Applies to:
All Staff / PR-HR-314
Approved by: HR Manager / Reissue Date: Dec 13 / Review Date: Dec 16
1 PURPOSE
To state the requirements and measures necessary for protecting data in electronic and manual form so that each company and its staff comply with the requirements of the Data Protection Act 1998.
2 SCOPE
These briefing notes apply to the procedures used for collecting, maintaining, protecting, accessing, disclosing and disposing of personal data. This includes:
a) Data held on any central computer server;
b) Data held on any desktop personal computer or similar automatic device;
c) Data held and processed by any bureau or sub-contractor;
d) Data held on separate magnetic media such as floppy disks, cassettes, exchangeable discs, telecommunications devices, CD-ROMs and tapes;
e) Computer output on paper, fiche or similar media;
f) Manual data in structured files.
3 DEFINITION
For the purposes of the Data Protection Act:
Personal Data:
Personal Data is data which relates to a living individual who can be identified either from that data alone or from that data and any other information in the Company’s possession, or which is likely to come into its possession. It also includes any expression of opinion about the individual and any information regarding the intentions of the data processor towards the individual, both singly and in combination with other information.
Sensitive Personal Data:
There are conditions which must be met for processing sensitive data which are contained in Procedure PR-HR-312 (Lawful Processing). Sensitive data is personal data that consists of information relating to a data subject’s:
Racial and ethnic origin;
Political opinions;
Physical or mental health or condition;
Sexual life;
Commission or alleged commission of offences;
Court proceedings, disposal of such proceedings or sentencing in such proceedings;
Religious or other beliefs; and
Trade union membership.
4 PROCEDURES
4.1 Collection
a) The Company must ensure that all personal data collected for input to a computer system, and manual records entered into a relevant filing system, are accurate, complete and not excessive in relation to the purpose(s) for which they are processed.
b) If information has been received from the data subject or from someone outside the Company, a note must be added to the information identifying its source. All reasonable measures should be taken to verify the accuracy of the information.
c) Where documents are used, these must be safely transferred to the input location in order to ensure that the security and safety of personal data is enforced at all times using appropriate technical and organisational measures.
d) When personal data is obtained, the rights of the data subject must be protected.
e) Only relevant and adequate personal data should be collected; excessive items of data should be avoided.
4.2 Maintenance
a) All data should be maintained in an accurate and current state.
b) Where inaccuracies are identified, corrections should be applied immediately and a note made of how the accurate information was obtained.
c) All personal data should continue to be relevant and not excessive, and should not be retained for longer than necessary.
4.3 Protection
a) Computer equipment or other media holding data should be protected from unauthorised or unlawful processing and from accidental loss or destruction of, or damage to, personal data.
b) Where information is held on magnetic media, security copies should be maintained and stored in a safe location separately from the equipment. Access to this data must be subject to written authorisation.
c) Magnetic or other media holding personal data being transferred between locations should be protected from access and loss using appropriate technical and organisational measures.
d) The reliability and security of any outside data processors should be checked before awarding any contract to them and providing personal data. The performance of the processors should also be monitored regularly to ensure compliance and security.
4.4 Access
a) Authorisation procedures must ensure that access is restricted to staff who require access to personal data for the discharge of their duties.
b) Where terminals are used, appropriate security systems such as badges and passwords should be used, and passwords should be changed regularly.
c) Terminals should be located so that only the user can access the information. Standard screensaver passwords should be used to minimise the risk of unauthorised viewing.
d) Access to manually held personal data must be restricted to minimise the risk of unauthorised or accidental disclosure.
4.5 Disclosure
a) Procedures should ensure that personal data is only disclosed to the individual concerned or to third parties in other clearly authorised circumstances (refer to PR-HR-311).
b) Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory can ensure an adequate level of protection and security for the personal data and its subjects.
4.6 Disposal
a) Data should only be held for the period required by its specific purpose and not retained for an excessive time.
b) All personal data held on tapes, disks, CD-ROMs or other magnetic media should be positively deleted and cleaned before the media are re-used or new data is written over the old. There must be no possibility of the old personal data reaching somebody who is not authorised to receive it.
c) All out-of-date data, irrespective of the media on which it is held, must be securely destroyed.
5 IMPLEMENTATION
The HR Manager is the responsible person and is required to:
a) Review existing procedures involving the use of personal data to ensure that they comply with the provisions of the Data Protection Act.
b) Ensure adequate training and dissemination of information to the employees of the Company in relation to these Guidelines and the requirements of the Data Protection Act.
c) Review the access controls to areas where personal data is stored or accessed, both during working hours and at other periods, to ensure the necessary level of security is in force.
d) Review the location of video terminals and desktop computers to ensure that information displayed is not visible to unauthorised persons, whether members of staff or of the public.
e) Develop and maintain data security procedures for the Company.
Document Template FO-QA-801 / Rev.1.0 / Issued By: Compliance Manager / First Issue Date: May 11 / Review Date: May 14