Data Protection Policy 2018
Note: the definition of health is considered broadly under the Act; it is not defined exhaustively but includes preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services. It will also include any information about disability or learning difficulty.
some forms of information for longer than others. Information shall be retained in accordance with BSW’s Records Retention Policy and associated Records Retention Schedule and disposed of securely at the end of retention.
Anyone in BSW processing personal data shall consider the following:
As required by the Act, BSW has notified the U.K. Information Commissioner that it processes personal data. The registration number of the Notification is ZA307893 and can be viewed by searching the register on the ICO website at: http://www.ico.org.uk/esdwebpages/search. The Data Protection Officer for BSW is the Centre Manager.
Guidelines are appended to this policy to advise staff on best practice procedures to follow. These guidelines may be subject to change or revision by the Data Protection Officer or a delegate.
Further information about this policy, Subject Access Requests, retention and disposal of data and/or any other data protection issues should be addressed to firstname.lastname@example.org
These Guidelines should be read in conjunction with BSW’s Data Protection Policy. Examples are set out below to illustrate some of the scenarios staff might experience and best practice to be adopted.
All staff will process personal data in one form or another and as such have a duty to ensure that this is done fairly (1st Principle), stored securely (7th Principle) and disposed of when it is no longer required (5th Principle). As such, all staff should be aware of the eight Data Protection Principles and bear in mind the ‘Checklist for Processing Data’ detailed in the Policy. In particular, be aware of what constitutes sensitive personal data and the special circumstances under which it can be processed. Any and all of the below may be applicable to you.
Anyone who wishes to make a data Subject Access Request (SAR) should fill in an SAR Form available from the centre manager, though it is not mandatory. Any SAR received within BSW should be copied to the centre manager so it can be logged. If in doubt as to whether you have received an SAR or how to respond to it, please contact him for assistance.
BSW, as Data Controller, must respond to such a request, in full, within forty calendar days. There are certain requirements that must be satisfied by the Data Subject before the forty day period begins:
† this fee will be waived for basic requests from current employees.
* data which may be produced in the event of an SAR is usually to be found in what the Act defines as a ‘relevant filing system’. However, if the request contains a description of the data, the individual would have a right of access to unstructured data. For further details, please use the contact details below.
When processing personal data it is important that this complies with the eight Data Protection Principles. For example, at the point of collection the form, web page or similar should state the purpose for collection and no data other than that required for that particular transaction should be collected. For help drafting such a fair processing/privacy notice please use the contact details below. It is good practice to collect consent at this point and keep a record of the consent given as an audit trail. The fair processing notice to students, displayed on (re-)enrolment in MySIS, makes data sharing between departments possible. Also, appropriate security measures must be taken when storing, moving or transmitting data, such as encryption.
At the point of collection the following information should be provided:
III (i) Storage, handling and disposal of data
Personal data should be marked with an appropriate classification
and stored and handled (and disposed of) as determined by these. Data is to be given appropriate levels of access control and security. This means that it should be safeguarded by means of lockable cabinets and password and/or encryption protection, depending on format.
Make sure you use passwords which are strong and hard to guess. Never share or write passwords down and keep a log of who has access to secure areas. Secure personal information physically by restricting access to only those who need it for the performance of their duties and lock cabinets, rooms and computers when the information is not in use. Use confidential waste facilities/shredding.
Sensitive personal data should usually only be recorded when the Data Subject has given express consent. There are some exceptions to this listed in Schedule 3 of the Act such as to protect the vital interests of the individual or another person or to monitor equal opportunities.
– What to do
When recording data like absences, extenuating circumstances or disciplinary offences on a file, only brief notes should be made with little or no detail e.g. “absent due to ill health”.
Staff and volunteers are entitled to information about their marks for all types of assessment, as well as decisions made on development progress, award and classification. These are normally available as a matter of course but BSW may withhold marks, transcripts and certificates or notification of decisions relating to progression or award where a Data Subject has not passed a qualification. However, access to this information is within the provisions of the Act and marks and other data will be released if a subject access request is made. Examination scripts (answer books) are exempt from the right of access.
Markers could make their comments on a separate sheet (although it should be remembered that data must be presented in “an intelligible form” to a Data Subject making an SAR). It is acceptable to destroy the marking sheets/scripts once marks have been finalised, if this is part of standard procedure but this should be done in accordance with the Records Retention Policy. In all cases examiners should be aware that their comments may be read by the candidate, so offensive, subjective or opinionated statements must be avoided.
If any form of assessment relies purely on automated means then a Data Subject has the right:
IV (ii) Disclosure of results
What to do
If exams are not marked until fees are paid then there will be no data to access. However, this could be argued to be a form of student bias and even infringe human rights. Exam results should be provided if an SAR is submitted but re-enrolment or graduation could be prevented. Publishing examination results is a common and accepted practice. Nonetheless, if exam results or classifications are to be published publicly, such as at a degree ceremony, it is good practice to gain consent and offer an opt-out. See also the current Assessment Handbook.
NB The timescale for responding to SARs that relate to examination marks or results is extended from forty days to:
IV (iii) Examination boards
Board secretaries should ensure that minutes are purely factual. If access is provided, any other individual’s details must be redacted unless they have given their consent to the disclosure
VII (i) Disciplinary procedures
If there is a disciplinary process against an employee, then only that employee has a right to know the details of that process. For example, if an accusation is made by a student or member of staff against another member of staff, expectations should be managed from the start. The accuser does not have a right to be kept informed or to
know the outcome of the process. Only tell them that the procedure has been completed when it has, but not how.
VII (ii) Sick notes
Sick notes should not have to be seen by line managers unless explicit consent has been given by the employee.
Images of identifiable individuals are personal data.
Consent should be sought wherever possible, especially of individual shots because they can be readily identified. Where this is not practical for each individual, for example at an event or at a degree ceremony, Data Subjects should be made aware so that it is within their expectations: a statement should appear on tickets/programmes and/or a notice be displayed explaining that photographs/video are being taken and the purpose to which these may be put. All photographers should be clearly identified, e.g. with a visible badge. If taking photographs of children consent must be obtained from a parent or guardian.
If a guest, visitor, volunteer or staff member objects to having a photograph published, on the website for instance, then it must be removed. Prior consent should be sought wherever possible.
In addition, individuals whose image has been recorded by CCTV have a right of access to a copy of those images by making a subject access request.
It is accepted that, for example, staff, and volunteers might reasonably expect BSW to send a variety of mailings to them. However, anyone else receiving direct marketing material should be advised of their rights and given the opportunity to opt out in every communication.
The Act makes it clear that it is a serious offence to disclose any personal data to a non-authorised person, including orally. It can usually only be released with the Data Subject’s consent, unless one of the exemptions is met or a court order issued.
Parties may process data which has been passed to it by BSW. It is important to ensure that a written agreement is in place covering the services the third party is to provide and that it includes specific provisions covering its responsibilities for the personal data passed on to them (e.g. an obligation to assist BSW in responding to an SAR) and references the Act. Ideally the third party should provide an indemnity covering any penalties BSW might suffer as a result of their use of the data. The burden is on BSW to ensure that Data Processors do not breach the Act. Other data processors of BSW might be East Sussex County Scout Council.
The correct procedure is to pass any message on to the Data Subject (if over 18) and leave it up to them to contact the caller. Even if the message is from an apparently anxious parent, there is no requirement to reveal details or even confirm the Data Subject exists! If an enquirer telephones and claims to be the Data Subject, to provide some measure of authentication, offer to call back. Otherwise there needs to be some system of security questions/passwords to confirm the identity of the caller.
These requests most commonly come from the police but may also come from an investigation in to tax/benefit fraud or immigration e.g. from local government or the UKVI. The agency must complete a Section 29 form (available on request) to apply for access specifying the purposes for which it is required. The data must be necessary, not just helpful to these purposes. Even then BSW is not compelled to release the data without the Data Subject’s consent: there is a need to ensure proportionality, so rights and interests should be balanced in coming to a decision. It’s important to verify the identity of anyone making such requests and ensure the request is counter-signed by an authorised individual. This should be someone who is senior in rank/position to the requester.
The consent of the Data Subject is not required if a failure to release data would result in her or a third party’s harm or if required to perform a regulatory function, such as securing health and safety at work.
This is relevant for compliance with the 8th Principle. The European Commission has recognised the following territories as having adequate data protection:
All losses or unauthorised disclosures must be reported to the Centre Manager. Any (suspected) breaches should then be notified to the ICO. Although there is no legal obligation on Data Controllers to report breaches of security which result in loss, release or corruption of personal data, the ICO believes serious breaches should be brought to its attention.
Any new purposes must be added to BSW’s Registration with the ICO before the processing of data begins. Therefore, you must inform the Centre Manager to notify the ICO to make the amendment.
There are other policies and procedures which are applicable to data protection, for example the Information Security Policy provides guidance on storage, access, safeguards, removal etc. and the Records Retention Schedule details how long data should be kept. The Records Retention Policy lays out staff responsibilities. In addition, the Guidelines on the right to privacy and the monitoring of data give information on the rights of employees and the right of BSW to monitor employees’ activities.
The advice above is not exhaustive. Please contact the Centre Manager for further information
Broadstone Warren Scout Site and Activity Centre
tel: 01342 822573