BACKGROUND INFORMATION

Similar documents
Charities & Not-for-Profits Overview of Data Protection Law

Immigration, Asylum and Nationality Act 2006

European College of Business and Management Data Protection Policy

Data Protection Policy

Data Protection. Policy & Procedure. Greater Manchester Police

Data Protection Act 1998 Policy

SCHEDULE Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

WALTHAMSTOW SCHOOL FOR GIRLS APPLICANTS GUIDE TO THE PREVENTION OF ILLEGAL WORKING

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

Data Protection Act 1998

DATA PROTECTION (JERSEY) LAW 2005

DATA SHARING AND PROCESSING

UKRI Prevention of Illegal Working Policy

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

IMMIGRATION, ASYLUM AND NATIONALITY ACT 2006 INFORMATION FOR CANDIDATES

SSSC Policy. The Immigration Asylum and Nationality Act Guidelines for Schools

Data Protection Bill [HL]

ARTICLE 29 Data Protection Working Party

BJB Motor Company Limited (BJB) - Data Protection Act 1998 Policy & Procedures

OFFICE OF THE POLICE AND CRIME COMMISSIONER FREEDOM OF INFORMATION ACT 2000 PUBLICATION SCHEME

Schools Subject Access Request Procedures

Access to Personal Information Procedure

Data Protection Policy

DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER NOTICE OF INTENT

DATA PROTECTION POLICY STATUTORY

Official Gazette No. 55 issued on 8 May Data Protection Act. of 14 March 2002

FREEDOM OF INFORMATION POLICY

Request under the Freedom of Information Act 2000 (FOIA)

Page1. Eligibility to Work in the UK. Issue Date 01/01/2017 Issue 1 Document No: 003 Uncontrolled when copied

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

- and - OPINION. Reasons

Postings under Statutory Instrument and Bilateral Agreements

Privacy. Purpose. Scope. Policy. Appendix A

How we use Personal Information

ELECTRONIC DATA PROTECTION ACT An Act to provide for protection to electronic data with regard to the processing of electronic data in Pakistan

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

Freedom of Information Policy

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 * [CONSOLIDATED TEXT] NOTE

Data Protection in the European Union: the role of National Data Protection Authorities Strengthening the fundamental rights architecture in the EU II

FREEDOM OF INFORMATION REQUEST

Saturday, 7 November 15

Data Protection Policy

MOROCCO. Decision of OJ L 70/1 of Agreement: art. 59 OJ L 70/15. Protocol No 5 OJ L 70/186

Privacy Notice (GDPR) Licensing Firearms

Freedom of Information Act 2000 (Section 50) Decision Notice

Freedom of Information Policy, Procedures and Requests

Factsheet on rights for nationals of European states and those with an enforceable Community right

Port Glasgow St Andrew s Data Protection Policy

Data Protection Bill [HL]

Prevention of Illegal Working Guidance on the Immigration, Asylum and Nationality Act 2006

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

Right to Work in the UK Policy Contents

Mannofield Parish Church. Registered Scottish Charity No: SC (the Congregation ) Data Protection Policy

SPINAL INJURIES ASSOCIATION

ELIGIBLITY TO WORK IN THE UK CHECKLIST

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 [CONSOLIDATED TEXT] NOTE

IMMIGRATION, ASYLUM AND NATIONALITY ACT 2006 INFORMATION FOR CANDIDATES

Data Protection Policy and Procedure

CSCU9Q5. Data Protection and Freedom of Information Acts

Data Protection Policy

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

Data Protection. Guidance for Schools

Timeline of changes to EEA rights

Merrydale Infant School Freedom of Information Act

Staff Data Protection Policy

EMA Residency 2006/07 Supporting Information

Subject Access Request Procedure

Immigration Policy. Operational

SIA For life after spinal injury

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

Fee Assessment Procedure for Applicants

PRIVACY AND ELECTRONIC COMMUNICATIONS (EC DIRECTIVE) REGULATIONS 2003 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER FIXED MONETARY PENALTY NOTICE

Fee Status Assessment Questionnaire

16 March Purpose & Introduction

Data Protection Regulations (DPR)

Molescroft Primary School Recruitment and Selection Policy Published October 2010, Reviewed August 2012, September 2015

RIGHT TO WORK GUIDELINES

Request under the Freedom of Information Act 2000 (FOIA)

Right to Work Procedures

All sections to be completed in full

DATA PROTECTION AND FREEDOM OF INFORMATION POLICY

2007 No COMPANIES AUDITORS. The Statutory Auditors and Third Country Auditors Regulations 2007

TULIP RESOURCES DOCUMENT VERIFICATION FOR ALL EMPLOYEES FEBRUARY 2013

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

EEA3: PERMANENT RESIDENCE

Annex - Summary of GDPR derogations in the Data Protection Bill

Supporting families with no recourse to public funds

DATA PROTECTION LAWS OF THE WORLD. Ukraine

b) How many outstanding arrest warrants does Suffolk Constabulary currently have?

Work and residence permits and business entry visas

Visas and volunteering

to the Government Gazette of Mauritius No. 14 of 14 February 2009

Freedom of Information Act Decision notice

THE DATA PROTECTION PRINCIPLES

Enrolment Policy. PART 1 British/Domestic Students

How we use Personal Information

FREEDOM OF INFORMATION ACT 2000 POLICY

Information exempt from the subject access right (section 40(4) and

CHURNET VIEW MIDDLE SCHOOL POLICY FOR FREEDOM OF INFORMATION ACT 2000

1. Why do third-country audit entities have to register with authorities in Member States?

Transcription:

Data Protection 1. BACKGROUND INFORMATION The law governing Data Protection is covered by the Data Protection Act 1998. It implements the EC Data Protection Directive (95/46/EC) in the UK. The Act came into force on 1st March 2000 and replaces the Data Protection Act 1984. The impact on Scouting activities is covered in Section 2 of this factsheet but it is important that readers first have an overview of the provisions of the 1998 Act. Purpose of the 1998 Act The purpose of the Act is to protect the right to privacy of individuals. In order to do this, the Act regulates the processing of Personal Data in relation to individuals, including the obtaining, holding, use or disclosure of such information. Young people have the same rights as adults under the Act Changes to the 1984 Act For those with knowledge of the 1984 Act the main changes made by the 1998 Act are as follows: New set of data protection principles including new obligations in respect of security of data; Restriction imposed on transferring data outside the European Economic Area (EEA); Extension of the law to cover manual records; Requirement to obtain specific consent for processing sensitive data; The Data Subject s enhanced right to obtain information and object to processing; New notification (registration) and enforcement procedures. Definitions Data means information, which is held on a computer; or recorded in a manual filing system whereby specific information about a particular data Subject is readily accessible. Personal Data is information relating to a living Data Subject who can be identified from the data and any other information relating to the Data Subject that is likely to come within the possession of the Data 0845 300 1818 Controller. It includes expressions of opinion by or about the Data Subject. Data Subject is the individual who is the subject of the Personal Data held. Data Controller is the person who either alone or jointly with others determines the purpose and manner for which the Personal Data is to be used. Data Processor is the person who processes the data on behalf of the Data Controller. European Economic Area (EEA) The EEA comprises all 15 countries of the European Union (Austria, Belgium, Denmark, Eire, Finland, France, Germany, Greece, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, United Kingdom) and Iceland, Liechtenstein and Norway. Sensitive Personal Data. See below Thus, anyone (or organisation) who wishes to record and process information about individuals (Data Subjects) from which they can be identified is subject to the provisions of the 1998 Act. However, the Act does not include persons collecting information on individuals for their own domestic or household affairs. Data Protection Principles Data Controllers must comply with all of the following principles, regardless of whether or not they are required to notify (register with) the Data Protection Commissioner under the Act. In general, the principles provide that the Personal Data must be: - 1. processed fairly and lawfully; 2. obtained for specified and lawful purposes only; 3. adequate, relevant and not excessive in relation to those purposes; 4. accurate and up-to-date; 5. kept for no longer than is necessary; 6. processed in accordance with the rights of Data Subjects; 7. kept secure against unauthorised or unlawful processing and accidental loss, destruction or damage; 1/5 Data Protection The Scout Association 2000 Item code: FS270001 July 2000

8. restricted to the EEA unless the Personal Data is to be transferred to a country outside the EEA which can ensure an adequate level of protection. Sensitive Personal Data This is defined widely to include the following information about an individual: - health or sexual life religious or similar beliefs racial or ethnic origin criminal offences (actual or alleged) or proceedings relating to such offences. political opinions or trade union membership The list of what constitutes Sensitive Personal Data can be added to by the Government. Names, dates of birth, addresses, and telephone numbers are not classed as Sensitive Personal Data. The Data Subject must give explicit consent to the holding of Sensitive Personal Data. However, explicit consent is not required where the information has been made public by the Data Subject or for certain purposes including: - medical purposes legal proceedings monitoring racial equality the Data Subject s employment Operation of the 1998 Act To oversee the implementation of the Act the Government appoints a Data Protection Commissioner. Her duties include: the management of the register of Data Controllers and making this publicly available promoting the observance of the Data Protection Principles encouraging the development of codes and practices to assist Data Controllers in complying with the principles. Penalties The 1998 Act creates a number of criminal offences punishable by fine for failure to comply with any notices (instructions) issued by the Data Protection Commissioner to Data Controllers. Notification (Registration) The 1998 Act introduces a new system of notification which replaces the registration system under the 1984 Act. Notification is an annual process. A fee is payable on the initial notification and on each renewal. This is currently 35 (June 2000) Notification is necessary unless the Data Controller can show that the data processing being undertaken falls within an exemption. See Section 2 Exemption from Notification. Rights of Data Subjects Data Subjects have the following rights. See also Section 2 Data Subject s Request. i) Access - Data Subjects are entitled - with some exceptions - on request in writing and on payment of a fee set at a maximum of 10 (payable to the Data Controller) to be informed by the Data Controller about whether data is being processed about them. If data is being processed they are entitled to receive a description and a copy of the Personal Data held, the purposes for which it is being processed and those to whom the data has or may be disclosed. The Data Controller must comply with the request within 40 days. ii) To require the Data Controller not to process data - Data Subjects may require the Data Controller at the end of a reasonable period of time, to cease or not to begin processing any Personal Data on certain grounds. These are that the processing would cause unwarranted substantial damage or substantial distress to them or to another. However, this right is not available to the Data Subject where: i) the individual has already consented - unless that consent is revoked - or ii) the processing of data is necessary to perform a contract to which the individual is a party, e.g. in an employment situation; or iii) to comply with a legal obligation or iv) to protect the vital interests of the individual. iii) To require the correction or erasure of inaccurate data about them. iv) To prevent processing of their data for the purposes of direct marketing v) To receive compensation where an individual suffers damage by any contravention of the Act. 2/5 Data Protection The Scout Association 2000 Item code: FS270001 July 2000

vi) To make a request to the Commissioner to assess whether the Act has been contravened. 2. SCOUTING AND DATA PROTECTION Scout Units Here the term Scout unit refers to any Group, District, County or other body recognised by The Scout Association. For the purposes of the Act, the Data Controller is the Executive Committee of the relevant Scout unit. The Scout Association (Headquarters) Headquarters is registered as a Data Controller under the 1984 Act and will be required to notify under the l998 Act when notification is due. This registration permits it to keep Personal Data on a computerised database operated only by Headquarters. This registration does not cover Scout units. Each Scout unit will need to notify (register) or come within an exemption if it wishes to keep Personal Data. Most Scout units will be exempt. Exemption from Notification Under the 1998 Act, Scout units which hold computerised or manual records of members of the Scout Movement or of other individuals who have regular contact with them, should not have to notify as they are classed as not for profit organisations which are exempt from notification. In this context those having regular contact will also include members of the Council of the relevant Scout unit. In order for this exemption from notification to apply, the Personal Data can be processed only for the purposes of i) establishing or maintaining membership or support for the Scout unit; or ii) for providing Scouting activities to members or to those who have regular contact with the Scout unit. However the Scout unit must still ensure that the individual (Data Subject) does not object to the Personal Data being held. Therefore the Data Subject should be told what information will be held and that it will only be used for Scouting purposes. They should also be told that the data will not be disclosed to anyone outside the Scout Movement in the UK without their permission. If the member is a minor, i.e. under the age of 18 years, the parent/guardian must be informed. A pro forma letter, which can be used for this purpose, is attached at Appendix 1. Most adults by completion of an application form such as Form AA Adult Appointment Application form have already consented for their Personal Data to be held and used for Scouting purposes. For other adults a suitably modified version of the letter at Appendix 1 can be used. The Personal Data must not be kept after the relationship between the Scout unit and the Data Subject ends unless and for so long as it is necessary to do so for the administration of the Scout unit and provision of Scouting activities. It is in order to keep details of former members of the Scout Movement for the purposes of a continuing contact with them unless they require that Scout unit does not do so - See Section 1. Rights of Data Subjects Sensitive Personal Data If the information held on a member contains Sensitive Personal Data, e.g. relating to the member s health, the explicit consent (e.g. by signing a form) of the member must be obtained. If the member is a minor the explicit consent of the parent/guardian is required. The purpose for holding such information should be given, e.g. in order to deal with medical emergencies whilst on Scouting activities. There are a few circumstances when consent to the processing of sensitive Personal Data is not required see the section on Sensitive Personal Data in Section 1. Nonetheless, it is always advisable to obtain explicit consent and to ensure that the purposes for which the data is processed relate to the maintenance of membership or Scouting activities in order to remain within the not for profit exemption from notification. Staff Administration Some Scout units employ staff. Notification is not necessary if the processing is for the purposes of the appointment, removal, payment, discipline, superannuation, work management or 3/5 Data Protection The Scout Association 2000 Item code: FS270001 July 2000

other personnel matters relating to staff. Data about the Data Subject can be given - without consent - to any third parties necessary for staff administration, e.g. Inland Revenue. Data Subject s Request If a Scout unit receives a request in writing - from a Data Subject for a description and copy of the information which is held about him or her the secretary of the Scout unit (or other person appointed by the Executive Committee to act as the Data Processor) will have to comply with the request within the 40 day time limit. If in disclosing such information, there is a risk that another individual will be identified the secretary (or other person appointed) can refuse to comply with the request - unless the other individual has given their consent or it is reasonable to comply with the request without that person s consent. This will have to be considered on a case by case basis However, this cannot be used as an excuse not to disclose information on the Data Subject if by blanking out information the other individual s identity can be withheld. If in doubt, seek further advice. If the information to be disclosed includes a reference about the Data Subject, then; this will have to be disclosed subject to removing the name or other particulars identifying the person giving the reference - unless the referee has consented to the disclosure of his or her identity; if the reference was confidential e.g. as provided on the Form RF Reference Form it is likely that the reference cannot be disclosed without the referee s consent unless it can be done without disclosing the identity of the referee. If the reference about the Data Subject was provided by or on behalf of the Data Controller (i.e. the Scout unit), the reference does not need to be disclosed by that Data Controller. Each Scout unit should appoint someone to act as the Data Processor and to be responsible for the day to day processing of the data. Suitable and reasonable security measures should be put in place to safeguard the storage of the data. Internet Web Sites If any Scout unit chooses to publish information about itself on an Internet web site, no Personal Data, which identifies young people, should be put on it under any circumstances. If adult members can be identified, consent to the publication of their details must be obtained. As a general rule, it is best to avoid naming any individuals. If they are Leaders or office holders, their job titles will suffice. The Association has produced a fact sheet entitled Developing a Scouting Web Site which is available from the Information Centre. Any Scout unit proposing to set up a web site would be well advised to obtain a copy. Other Sources of Information The Data Protection Office has produced two booklets entitled The Data Protection Act 1998 and An Introduction and Notification Exemptions A self-assessment guide. These can be obtained from The Office of the Data Protection Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Information Line: 01625 5245700. They are also available for downloading from its web site: http://www.dpr.gov.uk Please note: The Scout Association has sought to ensure that the information in this fact sheet is correct. A draft was shared with the Office of the Data Protection Commissioner before publication. The Association emphasises that the content is not comprehensive and may be subject to change depending on how the 1998 Act operates in practice. Advice should be sought from the Information Centre or the Data Protection Office for specific situations. Administration of Data Each Scout unit must ensure that records of members - and any staff - are kept secure, up to date, for no longer than is necessary and in accordance with the Data Protection Principles set out in Section 1. 4/5 Data Protection The Scout Association 2000 Item code: FS270001 July 2000

Pro Forma Letter to Parents [This letter should be modified to include details of the actual information that the Group will hold.] Dear Parent, Membership Records The Scout Movement in the United Kingdom is a membership organisation. To enable it to operate - and to communicate with its members - it is necessary to maintain records about them. This will include keeping details of name; address; date of birth, contact telephone numbers. We will also be keeping details of your son s/daughter s progress through Scouting (badges gained etc). Information held in our Scout Group may be shared from time to time within Scouting including the Headquarters of the Association. New legislation came into force in March 2000 which covers the protection and processing of personal data. Adults and young people have the same rights under the Data Protection Act 1998. The Act covers paper based (as well as computer based) information. Certain information is classed by the law as Sensitive Personal Data In a Scouting context this may include information about your son s/daughter s:- health. (to ensure that we are prepared for medical emergencies it is important that we hold relevant information.) disabilities (to ensure a safe integration of your son s/daughter s participation in activities, details of any disability need to be known.) religious or similar beliefs (this will help us ensure that we make appropriate arrangements when necessary.) racial or ethnic origin (again this will help us ensure that we are sensitive to cultural needs of our members). To hold this Sensitive Personal Data we will need your explicit consent. This can be given by completing the enclosed form All the information will only be used in connection with your son s/daughter s membership of the Scout Movement in the United Kingdom - this will include membership management and communications. Any of the information provided will not be passed to any third parties outside the Scout Movement without your consent. You can give your consent by completing the question on the form. If you have any questions please do not hesitate to contact me. Yours sincerely Group Scout Leader / Group Chairman / Group Secretary --------------- The following paragraphs should be included in a parents consent form/letter. The second paragraph should be modified as appropriate. I accept that the Scout Group will be keeping information about my son s/daughter s membership of the Scout Movement for Scouting purposes. I give explicit consent to the holding of information of my son s/daughter s health; disabilities; religion/faith; race/ethnic origin again for Scouting purposes. I give/do not give consent to the disclosure of any of information held to third parties associated with the Scout Movement in order that they may offer products and services which may be of interest. 5/5 Data Protection The Scout Association 2000 Item code: FS270001 July 2000

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback