Data Protection Policy
This policy sets out Botley Bridges' commitment to the lawful and fair handling of personal data in accordance with the Data Protection Act 1998.
The Data Protection Act 1998 (“the Act”) regulates the holding and processing of personal data – that is information relating to living individuals, which is held in such a way that it allows identification of an individual. The Act also gives rights to individuals whose personal information is held by organisations.
Botley Bridges needs to collect and use personal information in order to carry out its functions effectively and to report usage of services to funders. Information can be held concerning its current, past and prospective employees, suppliers and other service users. Botley Bridges, and in some circumstances its individual employees, could face prosecution for failure to handle personal data in accordance with the Act.
Since April 2010, the Information Commissioner (the Commissioner) has had a new power to fine up to £500,000 for serious data protection breaches (section 55A, DPA). There have been several high profile cases
Data which Botley Bridges collects, records or uses in any way whether it is held on paper, computer or other media will be subject to appropriate safeguards to ensure that Botley Bridges complies with the Act.
Botley Bridges fully endorses and adheres to the eight Data Protection Principles which are set out in the Act and summarised below:
Personal data shall:
- be fairly and lawfully processed
- be processed for specified and lawful purposes and not in any other way which would be incompatible with those purposes
- be adequate, relevant and not excessive
- be accurate and kept up to date
- not be kept for longer than is necessary
- be processed in line with the data subject’s rights
- be kept secure
- not be transferred to a country which does not have adequate data protection laws.
In order to meet the requirements of the data protection principles and its obligations under the Act, Botley Bridges will ensure the following:
- Any forms used to collect data will contain a ‘privacy notice’ to inform the data subject of the reasons for collecting the personal information and the intended uses;
- Any personal information that has been collected will be used only for the purposes for which it was collected; names will not be shared with any other party unless there are child protection concerns. Aggregate data will be shared, such as how many users from a particular postcode area use the service;
- Data subjects (individuals to whom the personal information relates) are able to exercise their rights under the Act, including the right to be informed that their personal information is being processed, the right of access to their personal information, and the right to correct, rectify, block or erase information that is regarded as wrong;
- Personal data will only be disclosed to third parties when it is fair and lawful to do so in accordance with the Act;
- Procedures are in place to check the accuracy of personal data collected, retained and disclosed;
- The time that personal information is retained or stored is reviewed to ensure that it is erased at the appropriate time;
- Compliance with the Code of Good Practice set out in ISO 17799, which sets out the requirements for an Information Security Management System;
- Any incidents involving breaches of this policy or the Act are recorded, analysed and disciplinary action taken as appropriate;
- This policy is reviewed regularly and updated when necessary (at least every 3 years).
The Information Commissioner’s Office (ICO) is the independent authority set up to monitor compliance with the Act. It also issues guidance and good practice notes. The ICO’s website address is www.ico.gov.uk. The ICO can consider complaints about an organisation’s failure to comply with the Act following the initial reply from that organisation.