Data protection policy

Having a data protection policy is important because it shows that you have thought about:

  • complying with the law
  • following good practice
  • protecting clients, staff and other individuals
  • protecting the organisation.

The Data Protection Act 1998 is the key legislation governing how personal data may be held and used. When organisations become aware of their responsibilities they often ask whether there is a standard or model policy they can adopt, but unfortunately there isn't.

Data protection is not about following a fixed set of rules that are the same for everyone. It is about complying with the Act's general principles (the eight data protection principles) in a way that fits your organisation. Your data protection policy must therefore record the decisions your organisation has taken to comply with the Act, and it must identify who is responsible for what.

It is vital that the process of preparing a policy is owned and managed at a senior level: it is not an ICT issue but a significant legal consideration which reflects the culture and practices of the whole organisation. It is also good practice for the policy to be approved by trustees, as they have legal responsibilities.

Data Controller

The Data Controller is the legal 'person' responsible for complying with the Data Protection Act. It will almost always be the organisation, not an individual staff member or volunteer. Separate legal entities (for example a charity and its trading company) are separate Data Controllers. Where organisations work in close partnership it may not be easy to identify the Data Controller. If in doubt, seek guidance from the Information Commissioner's Office at www.ico.gov.uk.

Notification

Having identified your Data Controller, you must consider whether your organisation is exempt from Notification. Guidance is available on the Information Commissioner's website, or you can ask the ICO for help. Every Data Controller that is not exempt must pay an annual fee (currently £35) and complete a Notification form for the Information Commissioner covering:

  • the purposes for which personal data is held (from a standard list)
  • the types of Data Subjects about whom data is held
  • the types of information that are held
  • the types of disclosure that are made
  • any transfers abroad

The Notification entry has to be reviewed each year to reflect any significant changes.

Subject access

Individuals have a right to know what personal data is held about them. In response to a valid subject access request (accompanied by the fee, if one is charged), the Data Controller must provide a copy of all personal data about that Data Subject held at the time the request was made.

The Data Controller may negotiate with the Data Subject to provide a narrower range of data, or may choose to provide more. Certain data may be withheld, in particular Third Party material, especially where a duty of confidentiality is owed to the Third Party. Here 'Third Party' means either that the data is about someone other than the Data Subject, or that someone else was the source of it.

Data protection is important not because it is about protecting data, but because it is about protecting people. People can be harmed if their data is misused or falls into the wrong hands, or if inaccurate or insufficient data is used to make decisions that affect them.

Issues to be considered in a data protection policy

For each topic, the issues to consider:

  • Confidentiality: limits to confidentiality, communication with Data Subjects, communication with staff, authorisation for disclosures
  • Security: setting security levels, security measures, specific risks, personal safety
  • Direct marketing and fundraising: opting-out procedures, sharing lists, electronic contact
  • Data recording and storage: data accuracy and updating policies, storage issues, retention periods, archiving
  • Subject access: responsibility for ensuring subject access requests are handled within the legal time limit of 40 days, procedure for making requests, provision for verifying identity, charging policy, procedure for granting access
  • Transparency: purpose for which data is being processed, types of disclosure likely, how to exercise rights
  • Consent: forms of consent, opting-out opportunities, withdrawing consent
  • Staff training and acceptance of responsibilities: fit with other related policies, induction, continuing training, procedure for staff signifying acceptance of the policy
  • Policy review: responsibility for policy review, procedure, timing


Weblink

The table above was adapted from an article by Paul Ticher for the ICT Hub Knowledgebase. Full text can be found at: www.icthubknowledgebase.org.uk/dataprotectionpolicies

