1. Data Protection Policy Statement
Vision Training (North East) Ltd is fully committed to compliance with the requirements of the Data Protection Act 1998. We will therefore follow procedures which aim to ensure that all employees who have access to any personal data held by or on behalf of the company are fully aware of and abide by their duties under the Data Protection Act 1998.
Vision Training (North East) Ltd needs to collect and use information about people with whom it works in order to operate and carry out its functions. These may include current, past and prospective employees, learners, clients and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used and whether it is on paper, in computer records or recorded by other means.
Vision Training (North East) Ltd regards the lawful and appropriate treatment of personal information as very important to the successful operation of its business and essential to maintaining confidence between itself and those with whom it carries out business. We therefore fully endorse and adhere to the Principles of the Data Protection Act 1998.
This policy applies to all employees and directors of Vision Training (North East) Ltd.
4. Roles and Responsibilities
The Managing Director has responsibility for ensuring everyone handling personal data complies with the Data Protection Act and this policy and will act as the Caldicott Guardian – Data Protection Officer. They are also responsible for ensuring everyone handling personal data receives adequate Data Protection training and support and will investigate all breaches of the Act.
All employees have a duty to protect the information held by the company, and access to personal data must be on a strict need-to-know basis. Personal data must not be discussed or disclosed without appropriate authorisation.
5. Data Protection Policy Implementation – Procedures
5.1 Vision Training will, through management and use of appropriate controls, monitoring and review:
- Use personal data in the most efficient and effective way to deliver better services
- Strive to collect and process only the data or information which is needed
- Use personal data for such purposes as are described at the point of collection, or for purposes which are legally permitted
- Strive to ensure information is accurate
- Not keep information for longer than is necessary
- Securely destroy data which is no longer needed
- Take appropriate technical and organisational security measures to safeguard information (including unauthorised or unlawful processing and accidental loss or damage of data)
- Ensure that information is not transferred abroad without suitable safeguards
- Ensure that the rights of people about whom information is held can be fully exercised under the Data Protection Act 1998
- These rights include:
  - The right to access their own personal information within 40 days of request
  - The right to prevent processing in certain circumstances
  - The right to correct, rectify, block or erase information regarded as wrong
- Ensure that the company has an employee who is specifically responsible for data protection
- Provide guidance and training, as part of the induction training, at an appropriate level
- Ensure that any breaches of this policy are dealt with appropriately through the disciplinary procedure
5.2 The Principles of Data Protection
The Data Protection Act stipulates that anyone processing personal data must comply with 8 principles of good practice. These principles are legally enforceable.
Summarised, the principles require that personal data:
- Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed
- Shall be accurate and where necessary, kept up to date
- Shall not be kept for longer than is necessary for that purpose or those purposes
- Shall be processed in accordance with the rights of data subjects under the Act
- Shall be kept secure, i.e. protected by an appropriate degree of security
- Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and ‘sensitive’ personal data.
Personal data is defined as data relating to a living individual who can be identified from:
- That data
- That data and other information which is in the possession of, or is likely to come into the possession of, the data controller; this includes any expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of the individual
Sensitive personal data is defined as personal data consisting of information as to:
- Racial or ethnic origin
- Political opinion
- Religious or other beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life
- Criminal proceedings or convictions
5.3 Information Security
Effective methods of security must be in place to help prevent the inappropriate disclosure or loss of personal data.
5.3.1 Access to areas where data is stored and used must be controlled as follows:
- Paper files must be locked away when not in use and electronic systems must be password protected, with only authorised users being given access.
- Access to paper records or screens which display confidential data relating to other individuals must be protected at all times. Employees working away from the office must ensure records are adequately protected at all times, preventing damage, theft/loss and unauthorised access to personal data. No personal records are to be left unattended at any time (e.g. employees must not leave records in their cars).
- Electronic data must be stored only on Vision Training (North East) computers/systems and be regularly backed up to prevent the loss of valuable data.
- Personal data must never be stored on a computer desktop or on an unsecured mobile device such as a memory stick or compact disc. Data must not be stored on any personal equipment belonging to employees, such as home computers, laptops, mobile phones, memory sticks, compact discs, MP3 players, cameras or any other device.
- Desktop computers, laptops and smartphones must be password protected and locked when left unattended during the day. Employees are required to log off and shut down all systems at the end of the working day and must not disclose passwords to colleagues or use passwords belonging to other employees. The password holder will be held liable for any breach of the Act.
5.4 Information Sharing
Sensitive personal data will only be disclosed with the informed consent of the data subject (except in the circumstances outlined below), and the signed consent form must be retained on the relevant employee/client file. In some cases verbal consent may be given and this must be recorded accurately within the relevant file. Consent cannot be assumed by a non-response to a request for consent.
5.4.1 There are circumstances in which personal data may be disclosed without obtaining the data subject’s consent, such as safeguarding the data subject or others, and to assist with the prevention and detection of crime. Wherever possible, express informed consent for sharing sensitive personal data will be sought from the data subject. Where this is not possible or is contrary to the public interest, Vision Training (North East) Ltd will ensure that the sharing of data meets the relevant condition or exemption from the non-disclosure provisions contained within the Act.
5.5 Secure Transfer of Data
The transfer of data in all formats (e.g. in writing, by email or fax, face to face or by phone) must be completed in a secure manner, ensuring the identity of the recipient has been verified. This will help prevent personal data being misplaced or disclosed in error.
When providing information by email, personal details must not be placed in the subject heading, and personal email accounts must not be used to send personal data.
5.5.2 Postal mail
Paper based data must be delivered to a named individual using the Royal Mail. Personal and sensitive information (for example, Data Capture Forms and Individual Learning Plans) must be assessed by a manager before posting. In certain circumstances it may be appropriate to consider the use of Recorded Delivery to protect information.
5.6 Complaints about Personal Data
A data subject has the right to have inaccurate factual data corrected, and to have comments or views added to the original record. Individuals wishing to make a complaint about the way in which their data has been handled should be referred to Vision Training (North East) Ltd.’s complaints procedure in the first instance. Where the complaint cannot be resolved, the complainant has the right to refer the case to the ICO for advice.
Vision Training (North East) Ltd provides training and guidance, and expects all employees to comply with its policies on confidentiality. Personal data is provided in confidence and must be processed and used in accordance with the eight Data Protection principles. Wherever possible the data subject must be informed when we disclose data to a third party. Where the company has a statutory duty to provide information in relation to a police investigation, or where an individual is at risk of harm, information may be disclosed without notifying the data subject.
Vision Training (North East) Ltd. provides basic Data Protection training to all employees as part of their induction training.