Privacy and Security
Data Protection Policy
This document sets out Wirral Evolutions’ policy regarding Data Protection; it is based on the 1998 Data Protection Act.
The purpose of The Act is to regulate the way that personal information about living individuals (no matter how that information is held) is obtained, stored and disclosed.
The legislation grants rights to individuals, to see data stored about them and to require modification if the data is incorrect, and in certain cases, to compensation.
These provisions amount to a right of privacy for the individual.
To aid the understanding of this document and the provisions of The Act, the following key definitions need to be understood:
Data is information which is:
- being processed by means of equipment operating automatically in response to instructions given for that purpose, or
- recorded with the intention that it should be processed by means of such equipment, or
- recorded as part of a manual filing system or with the intention that it should form part of a relevant filing system, i.e. a structured filing system, or
- held as part of a record to which public access is allowed.
Data Controller (for the purpose of this document) means Wirral Evolutions, as it is the Organisation which determines how data is processed.
Data Processor means any person, other than an employee of Wirral Evolutions who processes data on behalf of the data controller, e.g. someone contracted to Wirral Evolutions to produce documents containing personal data.
Data Subject is the individual about whom personal data is held.
Personal Data means data about a living individual who can be identified from that information (or from that and other information in the possession of the data controller). This includes an expression of opinion about the individual.
Sensitive Personal Data means personal data consisting of information in any of the following categories:
- His/her political opinions
- His/her religious beliefs or beliefs of a similar nature
- Whether he/she is a member of a trade union
- His/her physical or mental health or condition
- His/her sexual orientation
- Any offences or allegations of offences committed by him/her
- Any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings, or the sentence of any court in such proceedings.
Processing is widely drawn and means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including organisation, adaptation or alteration, disclosure and destruction of the information or data.
Relevant Filing System means any manual filing system which is structured and refers to identifiable individuals, the information relating to those individuals being readily accessible.
The Act contains 8 Principles relating to the collection, use, processing, and disclosure of data, and the rights of data subjects to have access to the personal data concerning themselves. These Principles are listed below:
- Personal data shall be processed fairly and lawfully
- Personal data shall be obtained only for one or more specified and lawful purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred outside of the European Economic Area.
Wirral Evolutions supports the objectives of The Act and is bound by its regulation with regard to personal data. This policy is designed to ensure that the confidentiality of personal data is maintained and to increase the access given to individuals to information relating to them.
The Policy is designed to complement other policies, which relate to personal data in some way. These include but are not limited to HR policies, Information Sharing Protocols and any future policies or protocols agreed with internal departments or external partners.
Wirral Evolutions is required to notify the Office of the Information Commissioner on a yearly basis. This notification is facilitated by the Information Manager and details the main processing activities of Wirral Evolutions.
Wirral Evolutions will hold the minimum personal data necessary to enable it to perform its functions. The data will be deleted in accordance with the Retention and Destruction Policy of Wirral Evolutions. Every effort will be made to ensure that data is accurate and up to date, and that inaccuracies are corrected quickly.
Wirral Evolutions will provide any individual who makes a written request for their personal data with a reply stating whether or not we hold personal data about them. A copy of that information, in clear language, will be given unless specific legal exemptions apply. The organisation must fulfil a request for access to personal data within 40 calendar days.
The data subject has the right to have records amended if they are inaccurate. It is currently the policy of Wirral Evolutions not to make a financial charge for this service.
Wirral Evolutions ensures that personal data is treated as confidential.
IT systems are designed to comply with the Data Protection Principles. This ensures that access to personal data can be restricted to identifiable system users.
Wirral Evolutions is committed in its aim that all appropriate staff will be properly trained, fully informed of their obligations under the Act, and made aware of their personal liabilities.
Wirral Evolutions expects all of its staff and members to comply fully with this Policy and the Data Protection Principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures following from this Policy.
Overall responsibility for the efficient administration of Data Protection legislation lies with the Managing Director.
Day to day responsibility for administration and compliance with the Act is delegated to the Executive Management Team for their respective areas of Wirral Evolutions.
It is the responsibility of the Information Manager to ensure compliance with this Policy, to specify the procedures to be adopted, and to ensure Wirral Evolutions abides by the legislation. The main duties of the Information Manager in relation to Data Protection are:
- Maintenance of Wirral Evolutions’ external notifications under the Act, and acting as the interface with the Office of the Information Commissioner.
- Development, updating and publication of the Data Protection procedures for Wirral Evolutions.
- Ensure compliance with Data Protection procedures and practices.
- Initial contact point for subject access requests.
- In conjunction with the Head of Human Resources, organise education and training seminars regarding Data Protection issues.
In addition to the formal responsibilities outlined above, all members of staff have a duty to observe the Data Protection Principles and the procedures referred to in this document. This policy will be reviewed on a regular basis and updated as and when necessary.
For any issues relating to this policy, please contact the Information Manager, Nikki Smith on 0151 637 2030 or via email firstname.lastname@example.org