DATA PROTECTION POLICY

DATA PROTECTION POLICY

This personal information must be collected and dealt with appropriately whether is collected on paper, stored in a computer database, or recorded on other material and there are safeguards to ensure this under the Data Protection Legislation

DATA CONTROLLER
 
[Organisation name] is the Data Controller under the Data Protection Legislation, which means that it determines what purposes personal information held, will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.

DISCLOSURE
 
[Organisation name] may share data with other organisations, but only in-so-far-as it is necessary for us to be able to operate and provide services.

[Organisation name] have Privacy Notices for each key service area and this sets out the basics. In some cases there may be additional documents - contract, agreement, terms - with more details specific to the person or service.

The Individual/Service User will be made aware how and with whom their information will be shared. There are circumstances where the law demands [Organisation name] to disclose data (including sensitive data) without the data subjects consent.

These include:
Item a) Carrying out a legal duty
Item b) Protecting vital interests of a Individual/Service User or other person
Item c) The Individual/Service User has already made the information public
Item d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights
Item f) Monitoring for equal opportunities purposes i.e. race, disability or religion

[Organisation name] regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. [Organisation name] intends to ensure that personal information is treated lawfully and correctly.

To this end, [Organisation name] will adhere to the Principles of Data Protection, as detailed in the Data Protection Legislation, and following the latest guidance generally available from the ICO website

Specifically, the Principles require that personal information:

Item 1) Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,
Item 2) Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,
Item 3) Shall be adequate, relevant and not excessive in relation to those purpose(s)
Item 4) Shall be accurate and, where necessary, kept up to date,
Item 5) Shall not be kept for longer than is necessary
Item 6) Shall be processed in accordance with the rights of data subjects under the Act,
Item 7) Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,
Item 8) Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information, without the knowledge and agreement of the data-subject.

[Organisation name] will, through appropriate management and strict application of criteria and controls:

Item a) Observe fully conditions regarding the fair collection and use of information
Item b) Meet its legal obligations to specify the purposes for which information is used
Item c) Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements
Item d) Ensure the quality of information used

DATA COLLECTION

[Organisation name] will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form, or by mutual agreement (eg contract, terms-and-conditions, etc.)

[Organisation name] have a Privacy Notice and this sets out the basics. In some cases there may be additional documents - contract, agreement, terms - with more details specific to the person or service.

When collecting data, [Organisation name] will ensure that the Individual/Service User:

Item 1) Clearly understands why the information is needed
Item 2) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing
Item 3) As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
Item 4) Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
Item 5) Has received sufficient information on why their data is needed and how it will be used

DATA RETENTION AND STORAGE
 
Information and records relating to service users will be stored securely and will only be accessible to authorised personnel.

We operate a records retention policy which sees the deletion, archive, return of documents at the point of their expire and in accordance with the policy and processes outlined in the records retention policy.

[Organisation Name] have a Records Management Policy and Data Retention
Schedule to ensure information will be stored for only as long as it is needed or
required by statute, legislation or regulation and will be disposed of appropriately.

For contracts with the States of Jersey [Organisation Name] are bound by Freedom
of Information FOI, and will act in accordance for States of Jersey Contracts.

We operate an information security policy which complies with Cyber Essentials principles

Secure your Internet connection
Secure your devices and software
Control access to your data and services
Protect from viruses and other malware
Keep your devices and software up to date

It is [Organisation Name] responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

DATA ACCESS AND ACCURACY

All Individuals/Service Users have the right to access the information [Organisation Name] holds about them. [Organisation Name] will also take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

In addition, [Organisation Name] will ensure that:

  1. It has a Data Protection Manager with specific responsibility for ensuring compliance with Data Protection
  2. Everyone processing personal information understands that they are contractually responsible for following good data protection practice
  3. Everyone processing personal information is appropriately trained to do so
  4. Everyone processing personal information is appropriately supervised
  5. Anybody wanting to make enquiries about handling personal information knows what to do
  6. It deals promptly and courteously with any enquiries about handling personal information
  7. It describes clearly how it handles personal information
  8. It will regularly review and audit the ways it holds, manages and uses personal information
  9. It regularly assesses and evaluates its methods and performance in relation to handling personal information
  10. All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

DATA TRANSFERS

[Organisation Name] have a Data Transfers Policy and Schedule which lists all the systems, applications or services that may transfer data outside the EU. This also lists the measures taken to ensure that personally identifiable data is private, safe and secure using appropriate technical and organisational measures .

DATA PROTECTION RIGHTS

We will respect Data Protection Rights. Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data and
  • other supplementary information
  1. the purposes of the processing
  2. the categories of personal data concerned
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  6. the right to lodge a complaint with a supervisory authority
  7. where the personal data are not collected from the data subject, any available information as to their source
  8. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.