Background
Newby Leisure Limited needs to collect person-identifiable information about individuals in order to carry out its functions and fulfil its objectives. Personal data is defined as ‘information which relates to a living individual and from which they can be identified, either directly or indirectly’.
Personal data at Newby Leisure Limited can include employees (present, past and prospective), contractors and third parties, private and confidential information as well as sensitive information, whether in paper, electronic or other form.
Irrespective of how information is collected, recorded and processed person identifiable information must be dealt with properly to ensure compliance with the Data Protection Act (DPA) 1998 and the forthcoming General Data Protection Regulations (GDPR).
The DPA requires Newby Leisure Limited to comply with the eight Data Protection Principles (see Appendix A below) and to notify the Information Commissioner about the data that we hold and why we hold it. This is a formal notification and is renewed annually.
The DPA gives rights to data subjects (people that we hold information about) to access their own personal information, to have it corrected if wrong, in certain permitted circumstances to ask us to stop using it and to seek damages where we are using it improperly.
The lawful and correct treatment of person-identifiable information by Newby Leisure Limited is paramount to the success of the organisation and to maintaining the confidence of its service users and employees. This policy will help Newby Leisure Limited ensure that all person-identifiable information is handled and processed lawfully and correctly.
Data Protection Act and GDPR principles
Newby Leisure Limited has a legal obligation to comply with all relevant legislation in respect of data protection and information / IT security. The organisation also has a duty to comply with guidance issued by advisory groups and professional bodies.
All legislation relevant to an individual’s right to the confidentiality of their information and the ways in which that can be achieved and maintained are paramount to Newby Leisure Limited. Significant penalties can be imposed upon the organisation or its employees for non-compliance.
The aim of this policy is to outline how Newby Leisure Limited meet its legal obligations in safeguarding confidentiality and adheres to information security standards. The obligations within the policy are principally based upon the requirements of the Data Protection Act 1998 and the forthcoming GDPR, as the key legislative and regulatory provisions governing the security of personal identifiable information.
Other relevant legislation and guidance referenced and to be read in conjunction with this policy, is outlined together with a brief summary at Appendix B.
1. What information is covered?
Personal data within the respective legislation and regulatory provisions covers ‘any data that can be used to identify a living individual either directly or indirectly’. Individuals can be identified by various means including but not limited to, their address, telephone number or e-mail address. Anonymised or aggregated data is not regulated data is not regulated by the provisions, providing the anonymisation or aggregation of the data is irreversible.
2. Policy statement
This document defines the data protection policy for the NEWBY LEISURE LIMITED. It applies to all person-identifiable information obtained and processed by the organisation and its employees.
It sets out:
The organisation’s policy for the protection of all person-identifiable information that is processed §
Establishes the responsibilities (and best practice) for data protection
References the key principles of the Data Protection Act 1998 and GDPR
Principles
The objective of this policy is to ensure the protection of NEWBY LEISURE LIMITED’s information in accordance with relevant legislation, namely:
3. To ensure notification;
Annually notify the Information Commissioner about the NEWBY LEISURE LIMITED’s use of person-identifiable information.
4. To ensure professionalism;
All information is obtained, held and processed in a professional manner in accordance with the eight principles of the Data Protection Act 1998 and the provisions of the GDPR.
5. To preserve security;
All information is obtained, held, disclosed and disposed of in a secure manner.
6. To ensure awareness;
Provision of appropriate training and promote awareness to inform all employees of their responsibilities.
7. Data Subject access;
Prompt and informed responses to subject access requests.
The policy will be reviewed periodically by the NEWBY LEISURE LIMITED Leadership Team. Where review and update is necessary due to legislative changes this will be done immediately.
In accordance with the NEWBY LEISURE LIMITED’s equality and diversity policy statement, this procedure will not discriminate, either directly or indirectly, on the grounds of gender, race, colour, ethnic or national origin, sexual orientation, marital status, religion or belief, age, union membership, disability, offending background or any other personal characteristic.
2. Scope of this policy
This policy will ensure that person-identifiable information is processed, handled, transferred, disclosed and disposed of lawfully. Person-identifiable information should be handled in the most secure manner by authorised staff only, on a need to know basis.
The procedures cover all person identifiable information whether, electronic or paper which may relate to employees, contractors and third parties about whom we hold information.
2. Policy
NEWBY LEISURE LIMITED obtains and processes person-identifiable information for a variety of different purposes, including but not limited to:
staff records and administrative records
matters relating to the prevention, detection and investigation of fraud and corruption in the National Health Service and the wider heath service
complaints and requests for information.
Individual Rights
The right to be informed
To provide ‘fair processing information’ and emphasise the need for transparency
The right to access
Individuals have the right to access their personal data. The right to access enables the individuals to be aware of and check the legitimacy of the processing of personal data.
The right to get rectified
GDPR gives individuals the right to have personal data altered, if personal data is inaccurate or incomplete
The right to erasure
Commonly known as ‘the right to be forgotten’. Enabling individuals to request the deletion or removal of personal data, when there is no compelling reason for its continued process.
The right to restrict processing
An individuals right to block the processing of personal data. Restricting any process from going ahead, you are permitted to store the data, but you cannot further the process.
The right to object
Individuals have the right to object to : direct marketing and processing for purposes of scientific/historical research and statistics. (including profiling)
Such information may be kept in either computer or manual records. In processing such personal data NEWBY LEISURE LIMITED will comply with the data protection principles within the Data Protection Act 1998.
3. Data protection responsibilities
Overall responsibilities
NEWBY LEISURE LIMITED Board members, collectively known as the ‘data controller’ permit the organisation’s staff to use computers and relevant filing systems (manual records) in connection with their duties. The NEWBY LEISURE LIMITED Board members have legal responsibility for the notification process and compliance of the Data Protection Act 1998.
NEWBY LEISURE LIMITED Board members whilst retaining their legal responsibilities have delegated data protection compliance to the Data Protection Officer.
The Data Protection Officer’s responsibilities have been allocated to the organisation’s Information Governance and Risk Management Lead. Data Protection Officer’s (DPO) responsibilities
Data Protection Officer’s responsibilities include:
ensuring that the policy is produced and kept up to date
ensuring that the appropriate practice and procedures are adopted and followed by NEWBY LEISURE LIMITED.
provide advice and support to the Board on data protection issues within the organisation.
work collaboratively with Organisational Development and Governance and Assurance to help set the standard of data protection training for staff.
ensure data protection notification with the Information Commissioner’s Office is reviewed, maintained and renewed annually for all use of person identifiable information.
ensure compliance with individual rights, including subject access requests.
act as a central point of contact on data protection issues within the organisation.
implement an effective framework for the management of data protection.
Line managers’ responsibilities
All line managers across Newby Leisure Limited are directly responsible for:
Ensuring their staff are made aware of this policy and any notices
Ensuring their staff area aware of their data protection responsibilities
Ensuring their staff receive suitable data protection training
General responsibilities
All NEWBY LEISURE LIMITED employees, including temporary and contract staff are subject to compliance with this policy. Under the GDPR individuals can be held personally liable for data protection breaches.
All NEWBY LEISURE LIMITED employees have a responsibility to inform their business unit Leads and the Data Protection Officer of any new use of personal data, as soon as reasonably practicable after it has been identified.
All NEWBY LEISURE LIMITED employees will, on receipt of a request from an individual for information held, known as a subject access request or concerns about the processing of personal information, immediately notify the Information Governance Officer.
Employees must follow the subject access request procedure (see Appendix C below).
4. Monitoring
Compliance with this policy will be monitored by the Finance and Corporate Governance team, together with internal audit reviews where necessary.
The Information Governance and Risk Management Lead is responsible for the monitoring, revision and updating of this policy document on an annual basis or sooner, should the need arise.
5. Validity of this policy
This policy will be reviewed at least annually under the authority of the NEWBY LEISURE LIMITED Board members. Associated data protection standards will be subject to an ongoing development and review programme.
Appendix A - Data Protection Act 1998 - Data protection principles
Personal data shall be processed fairly and lawfully.
Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Appendix B – Summary of relevant legislation and guidance
General Data Protection Regulations (GDPR)
A legal basis must be identified and documented before personal data can be processed. ‘Controllers’ and ‘Processors’ will be required to document decisions and maintain records of processing activities.
Human Rights Act 1998
This Act binds public authorities including Health Authorities, Trusts and Primary Care Groups to respect and protect an individual’s human rights. This will include an individual’s right to privacy (under Article 8) and a service user’s right to expect confidentiality of their information at all times.
Article 8 of the Act provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. However, this article also states “there shall be no interference by a public authority with the exercise of this right except as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention or disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
Each organisation must act in a way consistent with these requirements. It must take an individual’s rights into account when sharing personal information about them.
Freedom of Information Act 2000
This Act gives individuals rights of access to information held by public authorities.
Regulation of Investigatory Powers Act 2000
This Act combines rules relating to access to protected electronic information as well as revising the “Interception of Communications Act 1985”. The aim of the Act was to modernise the legal regulation of interception of communications, in the light of the Human Rights laws and rapidly changing technology.
Crime and Disorder Act 1998
This Act introduces measures to reduce crime and disorder, including the introduction of local crime partnerships around local authority boundaries to formulate and implement strategies for reducing crime and disorder in that local area.
The Act allows disclosure of person-identifiable information to the Police, Local Authorities, Probation Service or the Health Service but only if the purposes are defined within the Crime and Disorder Act. The Act does not impose a legal requirement to disclose person-identifiable information and responsibility for disclosure rests with the organisation holding the information.
The Computer Misuse Act 1990
This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. NEWBY LEISURE LIMITED issues each employee with an individual user id and password which will only be known to the individual and must not be divulged to other staff. This is to protect the employee from the likelihood of their inadvertently contravening this Act.
NEWBY LEISURE LIMITED will adhere to the requirements of the Computer Misuse Act 1990, by ensuring that its staff are aware of their responsibilities regarding the misuse of computers for fraudulent activities or other personal gain. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and be dealt with accordingly.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
This Act allows employers to intercept and record communications in certain prescribed circumstances for legitimate monitoring, without obtaining the consent of the parties to the communication.
Information Security Management: NEWBY LEISURE LIMITED Code of Practice
The guidelines provide a framework for consistent and effective information security management that is both risk and standards-based and is fully integrated with other key NEWBY LEISURE LIMITED Information Governance areas. Without effective security, NEWBY LEISURE LIMITED information assets may become unreliable and untrustworthy, may not be accessible where or when needed, or may be compromised by unauthorised third parties.
Confidentiality: NEWBY LEISURE LIMITED Code of Practice
Gives NEWBY LEISURE LIMITED bodies guidance concerning the required practice for those who work within or under contract to NEWBY LEISURE LIMITED organisations concerning confidentiality and consent to the use of their personal data.
The Caldicott Guardian Manual 2017
Provides guidelines relating to sharing of person-identifiable information and advocates the appointment of senior organisational members to the role, to ensure adherence to the principles.
Records Management: NEWBY LEISURE LIMITED Code of Practice
The code acts as a guide to the required standards of practice in the management of records for those who work within or under contract to NEWBY LEISURE LIMITED organisations in England. It is based on current legal requirements and professional best practice.
Information Commissioner’s Guidance - Use and Disclosure of Health Data
This guidance is concerned with the application of the Act with regards to the processing of information contained within ‘health records’.
Appendix C - Subject access request process
There will be no charge for an Access Request. The process to be followed for requests is detailed in Appendix C