Data Protection Policy
- Policy statement
- Status of the policy
- Definition of data protection terms
- Data protection principles
- Fair and lawful processing
- Processing for limited purposes
- Adequate, relevant and non-excessive processing
- Accurate data
- Timely processing
- Processing in line with data subject's rights
- Data security
- Dealing with subject access requests
- Providing information over the telephone
- Monitoring and review of the policy
1. Policy statement
2. Status of the policy
3. Definition of data protection terms
4. Data protection principles
Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
5. Fair and lawful processing
6. Processing for limited purposes
Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs.
7. Adequate, relevant and non-excessive processing
Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place.
8. Accurate data
Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should, therefore, be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed.
9. Timely processing
Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from our systems when it is no longer required.
10. Processing in line with data subject's rights
Data must be processed in line with data subjects' rights. Data subjects have a right to:
11. Data security
12. Dealing with subject access requests
A formal request from a data subject for information that we hold about them must be made in writing. A fee is payable by the data subject for the provision of this information. Any member of staff who receives a written request should forward it to [their line manager OR the Data Protection Compliance Manager] immediately.
13. Providing information over the telephone
Any member of staff dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:
14. Monitoring and review of the policy