Data Protection Policy & Procedures
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below
- meeting our legal obligations as laid down by the Data Protection Act 1998
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects’ rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, whether internal or external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation.
Data Protection Principles
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Overall responsibility for the policy implementation rests with the Board of Directors. However, all company employees are obliged to adhere to, support and implement this policy.
Conica Limited (the ‘Company’) requires all staff to be vigilant and exercise caution when asked to provide personal data held on another individual. In particular, any request for personal information that staff are concerned may be improper must be directed to the Data Protection Representative, and under no circumstances should personal information be disclosed, either orally or in writing, to any external person (including family members and friends) without the express prior consent of the relevant individual or the Data Protection Representative.
When personal data is collected by the Company it shall be held and treated in adherence to the requirements of this policy.
Personal information is kept securely and appropriate security precautions are taken by seeking to ensure the following:
- Source documents are kept in a lockable cabinet, drawer or room;
- Computerised data is password protected;
- Data kept on discs or other data storage devices is stored securely and encrypted;
- Individual passwords are kept confidential and are not disclosed to other personnel, so that no one can log in under another individual’s personal username and password;
- Logged-on PCs are not left unattended where data is visible on screen to unauthorised personnel;
- Screensavers are used at all times;
- Paper-based records containing personal data are never left where unauthorised personnel can read or gain access to them.
When manual records are no longer required, they are shredded or bagged and disposed of securely and the hard drives of redundant PCs are wiped clean. Off-site use of personal data presents a greater risk of loss, theft or damage and the company and personal liability that may accrue from the off-site use of personal data is similarly increased. For these reasons staff will:
- only take personal data off-site when absolutely necessary and for the shortest possible time;
- take particular care that when laptops or other devices including mobile phones are used to process personal data at home or in locations outside of the Company, they are kept secure at all times.
Rights of Individuals
Under the Act, an individual has the following rights:
- To request access to information held about them, the purpose for which the information is being used, and those to whom it is, has been or may be disclosed;
- To prevent data processing that is likely to cause distress or damage;
- To prevent data processing for direct marketing reasons;
- To be informed about the reasons behind any automatic decision made;
- To seek compensation if they suffer damage as a result of any breach of the Act by the Data Controller;
- To take action to stop the use of, rectify, erase, or dispose of inaccurate information;
- To ask the Information Commissioner to assess whether any processing of personal data has been carried out in accordance with the Act.
Access to Personal Data
Subject to exemptions, the Act gives any individual about whom the Company holds personal data the right to request in writing a copy of the information held about them, whether in electronic format or in certain manual filing systems. Any person who wants to exercise this right should in the first instance make a written request to the Company.
Once a written request and any information needed to prove the identity of the person making the request have been received, the Company will ensure that the individual receives access within one month, unless there is a valid reason for delay or an exemption applies.
The Act does not prevent an individual making a subject access request via a third party, including by a solicitor acting on behalf of a client. In these cases and prior to the disclosure of any personal information, the Company would need to be satisfied that the third party making the request is entitled to act on behalf of the individual and would require evidence of this entitlement.
Whilst the Act does not limit the number of subject access requests an individual can make to any organisation, the Company is not obliged to comply with an identical or similar request to one already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones. The Company may also charge a reasonable fee based on the administrative cost when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Retention and Disposal of Data
The Company is not permitted to keep personal information of staff for longer than is required for its purpose or is required by law.
Personal and confidential information will be disposed of by means that protect the rights of the individuals concerned, i.e. shredding, disposal as confidential waste, or secure electronic deletion.
Data Protection Representative:
To contact the company’s representative please email firstname.lastname@example.org
For more information and advice on data protection contact:
Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF