Individual Rights (Data Privacy) Policy


October 2017

Please see the cover sheet to the Information Policies on the Staff Intranet and Board Intelligence.

1. Introduction

1.1 UK data protection law gives individuals whose personal information is collected and/or used rights in respect of such information.
1.2 Any individual (including an employee, contractor, director, investor or financial professional) whose personal information is collected and/or used by the Financial Reporting Council Limited (FRC, we, us or our) will benefit from these rights in accordance with the provisions of this Data Protection Rights Policy (Policy).

2. Objectives

2.1 To ensure that we handle personal information in accordance with the law.
2.2 To explain how we deal with a request from an individual to exercise their data protection rights (Request). [1]

[1] This policy addresses individual's rights as at September 2017. Further changes may be made in readiness for General Data Protection Regulation implementation on 25 May 2018.

3. Individual's Data Protection Rights

3.1 We must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable UK data protection law:
3.1.1 The right of access: This is a right for an individual to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with details of that personal information and access to it. The process for handling this type of request is described further in sections 3 and 4 below;
3.1.2 The right of rectification: This is a right for an individual to obtain rectification without undue delay of inaccurate personal data a controller may process about them;
3.1.3 The right to erasure: This is a right for an individual to require a controller to erase personal information about them on certain grounds, for example where the personal information is no longer necessary to fulfil the purposes for which it was collected;
3.1.4 The right to restriction: This is a right for an individual to require a controller to restrict processing of personal information about them on certain grounds;
3.1.5 The right to object: This is a right for an individual to object, on grounds relating to their particular situation, to a controller's processing of personal data about them, if certain grounds apply;

3.1.6 The right to data portability: This is a right for an individual to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply.
3.2 If any Request is received in relation to a data subject's rights (including the right to rectification, erasure, restriction, object or data portability) the Request must be referred to the FOIA Team at foia@frc.org.uk.

4. Right of Access

4.1 An individual making a valid Request is entitled to:
4.1.1 Be informed whether we hold and are processing personal information about them;
4.1.2 Be given a description of the personal information, the purposes for which they are being held and processed and the recipients or classes of recipient to whom the personal information is, or may be, disclosed by us; and
4.1.3 Communication of their personal information held by us in a form that is understandable, without compromising the privacy of other individuals.
4.2 The Request must be made in writing, which can include email.
4.3 We may apply a fee of up to a maximum of ten pounds sterling (£10). [2] Where the Request is manifestly unfounded or excessive (e.g. it is repetitive in nature), we may either:
4.3.1 Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
4.3.2 Refuse to act on the Request.

[2] Applicable up to 25 May 2018.

4.4 Requests made by individuals are handled by the Governance & Legal Team who may consult with the HR Team as appropriate.
4.5 We are not obliged to comply with a Request unless we are supplied with such information as we may reasonably require in order to confirm the identity of the individual making the Request and to locate the information which that individual seeks.
4.6 We must respond to a Request promptly and no later than forty (40) calendar days after all the necessary information (enabling us to identify the individual and locate the requested information) and fee have been received. [3]

[3] From 25 May 2018, we must provide information on action taken on a Request within one month of receipt of the Request. That period may be extended by two further months where necessary, taking into account the complexity and number of the Requests.

4.7 An individual may make a Request only in respect of their own personal information. With that said, an individual may give their consent, in writing, to another individual to make a Request on their behalf (e.g. a lawyer acting on behalf of the individual).

4.8 In some cases personal information may be withheld if an exemption applies. Decisions about the appropriate use of exemptions should always be made by the FOIA Team.

5. Policy

5.1 Receipt of a Subject Access Request
5.1.1 If an individual makes a Request for their personal information, the Request must be passed to the FOIA Team via foia@frc.org.uk.
5.1.2 The date on which the Request was received together with any other relevant information should be recorded.

5.2 Initial steps
5.2.1 The FOIA Team will make an initial assessment of the Request to decide whether it is valid and whether confirmation of identity, or any further information, is required.
5.2.2 The FOIA Team will then contact the individual in writing to confirm receipt of the Request and seek confirmation of identity or further information.

5.3 Exemptions to subject access
5.3.1 A valid request may be refused in accordance with the relevant exemptions set out in UK data protection law and regulatory guidance, including:
(a) Impossibility or burden of providing access. A right to access may be restricted where providing access would be impossible or involve disproportionate effort. When contemplating whether to withhold information due to such reasons, we must consider many factors, such as whether the personal information is used for decisions that significantly affect the individual. Expense and burden are important factors and should be taken into account, but they are not definitive in determining whether providing access is reasonable.
(b) Confidential commercial information. We may also deny or limit access to personal information to the extent that granting full access would reveal confidential commercial information (e.g. where the information is subject to contractual obligations of confidence or is being processed as part of an ongoing audit, investigation or enforcement activities).
(c) Public interest exemptions. We are not obliged to provide information where a public interest exemption applies. Such exemptions may include where disclosure of the information may interfere with important public interests, such as national security, defence or public security. Other reasons for denying or limiting access are:
(i) Interference with the execution or enforcement of the law or with private causes of action;
(ii) Where the legitimate rights or important interests of others would be violated;
(iii) Breaching a legal or other professional privilege or obligation;
(iv) Prejudicing employee security investigations or grievance procedures or in connection with succession planning and corporate reorganisations;
(v) Prejudicing business or other activity in relation to management forecasting or management planning;
(vi) Prejudicing the discharge of regulatory functions; or
(vii) Prejudicing future or ongoing negotiations between the requestor and the FRC.
5.3.2 Given our role as a regulator with enforcement and disciplinary functions, the FOIA Team shall give particular consideration to the application of exemptions (iii) and (vi) to any Request.
5.3.3 Decisions about the use of exemptions should only ever be made by the FOIA Team. The FOIA Team will assess each request individually to determine whether any of the above-mentioned exemptions may apply and/or whether it can redact information and disclose the remaining personal information.

5.4 Appropriate methods for locating and disclosing personal information
5.4.1 The FOIA Team will arrange a search of all relevant electronic and structured paper filing systems, with the assistance of other departments such as the HR Department as appropriate.
5.4.2 Particular care must be taken where the Request concerns information whose disclosure would reveal personal information about other individuals. The FRC has a responsibility to protect all personal information it processes, and must not disclose other individuals' personal information in response to a Request if doing so is contrary to applicable privacy law or the lawful rights and freedoms of those individuals.
5.4.3 The personal information requested will be collated by the FOIA Team, with the assistance of other departments as appropriate, into a readily understandable format (e.g. internal codes or identification numbers used at the FRC that correspond to personal information should be explained). A covering letter will be prepared by the FOIA Team which includes information required to be provided in response to the Request.
5.4.4 Where the provision of the personal information in permanent form is not possible or would involve disproportionate effort there may be no obligation to provide a permanent copy of the requested information. In such circumstances the individual may be offered the opportunity to have access to the information by inspection or to receive the information in another form. The other information referred to in 2.1 above must still be provided (unless an exemption under law applies).

5.5 Requests for erasure, amendment or cessation of processing of information
5.5.1 If a Request is received for the deletion or correction or any other right relating to an individual's personal information, the Request must be referred to the FOIA Team for advice.

5.6 All queries relating to this Policy are to be addressed to the FOIA Team at foia@frc.org.uk.