Data Protection Policy
The NTTA is committed fully to compliance with the requirements of the Data Protection Act 1998. The 1998 Act applies to all organisations that process data to their employees, as well as to others e.g. customers and clients. It sets out principles which should be followed by those who process data; it gives rights to those whose data is being processed.
To this end, the organisation endorses fully and adheres to the eight principles of data protection, as set out in the DPA.
- Data must be processed fairly and lawfully.
- Data must only be obtained for specified and lawful purposes.
- Data must be adequate, relevant and not excessive.
- Data must be accurate and up to date.
- Data must not be kept for longer than necessary.
- Data must be processed in accordance with the “data subject’s” (the individual’s) rights.
- Data must be securely kept.
- Data must not be transferred to any other country without adequate protection in place.
These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the organisation will:
- observe fully the conditions regarding the fair collection and use of information
- meet its legal obligations to specify the purposes for which information is used
- collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements
- ensure the quality of information used
- ensure that the information is held for no longer than is necessary
- ensure that the rights of people about whom information is held can be fully exercised under the DPA (i.e. the right to be informed that processing is being undertaken, to access one’s personal information; to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as wrong information)
- take appropriate technical and organisational security measures to safeguard personal information
- ensure that personal information is not transferred abroad without suitable safeguards.
Status of this Policy
The Policy does not form part of the formal contract of employment for staff but it is a condition of employment that staff will abide by the rules and policies made by the NTTA from time to time. Any failure to follow the Data Protection Policy may lead, therefore, to disciplinary proceedings. This Policy was approved on 22 May 2018. It will be reviewed no later than [22 May 2019].
Designated Data Controllers
The Designated Data Controller will deal with day-to-day matters. Any member of staff, or other individual who considers that the policy has not been followed in respect of personal data about himself or herself should raise the matter with one of the Designated Data Controllers.
All staff are responsible for:
- checking that any information that they provide to the organisation in connection with their employment is accurate and up to date.
- informing the organisation of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. The organisation cannot be held responsible for any errors unless the employee has informed it of such changes.
All staff are responsible for ensuring that:
- any personal data that they hold is kept securely.
- personal information is not disclosed either orally or in writing or via Web pages or by any other means, accidentally or otherwise, to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. Personal information should be kept in a locked filing cabinet, drawer, or safe. If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
- The organisation backs up data every day and has multiple copies (at least one set for each day of the week and additional weekly ones in order to have at least a month’s worth of data at any one time). Records of these are kept.
- Backups are kept off site. Any kept on site are in special heat-proof safes: fire-proofing alone is inadequate.
- Backups are verified regularly by the software and system supplier.
- Master copies of software are stored off site or in a heat-proof safe.
- Firewalls and virus checkers are kept up to date and running, and users are trained in virus avoidance and detection.
- Computers are protected from physical harm, theft or damage, and from electrical surges using protective plugs.
- The organisation plans for how to deal with loss of electricity, external data links, server failure, and network problems. It uses paper forms where necessary for temporary record keeping.
In many cases, the organisation can only process personal data with the consent of the individual. In some cases, if the data is sensitive, as defined in the DPA (and to which special rules apply), express consent must be obtained.
Requests may be made for details of personal information which we under the DPA. A small fee of [not more than £10) will be payable. Copies of the information held should be sent in writing to NTTA, Carriage Court, Welbeck, Worksop, Notts, S80 3LR. The requested information will normally be provided within 40 days.
If an individual believes that any information held on him or her is incorrect or incomplete, then they should write to or email the NTTA office (firstname.lastname@example.org) as soon as possible. The organisation will promptly correct any information found to be incorrect.
This policy sets out this organisation’s commitment to protecting personal data and how that commitment is implemented in respect of the collection and use of personal data.