BJB Motor Company Limited (BJB) - Data Protection Act 1998 Policy & Procedures

Version History and Document Approval

Version History:

Version   Date                 Author         Reason
1.0       31st December 2017   Barry Wilson

Document Approval:

Status      Name           Date
Reviewed:   Barry Wilson   15th January 2018
Approved:   Barry Wilson   15th January 2018

1. Policy Statement

BJB Motor Company Limited takes the issue of compliance with the Data Protection Act very seriously and is committed to ensuring all activities carried out by the company and its employees adhere to the principles set out in the Act. All members of staff will receive full training in respect of the Act to ensure they are made aware of their obligations and responsibilities when processing personal data.

2. Background

The Act

The Data Protection Act first came into force in 1984, and was later amended in 1998 to form the legislation in use today. The main purpose of the Act is to protect the personal data of living individuals, and ensure that it is handled fairly and properly. It also provides individuals with the right to access personal data that is held in both computer and paper-based records.

This is done through setting out eight Data Protection Principles that must be adhered to when dealing with personal data; these are that Personal Data must be:

- fairly and lawfully processed;
- processed for the specified purposes;
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- not kept for longer than is necessary;
- processed in line with the rights of the individual;
- kept secure; and
- not transferred to countries outside the European Economic Area unless the information is adequately protected.

It was in 1998 that an amendment to the Act led to the establishment of the Information Commissioner's Office, which was given the responsibility of enforcing the Data Protection Act. It gained extensive legal powers allowing it to investigate and prosecute any individual, employee or organisation that it found to be in breach of the Act, with many facing significant fines, a criminal record and imprisonment.

3. Use of Personal Data

BJB Motor Company Limited will use individuals' personal data for consumer credit advice and recommendations, including subsequent contact points with the customer for marketing and information holding purposes.

4. Associated Legislation

The Information Commissioner's Office does cover other areas of legislation including:

- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Privacy and Electronic Communications Regulations 2003

As BJB Motor Company Limited is not a publicly owned company, there is no legal requirement for it to comply with the Freedom of Information Act or the Environmental Information Regulations.

BJB Motor Company Limited does not partake in unsolicited direct marketing by any electronic means to individuals; it does directly market the sale of consumer finance and/or insurance products via telephone / email; however, this is with the express consent of the customer. Therefore there is no requirement for BJB Motor Company Limited to comply with the Privacy and Electronic Communications Regulations.

5. Definitions

Data

Data refers to any information that can be held as a record. For BJB Motor Company Limited this would include all information that is held in our own records, whether it be electronic or as part of the paper filing system.

Personal Data

Personal Data refers to any information relating to a living individual, who can be identified from that information. This also includes any expression of opinion and indications of intentions in relation to the individual by BJB Motor Company Limited or any other person. This therefore would cover all information regarding Customers and Applicants but not information specific to Motor Vehicles.

Sensitive Data

Sensitive Data refers to personal data consisting of information such as:

- the racial or ethnic origin of the data subject;
- their political opinions;
- their religious beliefs or other beliefs of a similar nature;
- whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- their physical or mental health or condition;
- their sexual life;
- the commission or alleged commission by them of any offence; or
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Processing

Processing refers to how the data is used. This would include the obtaining of information at the initial application stage, recording it onto BJB Motor Company Limited's system and deleting the information after the retention period has expired.

Data Subject

Data Subject refers to a living individual who is the subject of personal data. This would cover all customers who are individual people but not companies or businesses of any form.

Data Controller

Data Controller refers to Barry Wilson, who decides how any personal data is processed or used.

Data Processor

Data Processor refers to a person or organisation that processes or uses personal data on behalf of the data controller. This would for example be a Credit Reference Agency or a Collections Agent, who would be using information on behalf of BJB Motor Company Limited.

Recipient

Recipient refers to any person or organisation to which data is disclosed from the data controller. This would for example be a Credit Reference Agency or Police Officer who have received information from BJB Motor Company Limited.

Third Party

Third party refers to any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor.

6. Security of Personal Data

6.1. Clear Desk Policy

BJB Motor Company Limited operates a Clear Desk Policy that ensures all personal information is stored securely when not in use by employees. This applies to all personal information that is in hard copy.

6.2. Disposal of Paper Records

When disposing of paperwork that contains personal information it is essential that it is disposed of securely to ensure that there is not a security breach once the documentation has left the premises. To prevent such a breach occurring, we ensure any paperwork is securely shredded when no longer required.

6.3. Computers & Passwords

All BJB Motor Company Limited systems and profiles are password-protected for each individual user that has access to them.

7. Data Retention

As specified in the data protection principles, BJB Motor Company Limited will not keep data for longer than necessary. All personal data will be held for the minimum time necessary whilst ensuring compliance with its legal obligations.

8. Customer Communication

When communicating with customers via telephone, the only information we disclose is the personal information relating specifically to you. We will perform sufficient identity checks with customers we are speaking with before referring to any personal information. This applies to both incoming and outgoing calls.

8.1. The identity checks involve the individual confirming a minimum of three items of personal information held on the system.

These items can include any combination of:

- Full Forename & Surname
- Date of Birth
- First Line of Current Address & Postcode
- Bank account number and sort code
- Home telephone number
- Any password that has previously been arranged
- Vehicle Registration Number

This list is not exclusive, but is meant as an example of what items of personal information can be requested.

To minimise the risk of a data protection breach, we limit the amount of personal data given out when speaking to a customer over the phone and if possible attempt to provide any further information to the customer in writing.

9. Requests for the Disclosure of Personal Data

9.1. Subject Access Requests

Any individual customer whose personal data is held by BJB Motor Company Limited in its role as a Data Controller has the right to access the data, to be told for what purpose it is being held and to whom it may be disclosed.

To access their personal data, an individual is required to make a Subject Access Request to the Data Controller, enclosing a fee, which for BJB Motor Company Limited is £10. Upon receiving this request and fee, we are required to respond within forty days; otherwise we will be in breach of the Act.

9.2. Law Enforcement Agencies

There are a number of exceptions contained within the Data Protection Act that recognise the need for the disclosure of personal data when it is in the public interest, which otherwise may be in breach of the Act. An example of this would be for the purposes of preventing crime and taxation fraud, which can be used by Law Enforcement Agencies to aid them in their investigations. These agencies include the Police, NCA, HM Revenue & Customs and the Department of Work & Pensions.

10. Information Commissioner's Office Notification

Notification is the process by which a Data Controller informs the Information Commissioner of certain details about their processing of personal information. These details are used by the Information Commissioner to make an entry describing the processing in a register that is available to the public for inspection.

The principal purpose of having notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know (or should be able to find out) who is carrying out the processing of personal information, as well as other details about the processing (such as the reason it is being carried out).

11. Staff Awareness and Training

It is vital that BJB Motor Company Limited staff understand the importance of protecting personal data; that they are familiar with the organisation's security policy; and that they put its security procedures into practice.

We provide appropriate initial and refresher training and this covers:

- BJB Motor Company Limited's duties under the Data Protection Act and restrictions on the use of personal data
- The responsibilities of individual staff members for protecting personal data, including the possibility that they may commit criminal offences if they deliberately try to access, or to disclose, information without authority
- The proper procedures to use to identify callers
- The dangers of people trying to obtain personal data by deception (for example, by pretending to be the person whom the information is about or by making phishing attacks) or by persuading you to alter information when you should not do so
- Any restrictions BJB Motor Company Limited places on the personal use of its computers by staff (to avoid, for example, virus infection or spam)

The Data Protection Act requires BJB Motor Company Limited, as an organisation, to take reasonable steps to ensure the reliability of any staff who have access to personal data.

12. Complaints

All complaints and potential breaches relating to the Data Protection Act must be referred to the Managing Director.