The Data Protection Act 1998 places legal responsibilities on organisations that collect and use personal information and gives individuals certain rights of access. The Act covers information that is structured, including data processed automatically by computer and information recorded as part of a relevant filing system. The Act was amended by the Freedom of Information Act 2000 so that, for public authorities, it also covers personal information that is neither processed automatically nor part of a relevant filing system. The Act imposes stricter requirements on the processing of sensitive personal data. Information can be held in any format, e.g. computer systems, paper records or CCTV. ‘Personal information’, ‘sensitive personal data’, ‘processing’ and ‘relevant filing system’ are defined in Appendix A.

In the course of carrying out its business, Muss Consulting LTD (“the Company”) needs to collect and use certain types of information about people, such as employees, clients, customers and suppliers, and is therefore subject to the Act. This policy document sets out the Company’s intentions to fulfil its obligations under the Act and the arrangements it has put in place to comply with it.
Responsibility for the Act
The Company is committed to ensuring that all staff comply with the Act. The Company has a Registered Data Controller responsible for compliance with the Act.
Adhering to the Eight Principles of the Act
The Company will collect and use personal information in accordance with the eight principles of the Act which require that:
- Personal data shall be processed fairly and lawfully. This includes observing at least one of the conditions described in Schedule 2 of the Act (and Schedule 3 in relation to sensitive personal data)
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal data held for any purpose shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. The Company will collect and process only the information required to fulfil its operational needs or to comply with legal requirements
- Personal data shall be accurate and where necessary, kept up to date
- Personal data shall not be kept for longer than is necessary
- Personal data shall be processed in accordance with the rights of data subjects under the Act
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal data shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
The Company will also:
- Ensure that all staff receive training and guidance so that they understand that they are contractually responsible for complying with the law and know how to process information in accordance with the eight principles
- Put in place procedures for complying with the eight principles
- Put in place appropriate technical and organisational security measures to safeguard personal information
- Ensure that individuals are informed of the purposes for which their data will be used and that consent is sought for such use, where required by the Act
The Company will ensure that individuals can exercise their rights under the Act, including the right of subject access to personal information; the right to prevent the processing of personal information in certain circumstances, including for the purposes of direct marketing; and the right to have inaccurate information rectified, blocked, erased or destroyed.
Section 7 of the Act gives individuals the right to be told by data controllers (those who determine the purposes for which, and the manner in which, personal data are processed):
- Whether they process information about them (the subject)
- To be given a description of the information that they process
- To be told to whom the information is disclosed
- And to have copies of such information provided to them in a form that they can understand
The Company will supply this information provided that the request is made in writing; the applicant gives sufficient information to enable the Company to locate the information requested; and a fee of £10 is paid in advance by the person making the request. The Company will respond to such requests within 40 calendar days of receipt. Additional fees may be charged for searching for unstructured manual information (that is, information that is not held on computer and does not form part of a relevant filing system), but only if such information would take more than three days’ work to locate and retrieve.
The Company will provide the information in a permanent format that is understandable to the applicant, unless the supply of such a copy would involve disproportionate effort, or the applicant agrees otherwise. Where this is the case, the Company will arrange for the applicant to inspect the records.
Personal information may be withheld from disclosure to the applicant if it falls under any of the exemptions described in the Act and subordinate legislation. The Company’s Directors shall decide whether information is to be withheld from a response to a subject access request on the basis of such an exemption.
The Right to Prevent Processing Personal Information in Certain Circumstances, Including for Purposes of Direct Marketing
The Company will comply with the rights of individuals under Sections 10, 11 & 12 of the Act. For example, the Company will not use personal information for marketing purposes where the person it refers to has asked the Company not to use it for such purposes.
The Right to Rectify, Block, Erase or Destroy Inaccurate Information
The Company will comply with its responsibilities under Section 14 of the Act to rectify, block, erase or destroy inaccurate data it holds about an individual.
Any complaints about the way in which the Company deals with personal information will be dealt with by the Company’s CEO who will arrange for the matter to be investigated. If the complainant is dissatisfied with the outcome of the investigation by the Company, they may complain directly to the Information Commissioner. Appeals against the decision of the Information Commissioner can be made to the Information Tribunal.
Appendix A - Definitions
“Personal information” or “personal data” is information that affects a person’s privacy, whether in his/her personal or family life or in his/her business or professional capacity. It is information that has the individual as its focus. An individual’s name alone is unlikely to be personal data where it is not associated with any other personal information; if it is coupled with other information about him/her, e.g. his/her address or phone number, it is likely to be personal information. Medical history, salary details and bank statements are all examples of personal information. Personal information may also include any expression of opinion about the individual. Information that has something else as its focus, e.g. a property survey, will not be personal information. The mere fact that a person is mentioned in a document does not make it personal information.
“Sensitive personal data” means information about a person relating to their racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, or the commission or alleged commission of any offence and any related proceedings (criminal records).
“Processing”, in relation to information or data, means obtaining, recording, holding or using the information. Using the information includes altering it, retrieving or consulting it, disclosing it by making it available to others, or destroying it.
“Relevant filing system” means a set of information structured, either by reference to individuals, or by reference to criteria relating to individuals, so that specific information about individuals is readily accessible.