Liaison Technology Limited
DATA PROTECTION POLICY
created and approved by the board of directors on the 01 of March 2009
1. Purpose and objectives
This policy forms part of the Liaison Technology (“LT”) commitment to the safeguarding of personal data processed by its staff. (Processing has a very broad definition, and includes activities such as creating, storing, consulting, amending, disclosing and destroying data.) Its objectives are:
- To help staff recognise personal data
- To help them understand their rights and obligations with respect to personal data.
LT processes the personal data of living individuals such as contractors, employees and clients. This processing is regulated by the Data Protection Act 1998 (DPA). The UK’s regulator for the DPA is the Information Commissioner’s Office.
It is the duty of data controllers such as LT to comply with the data protection principles with respect to personal data. This policy describes how LT will discharge its duties in order to ensure continuing compliance with the DPA in general and the data protection principles and rights of data subjects in particular. The principles are listed in the Annex to this Policy.
“The policy applies to all staff and third party providers of LT and all other computer, network or information users authorised by LT. It relates to their use of any LT-owned technologies and where an interface exist, centrally managed or otherwise; to all private systems (whether owned, leased, rented or on loan) when connected to the LT solutions; to all LT-owned or licensed data and programs (wherever stored); and to all data and programs provided to LT by sponsors or external agencies (wherever stored). The policy also relates to paper files and records created for the purposes of the 3BD business.”
‘”Personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
Sensitive personal data
- the racial or ethnic origin of data subjects
- their political opinions
- their religious beliefs or other beliefs of a similar nature
- whether they are members of a trade union
- their physical or mental health or condition
- their sexual life
- the commission or alleged commission by them of any offence, and any proceedings for such offences.
Although the DPA does not define ‘health’, the term should be understood broadly, to include preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services.
Personal demographic data, such as personal addresses and financial data (including salaries) are not sensitive personal data, but should be treated with similar care.
Manual Personal Data (LT employees only)
Personal data recorded as part of a relevant filing system in paper or other non-electronic format.
Obtaining, recording or holding personal data. This includes organisation, adaptation or alteration; retrieval, consultation or use; disclosure; and alignment, combination, blocking, erasure or destruction.
Relevant Filing System
Manual personal data structured by reference to individuals in such a way that information relating to a particular individual is readily accessible.
A collection of one or more data sets or files that are being processed for permitted purposes under the direction of a clearly identified member of LT staff - the Data Owner.
As the organisation which determines the purposes of the processing, LT is the Data Processor for the personal data that it manages.
Data Protection Officer
The LT member of staff with lead responsibility for LT’s compliance with the DPA. (Mr Paul Pieterse – Director)
The LT member of staff with lead responsibility for permitting and managing the retention and processing of a data holding for which LT is the Data Processor. Data Owners delegate responsibility for personal data elements to Data Custodians.
The individual unit or person identified by the data owner to be responsible for the collection, creation, modification and deletion of specified personal data element(s)
A person appointed by a Head of Department or Division with responsibility and authority to implement the Information Security Policy and supporting policies in respect of a LT-wide or departmental system, to ensure that the security measures adopted for systems under his/her control meet the requirements of these policies and to carry out the duties as set out in the associated Codes of Practice. In the case of a large system some duties may be delegated, to named persons whose particular duties are set out in writing, although the Custodian retains overall responsibility for the security of that system.
A living individual who is the subject of personal data
Any third party (other than LT staff) who processes personal data on behalf of and on the instructions of the Data Controller.
5. Roles and responsibilities
Information Strategy Committee
The Committee is responsible for defining 3BD’s information security policy and for ensuring it is discharged by all academic and administrative departments and divisions through Heads of Departments.
ICT Infrastructure Sub-Committee
ICT Infrastructure Sub-Committee advises the ISC on matters related to compliance with this policy, and is responsible for regularly reviewing it for completeness, effectiveness and usability.
Security Working Group
The Security Working Group acts as a focus for technical and other issues relating to information security and data protection within LT. It makes recommendations to the ICTISC on strategy and policy matters in relation to data protection, and receives reports from the Data Protection Officer.
Data Protection Officer
The Data Protection Officer (firstname.lastname@example.org) has primary responsibility for LT’s compliance with the DPA. This comprises:
- maintaining LT’s notification with the Information Commissioner’s Office
- ensuring completion of the Annual Survey of Personal Data Holdings
- handling subject access requests and requests from third parties for personal data
- promoting and maintaining awareness of the DPA and regulations, including training
- investigating losses and unauthorised disclosures of personal data.
The DPO is LT’s main contact for the Information Commissioner’s Office.
Clients and general users of Liaison Technology
Heads of Department and client managers are responsible for ensuring all users understands the role of the data protection principles in their day-to-day work, through induction, training and performance monitoring, and for monitoring compliance within their own areas of responsibility. They should also ensure Data Protection Coordinators are designated for their departments or divisions, and provided with appropriate training and support.
Data Protection Coordinators
Coordinators are required to:
- advise staff in their departments on the implementation of and compliance with this policy and any associated guidance / codes of practice
- ensure appropriate technical and organisational measures are taken within their departments to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- support LT’s notification with the Information Commissioner’s Office by maintaining the register of holdings of personal data, including databases and relevant filing systems, and the purposes of processing
- keep the Data Protection Officer informed of changes in the collection, use, and security of personal data within their department
- report any loss of personal data to the Head of Department / Division and the Data Protection Officer
- ensure the proper completion of applications for the data protection registration of new research projects before they are submitted to the Records Office
- confirm compliance with the PCI Data Security Standard in relation to the records of credit card payments made through the department.
Data Owners are responsible for:
- establishing and monitoring measures, in accordance with this policy and the information security policy, to protect any holdings of personal data for which they are responsible
- ensuring that those holdings are registered as part of the annual survey of personal data holdings
- ensuring that any transfer of personal data to third parties is authorised, lawful and uses appropriate safe transport mechanisms such as encryption.
- authorising the downloading of electronic personal data on to portable devices or the removal of manual personal data from LT premises or its data hosting partners
- informing their departmental Data Protection Coordinator when new holdings of personal data are established or when the purposes of processing change.
Data Custodians should ensure that their processing of personal data is compatible with the data protection principles, including the security and integrity of data sets.
Data processors have a contractual responsibility to act only on LT’s instructions and to ensure that their processing of personal data provided by LT is carried out in compliance with this policy and in accordance with the eight data protection principles. There should be a written agreement with data processors which adequately addresses these responsibilities.
Staff and Clients
All staff and Clients are responsible for:
- ensuring that their processing of personal data is compatible with the data protection principles
- raising any concerns in respect of the processing of personal data with the Data Protection Officer
- promptly passing on to the Data Protection Officer all subject access requests and requests from third parties for personal data
- reporting losses or unauthorised disclosures of personal data to the Data Protection Coordinator.
In order that LT can continue to comply with the fourth data protection principle, staff and students should ensure the personal data they provide about themselves is up to date.
6. Security of personal data
All staff Clients processing personal data should ensure that the data are secure: appropriate measures must be taken to prevent unauthorised access, disclosure and loss. Staff whose work includes responsibility for supervision of students have a duty to ensure that students observe the eight principles of the Act.
It is rarely necessary to store electronic personal data on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by LT. Similarly, manual personal data should not be regularly removed from LT premises. In the case of electronic data, to minimise the risk of loss or disclosure, a secure remote connection to LT should be used wherever possible.
Downloading personal data on to portable devices or taking manual personal data off-site must be authorised in writing by the Data Owner, who must explain and justify the operational need in relation to the volume and sensitivity of the data. The data must be strongly encrypted. To avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment.
Manual personal data and portable electronic devices should be stored in locked units, and they should not be left on desks overnight or in view of third parties.
In order to comply with the fifth data protection principle personal data should be securely destroyed when no longer required, with consideration for the format of the data.
Personal data must not be disclosed unlawfully to any third party. Transfers of personal data to third parties must be authorised in writing by the data owner and protected by adequate contractual provisions or data processor agreements, agree with LT’s notification and must use safe transport mechanisms.
All losses of personal data must be reported to the Departmental Data Protection Coordinator and the Data Protection Officer. Negligent loss or unauthorised disclosure of personal data, or failure to report such events, may be treated as a disciplinary matter and could be considered gross misconduct.
7. Publication of staff information
LT will make public as much corporate information as possible. LT will however not publish or make available any personal information held on any of the LT data centres that is owned by our clients and managed by us.
8. Access to personal data
8.1 Subject access rights
Data subjects have a right of access to their personal data, including some unstructured manual personal data. Access is controlled and regulated by the Liaison Technology.
Access is permissioned controlled at set-up stage and is managed by the DPA. The DPA is not able to view any password created by the individual user but is able to re-set the password on the recommendation of the user. LT will not charge a fee for any user to access his personal information.
Although the DPA applies only to living individuals, data about deceased persons who at the time of processing would be under 100 years old should be treated as personal data, unless the information is the subject of a valid request under Freedom of Information legislation.
It is sometimes necessary for 3BD to monitor information and communications. This may include personal data. The circumstances in which monitoring may be carried out, and procedures for doing so:
8.3 Third party access
In certain circumstances the DPA provides for disclosure of personal data, without the consent of the data subject, to certain organisations. Requests for such disclosures from third parties, such as the police, UK Border Agency, local authorities or sponsors, should be made in writing and handled by the Data Protection Officer. This will ensure the validity of the request and any warrants or orders of court can be checked. Staff disclosing personal data may not be protected by an invalid warrant.
9. Records Management
Records in all formats containing personal data must be created, stored and disposed of in accordance with LT’s Records Management Policy and any associated procedures and codes of practice. They must be authentic, reliable and usable and capable of speedy and efficient retrieval. They must be retained for no longer than the periods permitted in LT’s retention schedule and, when no longer required for operational reasons, must be transferred to LT’s in-house records storage facility or institutional archive (if selected for permanent preservation) or disposed of securely and confidentially.
10. Research using personal data
Personal data processed for research, statistical and historical purposes must not be used to support decisions with respect to data subjects or processed so as to cause them substantial damage or distress. Notwithstanding the fifth data protection principle, such data may be kept indefinitely. They may also be further processed for other research purposes and are exempt from the right of subject access as long as the results of the research do not identify data subjects.
Staff and students using personal data in research must:
- understand how personal data may be used in research
- use the minimum data necessary for the research, including, wherever possible, anonymised or pseudonymised data
- ensure their processing complies with all the data protection principles
- inform Data Protection Coordinators about research before processing of personal data begins
- register all research projects involving personal data with the Records Office before processing begins
- where relevant, inform data subjects about the purposes of the processing and ensure valid written consent is obtained
- ensure all personal data collected are necessary for the purpose(s) of the research
- keep the data securely
- ensure personal data are destroyed confidentially, stored with the Records Office or otherwise disposed of in compliance with agreements with funders.
This document is a part of LT's information security policy and has been approved by LT's Information Strategy Committee. It is a condition of employment that employees will abide by the regulations and policies made by LT. Likewise, these latter are an integral part of the regulations for students.
THE DATA PROTECTION PRINCIPLES
It is the duty of data controllers and data processors to comply with all the data protection principles. These are set out in Schedule 1 of the Data Protection Act 1998, from which the following extract is taken:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data