Usage Policy

Data Protection Policy, Disability Peterborough

 

Disability Peterborough holds information on staff, volunteers and clients. This information is personal data, and therefore subject to the 1998 Data Protection Act. Data protection legislation has been around since 1984. This has been strengthened by the Data Protection Act, which gives rights to Data Subjects and creates a framework of good practice for those holding personal data. Disability Peterborough is registered with the Data Protection Register.

What is personal data?

  • Held on computer
  • Held in relevant manual files
  • Information intended for those systems (e.g. questionnaire forms)
  • Certain other information held by government and local government agencies

Who is responsible for the Data?

The manager is ultimately responsible for dealing with the personal data in the appropriate manner. In addition, all staff and volunteers have a duty to protect the privacy of all our clients and will follow the procedure in this policy.

 

Duties under the act

There are eight principles of good practice under the Act

Data must be:

  1. Fairly and lawfully processed
  2. Processed only for specified and lawful purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept longer than necessary for purpose specified
  6. Processed in accordance with the rights of the data subject
  7. Secure from the point of collection through to disposal
  8. Not transferred to countries without adequate protection of data subjects (e.g. the Internet)

When are you allowed to process data?

The 1998 Act states that personal data should be processed fairly and lawfully.  Processing of data can only be carried out where at least one of the following applies:

  1. The Data Subject has given consent
  2. Processing is necessary to fulfil contractual obligations to which the Data Subject is party
  3. Processing is necessary due to legal obligation
  4. Processing is necessary to protect the vital interests of the Data Subject
  5. Processing is necessary for various judicial and government functions
  6. Processing is in the legitimate interests of the Data Controller, unless it conflicts with the Data Subject’s rights, interests and freedoms

 

Sensitive Data

This is information about:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs or similar
  • Alleged criminality/criminality
  • Trade union membership
  • Physical or mental health
  • Sex life

The intention of the 1998 Act is that, wherever possible, one should obtain the explicit consent of the client in order to process sensitive data, e.g. by use of a client consent form. To hold sensitive information you should meet at least one of the following conditions.

  1. There is explicit consent
  2. There is a legal obligation to process data in connection with employment
  3. The data is in the vital interests of the data subject or another person, or it is reasonable to proceed without it.
  4. The data has been made public by the Data Subject
  5. You are processing data in connection with giving legal advice or representation
  6. You are processing data in connection with certain judicial or government functions
  7. You are processing data in connection with medical care and are bound by a practitioner’s duty of confidentiality
  8. You are processing data in order to monitor equal opportunities
  9. You are processing data in connection with giving confidential counselling, advice, support or other services, and can’t obtain permission, or it is reasonable to proceed without it
  10. You are processing data in connection with various insurance activities

 

Security

Security has two main principles: to stop anyone seeing information that they shouldn’t, and to stop data getting damaged, lost or destroyed. All staff and volunteers will follow the guidelines below.

Controlling access

  • Keep confidential files locked away
  • Don’t allow unauthorised people to be left alone with personal data
  • Clear away personal data before leaving the office (and letting the cleaners in)
  • Encrypt and password-protect databases and e-mail
  • Keep track of personal data that people take out of the office
  • When you delete files, ensure that they’ve left the system (i.e. empty the recycle bin)
  • Change passwords regularly
  • Shred manual files when case expiry date is reached

Measures for avoiding loss or damage

  • Keep backups of electronic data
  • Protect manual files and backups from fire
  • Protect against computer viruses
  • Don’t take client case files out of the office unless it’s a secure copy

 

Rights of the Data Subject

Clients have the right to make a ‘Subject Access Request’.  This request, made in writing (letter, fax, or e-mail) entitles the client to:

  • A description of the data being processed
  • An explanation of why the data is being processed
  • A copy of all the data you hold on them
  • A description of the source of the data
  • A description of potential recipients of the data

The client has the right to prevent processing likely to cause damage or distress.