Data Protection Act Policy
Personal data is any kind of information which makes it possible to identify a particular living individual. Uses of personal data (processing) are regulated by a number of different data protection, privacy or constitutional laws throughout the world. All personal data is governed under the Data Protection Act 1998.
From 28 May 2018, the current DPA 1998 will be superseded by the General Data Protection Regulation (GDPR). BCRM has already started to implement this, but until 28 May 2018, this policy shall stay in force.
The following role has been created in BCRM for managing the Data Protection Act, its implementation and operation:
- Data Protection Officer;
BCRM endorses best practice in the processing of personal data.
- personal data shall be collected with fairness and transparency by making the individual aware of all the intended uses of their data;
- personal data shall only be collected for a designated purpose or purposes. The amount and type of data shall be no more than is required to fulfil that purpose;
- no person shall be wilfully misled or deceived as to the intended use of their data by BCRM;
- no unfair pressure shall be imposed on any individual to supply personal data;
- all personal data shall be kept up to date and accurate;
- personal data shall be kept only for as long as it is needed to complete its purpose, unless there is any overriding statutory obligation to retain it for longer periods;
- personal data shall be treated with appropriate levels of confidentiality and with respect for individual rights;
- all manual (paper-based) and electronic data shall be properly protected at all times to prevent loss, damage, unauthorised access or disclosure by any person;
- information about personal data shall only be provided to the person to whom it relates and shall not be released without adequate prior verification of the identity of the requester. Third party representatives must be able to demonstrate, in writing, adequate authority to act;
- all requests connected with access to personal data shall be dealt with promptly. A detailed, dated note of any information provided to the requester shall be placed on the permanent record;
- the source of personal data shall be acknowledged on the record. Any request for amendments to the factual data record shall be dealt with with promptly. Opinions shall be avoided unless wholly substantiated and clearly distinguishable from fact;
- only data from live systems shall be provided, unless the request specifies otherwise, or it is clear that the data will be held in an archive because of the time period involved. This shall be communicated to the requester for the avoidance of doubt.
All employees shall be responsible for applying the data protection principles at all times to each and every instance of personal data processing. Any deliberate breach of policy or unauthorised disclosure of personal data shall form the basis for disciplinary action.
BCRM shall ensure that all new employees are aware of this policy as part of their induction and shall regularly review and monitor this policy to ensure its implementation and effectiveness.
This policy is issued, reviewed at least annually and maintained by the Data Protection Officer, who also provides advice and guidance on its implementation and ensures compliance
All BCRM employees shall comply with this policy.
David Lilburn Watson
Dated: 1 January 2017