Data Protection Policy
1 Data Protection Policy
The Data Protection Act 1998 replaced the Data Protection Act 1984 on 1 March 2000.
The Act regulates how firms use personal data of individuals. This includes customers, non-customers and employees.
It governs not only information held on computer but also information held in manual form (e.g. on file).
1.1.1 The Data Protection Information Commissioner
The Data Protection Information Commissioner enforces and oversees the Data Protection Act 1998. The Commissioner has a range of duties including the promotion of good information handling and the encouragement of Codes of Practice for the data controllers, that is, anyone who decides how and why personal data are processed.
The Commissioner is a UK independent supervisory authority reporting directly to the UK Parliament.
The information provided within this procedural manual is drawn from the requirements laid down by the Office of the Information Commissioner.
Further information is available by visiting the Information Commissioner’s website at www.dataprotection.gov.uk
With the growth in the use of personal data, it is important to recognise that wherever personal data is collected and used, people’s lives can be adversely affected if something goes wrong. For example, if details are not entered correctly people can be unjustly refused credit, benefits, housing or even a job. If data are not kept securely people’s privacy can be affected.
It is therefore essential that those who collect and use personal data maintain the confidence of those who are asked to provide it, by complying with the requirements of the Data Protection Act.
All Data Controllers must comply with the eight principles which are at the heart of the Act, including the requirement to obtain and process data fairly.
Under the Act any individual concerned has a right to see almost all personal information held about them, whether it is stored on computer or in manual form. In the event of receiving a so-called ‘subject access request’, please refer to ‘Subject Access Procedures’.
The Act places an obligation to ensure the accuracy of an individual’s personal data. Such information should not be misleading as to any matter of fact.
1.4.1 Personal obligations of all staff
· All Alternative Route staff who deal with personal information are required to handle that information confidentially and sensitively
· Alternative Route staff undertake to process personal data supplied by the firm only in accordance with the firm’s instructions
The 1998 Act sets out eight principles which define the obligations of Alternative Route as a registered data user of personal data. These principles are as follows:
1. Personal data shall be processed fairly and lawfully and not processed unless specific conditions are met.
2. Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless the country or territory ensures adequate protection for the rights and freedoms of the data subjects.
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the Data Controller towards the individual.
1.6.1 First Principle
‘Personal data shall be processed fairly and lawfully’.
Alternative Route must ensure that the processing is fair and lawful. Where the data is obtained from the data subject, Alternative Route must ensure that the data subject is provided with, or has made readily available to them at the time the data is obtained:
· the identity of Alternative Route
· the purpose for which the data is processed
· any other information necessary in the circumstances to ensure that the processing is fair
Alternative Route’s application forms should take into account the following requirements:
· The data subject has given their consent to the processing
· The processing is necessary for the performance of a contract with the individual to which Alternative Route and the data subject are parties
· The processing is necessary to comply with legal obligations
· The processing is necessary in order to protect the vital interests of the data subject
· The processing is necessary for the administration of justice
· The processing is necessary to pursue the legitimate business interest of the firm
Alternative Route will only need to hold or process a customer’s personal data for business needs, for example, the need to carry out a credit search in respect of an application for a loan. The customer would have been requested to sign our standard declaration in order for their consent to be provided.
1.6.2 Second Principle
‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’.
This principle differs from the 1984 Act. It is no longer the case that personal data can be used for any purpose simply because that purpose is described in Alternative Route’s register entry.
1.6.3 Third Principle
‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’.
Personal data held for specific purposes must be more than sufficient for the purpose or purposes.
It would therefore not be acceptable to hold information on the basis that one day it may be useful, without a firm idea of how it will be used.
1.6.4 Fourth Principle
‘Personal data shall be accurate and, where necessary, kept up to date’.
All reasonable steps must be taken to ensure the accuracy of data at all times.
Alternative Route must have controls in place to ensure that in the event of inaccurate personal data being identified, procedures will exist to allow for information to be rectified, blocked or destroyed.
1.6.5 Fifth Principle
‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that or those purposes’.
· Alternative Route has a document retention policy that sets out the minimum time in which documents should be retained.
· This has been formulated in line with legal and regulatory requirements.
1.6.6 Sixth Principle
‘Personal data shall be processed in accordance with the rights of data subjects under this Act’.
· This principle covers the requirement of Data Controllers to provide individuals with Rights of Access to personal data.
· The data subject may submit a subject access request in writing or by electronic means to Alternative Route. See Subject Access Request procedures.
· Data Subject Access Requests should be referred immediately to Compliance.
· Alternative Route must respond to the request in any event within 40 days, provided that the prescribed fee of £10 has been paid and Alternative Route has satisfied itself as to the identity of the person making the request.
In addition, principle 6 covers the right of individuals to be made aware of how their personal information is used and by whom.
Under Data Protection Legislation, Alternative Route must be able to prevent processing of data where the individual objects in writing. For example, a customer may request not to receive any direct marketing material from Alternative Route, or may not wish to have their personal details passed to a third party.
Alternative Route must have systems in place to suppress this type of information being sent out to its customers.
1.6.7 Seventh Principle
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against loss or destruction of, or damage to, personal data’.
· Alternative Route has taken measures to ensure that only authorised persons have access to personal data and these persons act only as mandated. Passwords giving access to data are frequently changed.
· All reasonable steps are taken to ensure that appropriate security measures are in place to safeguard against unauthorised or unlawful processing of personal data.
· All staff who have access to personal data are deemed to be reliable, and training and measures have been put in place.
· Staff only access and use data that is necessary to perform their job function.
1.6.8 Eighth Principle
‘Personal data shall not be transferred to a country or territory outside the European Economic Area without adequate protection’.
· Where processing across more than one national boundary is undertaken, it is necessary to determine which law applies to which processing operation.
· The UK law will apply to processing by a controller established in the UK.
· Consent of the data subject is required when data is transferred to countries outside the EEA, where protection is inadequate and where the transfer does not fall under any of the exempt cases.
When assessing ‘adequacy of protection’, all circumstances surrounding the data transfer should be considered (e.g. the nature of the data, the purposes and timescales of the processing etc.).
Processing of personal data is broadly defined as any operation carried out on personal data. The Act requires that personal data be processed ‘fairly and lawfully’. Personal data will not be considered to be processed fairly unless certain conditions have been met.
Processing may only be carried out where one of the following conditions has been met:
· The individual has given his or her consent to the processing.
· The processing is necessary for the performance of a contract with the individual.
· The processing is necessary to protect the vital interests of the individual.
· The processing is necessary to carry out public functions.
When collecting personal data it is essential that people know:
· Who you / we are
· What the data will be used for
· To whom it will be disclosed
This information can often be provided on an application form or similar document.
Data Protection wording is included within Alternative Route’s application package which, when signed by the customer, provides the necessary consent for processing the customer’s data.
When handling, collecting, processing or storing personal data staff must ensure that:
· All personal data is both accurate and up to date
· Errors are corrected effectively and promptly
· The data is deleted/destroyed when it is no longer needed
· The personal data is kept secure at all times (protecting from unauthorised disclosure or access)
The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose. Any changes could affect Alternative Route’s existing registration with the Data Protection Registrar, and an amendment to the registration may need to be sought.
It is equally important not to:
· Access personal data that you do not need for your work
· Use the data for any purpose it was not explicitly obtained for
· Keep data that would embarrass or damage Alternative Route if disclosed