B5: Data Protection Policy

The Data Protection Act 1998 (DPA)

1.     Terminology used in the DPA

  • Data Controller
    A data controller is: a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed; and is responsible for ensuring that the provisions of the Data Protection Act are complied with.
    The term ‘person’ includes legal entities, so in the eyes of the law, Outreach Rescue Medic Skills (‘ORMS’) is the data controller for ORMS, FBoS and MedicSkills, but everyone who is employed by ORMS and its agencies and who processes personal data has a duty to discharge the data controller’s responsibilities. Accountability for information assets rests with ORMS.
  • The ORMS Data Controller is the Head of the Admin Team, Haf Thomas.
  • Data processor
    In some cases external contractors process data on our behalf. These are known as data processors under the Act. But ORMS, as the data controller, nevertheless remains responsible for the data processors.
  • Data subject
    The data subject is the individual who the personal data is about, ie the subject of the data.

2.     The Data Protection principles

  • The Data Protection principles form a central part of the Act and are the ‘golden rules’ for processing personal data. They must be observed and all staff who process data must be aware of these principles.
  • The eight principles, together with the conditions for fair and lawful processing mentioned in the first principle, are set out in full on the Information Commissioner’s Office web site. In summary, however, they require that the data must be:
    • fairly and lawfully processed and, in particular, shall not be processed unless certain conditions are met (more stringent conditions apply if the data being processed are classified as “sensitive”)
    • obtained only for one or more specified and lawful purposes
    • adequate, relevant and not excessive to the purpose for which the data are required
    • accurate and, where necessary, kept up-to-date
    • kept no longer than necessary
    • processed in accordance with the rights of the data subject (which are specified in the Act)
    • kept secure against unlawful or unauthorised processing, or accidental loss or erasure
    • not transferred to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection.

3.     Important points when processing personal data

When personal data are being obtained, every effort must be made to ensure that the following information is made available to the data subject:

  • the identity of the data controller (see definition of data controller above)
  • the purpose(s) for which the data are to be processed
  • the likely consequences of the processing
  • to whom the data are likely to be disclosed
  • any other information which may be appropriate in the circumstances

Where personal data are obtained from someone other than the data subject, the information above (3.1 – 3.5) must be made available to the data subject at the earliest opportunity.

  • Persons whose data you are processing must not be misled or deceived as to the purposes for which you are processing their data, or as to whom you may disclose the data.
  • Data subjects have a statutory right of access to their data, so whatever you commit to paper or to the computer – including your personal opinions – may have to be retrieved and disclosed to them if a formal enquiry is made.
  • Paper and electronic documents must be properly filed, on either registered paper or electronic files. Such files will be subject to disposal agreements which will help to meet the requirement of the Act that personal data must be kept for no longer than necessary.
  • ORMS rules on security must be observed.

4.     What if something goes wrong?

  • If you discover that data has been lost, or if you believe there has been a breach of the data protection principles in the way data is handled, you must immediately inform the Data Protection Officer who must follow the policy on reporting unclassified breaches.
  • The first priority must always be to close or contain the breach and then to mitigate the risks to those individuals that may be affected by it. You should inform the Data Protection Officer as soon as possible.

5.     How should Data Protection affect the way I organise my work?

  • It is even more important that documents, including emails, which contain personal data are:
    • kept in an orderly fashion;
    • filed on registered electronic or paper files as soon as practicable if they are to be retained;
    • erased or destroyed when they are no longer required.

You should not keep random collections of odd papers or old emails. If they need to be retained, they should be properly filed, as mentioned above.

  • You should observe ORMS’ clear desk policy.
  • You should not store personal data on memory sticks or personal laptops, which are not securely encrypted.
  • You should satisfy yourself that, if required, you could retrieve personal data for which you are responsible to answer an enquiry from a data subject.

6.     Sending personal data by email

  • A common method of sharing information is by email. By necessity the TO, FROM, DATE and SUBJECT fields of an email are transmitted in plain text and may be accessed by any unintended recipient or third party who intercepts the communication. Without additional encryption methods in place the email body and any attachments will also be accessible to any unintended recipient or third party who intercepts the communication.
  • A common type of personal data disclosure occurs when an email is sent to an incorrect recipient. Data controllers should be aware that encryption will only provide protection to personal data sent by email if the incorrect recipient does not have the means to decrypt the data (eg does not have the decryption key).
  • Personal data can also be at risk if an individual gains unauthorised access to the email server or online account storing emails which have been read or are waiting to be read. The choice of password securing the server or email account is similarly important when considering the security requirements of the email system.
  • Example: North Somerset Council was served with a civil monetary penalty of £60,000 after five emails, two of which contained details of a child’s serious case review, were sent to the wrong NHS employee. A council employee selected the wrong email address during the creation of a personal distribution list.
    The data itself was not encrypted, and thus was able to be viewed by the unintended recipient. Following the receipt of the data, the council employee was informed of the error by the recipient, yet the information was emailed to this individual on several further occasions.
    After an internal investigation the recipient confirmed the emails had been destroyed. The ICO also found that the Council had not delivered appropriate data protection training to relevant staff, and recommended that the Council adopt a more secure means of sending information electronically such as using encryption.

7.     Sound and Image information

  • When considering the processing of ‘data’ we usually think of either text information held on computer or information held on paper in traditional manual files.
  • The definition of ‘data’ is, however, not limited to these two forms of information. Information in any form (photographs, sound recordings or microfiche records) may come within the scope of the Act if it falls within any of the definitions of ‘data’ in paragraphs (a) to (e) of subsection 1(1) of the Act.
  • This section is concerned with the concept of ‘data’ in relation to information in non-paper form (captured on audio or video tape or photographic film) and electronically processed non-text information (in particular, sound and image information recorded in a digital format).

Non-text information (sound and image information)

  • Sound and image information may be captured by a variety of means, the most common of which are recordings on photographic film or magnetic tape or the digital capture of sounds or images.

Sounds and images held in an automatically processed form

  • In the business environment, the most common purposes for which sound and image information is processed are for security, crime detection and fraud prevention, staff training, quality control checking, and legislative and regulatory compliance. In addition, evidence from financial and other business organisations indicates that it is now increasingly common for businesses to record telephone conversations to record business transactions or client instructions that may be time critical.
  • The recording of sounds and images involves the use of highly sophisticated equipment. Information may be recorded on magnetic tape or, increasingly, businesses are making use of digital recording techniques to capture both sound and image information. The process of capturing and viewing sound and moving image information clearly involves a considerable degree of automation. Sound and moving image information, when processed by appropriate equipment, is processed automatically for the purposes of the DPA. Such information may also be ‘personal data’ for the purposes of the DPA.

Freedom to photograph and film

  • Members of the public and the media do not need a permit to film or photograph in public places and police have no power to stop them filming or photographing incidents or police personnel. However, taking photographs of a student in a classroom or other learning situation is a different matter.
  • The student firstly has to give explicit permission for photographs to be taken where they could be identified.
  • The purpose of the photograph has to be made clear; is it for assessment evidence, marketing or for creating a bank of images for training purposes?
  • Where will the image be displayed? Flyers, websites, Facebook, public or private exhibitions of work?
  • For how long will they be held?

8.     Rights of the individual under the DPA

  • The most commonly used right is the right of an individual to request copies of any personal data being processed about them by the data controller. These requests are known as subject access requests.
  • In response to a valid request, the individual is entitled to be told:
    • whether personal data about them are being processed and, if so, for what purpose(s)
    • to whom the data may be disclosed
    • the source of the data
  • The individual, or data subject, is entitled to receive, in an intelligible form, all the information, including email messages where appropriate, which forms the personal data. This may be by way of a transcript, a photocopy or a print-out.
  • An explanation must be provided if the personal data are held in a form not immediately intelligible to the data subject.
  • Information which identifies a third party may be withheld unless the individual concerned consents to its disclosure.

9.     To release or not to release?

  • The Act specifies certain circumstances under which personal data can properly be withheld. These are set out in Exemptions from the right of subject access (part of this guidance).
  • However, it is ORMS’ policy to be as open as possible in response to a subject access enquiry. For example, personal data which are known to exist and are accessible, but which do not necessarily form part of a “relevant filing system” as described in the Act should, as a matter of course, be released unless they are caught by one of the exemptions.

10.     As an employee or sub-contractor of ORMS, what rights do I have under the Data Protection Act?

  • Subject to certain exemptions, you are entitled to see personal data held by ORMS about you, such as your personnel records. No fee is charged for applications made under the Act by ORMS employees, former employees or contractors for access to personal data about themselves as employees or contractors.
  • If you want to make an appointment to see your Personnel files or to make an application for access to your personal data in other records please contact the Head of the Admin Team.

11.     Exemptions from the right of subject access

  • Personal data held for the following purposes will generally be exempt from the right of subject access and should not therefore be disclosed in response to an enquiry from a data subject.
    • National security
    • Crime and taxation, including
      • the prevention or detection of crime;
      • the apprehension or prosecution of offenders;
      • the assessment or collection of any tax or duty
    • Health, education and social work (this exemption is subject to orders being made by the Home Secretary to bring such exemptions into effect)
    • Regulatory activity concerning the protection of members of the public, charities or fair competition in business
    • ‘Special purposes’, namely:
      • the purposes of journalism;
      • artistic purposes;
      • literary purposes
    • Research, history and statistics
    • Information made available to the public under any enactment
    • Confidential references given by the data controller
    • Judicial appointments and honours
    • Crown employment and Crown or Ministerial appointments

If, in response to a subject access enquiry, you are asked to disclose personal data which you think may be covered by one of these exemptions, you should seek advice from ORMS’ Data Protection Officer.

12.     What do I do if I receive a request for personal data (a ‘subject access enquiry’)?

If you receive a request from a member of the public, or a colleague, asking to see their personal data, refer it without delay to ORMS’ Data Protection Officer.

13.     How is a subject access enquiry handled?

  • The Data Protection Officer (DPO) will ensure that it is a valid enquiry. Subject access enquiries are not valid unless they:
    • are made in writing by the data subject or his/her legal representative
    • contain sufficient information to enable the required information to be located
    • are accompanied by the appropriate fee (currently £10.00)
  • Once the DPO is satisfied that the request is valid, staff likely to be holding the personal data will be asked to interrogate their systems and to produce the necessary information. The DPO will check that the requirements of the Act have been met and then pass the information to the data subject.
  • ORMS must answer a valid request within 40 calendar days of its receipt.
  • In certain circumstances, the data subject has the right to prevent further processing or to order the rectification, blocking or erasure of inaccurate data and to claim compensation for damage or distress caused by a breach of the Act.

14.     What information must ORMS produce?

  • In response to a valid enquiry, the data subject is entitled to be told:
    • whether personal data about the individual are being processed and, if so, for what purpose(s)
    • to whom the data may be disclosed
    • the source of the data

Where personal data are being processed automatically for the purpose of evaluating matters relating to the data subject, and the processing is likely to constitute the sole basis for a decision affecting the data subject, he/she is entitled to be given an explanation of the logic involved in the decision process.

  • The data subject is also entitled to receive, in an intelligible form, all the information, including email messages where appropriate*, which forms the personal data. This may be by way of a transcript, a photocopy or a print-out. An explanation must be provided if the personal data are held in a form which means they are not immediately intelligible to the data subject. Information which identifies a third party may be withheld unless the individual concerned consents to its disclosure.
    (*Note: Advice about subject access to personal data contained in emails can be found on the Information Commissioner’s Office web site.)

15.     How does Data Protection differ from Freedom of Information?

  • The Data Protection Act 1998 relates only to personal data, ie data from which living individuals can be identified. The scope of the Freedom of Information Act 2000 is much wider and gives a general right of access to information – other than personal data – held by public authorities.
  • The Freedom of Information Act 2000 provides public access to information held by public authorities. It does this in two ways:
    • public authorities are obliged to publish certain information about their activities; and
    • members of the public are entitled to request information from public authorities.
  • The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
  • Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
  • Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.
  • The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a subject access request under the Data Protection Act 1998.
  • ORMS is not a public authority, but a commercial organisation, and is not obliged to respond to FOI requests as the information may be commercially sensitive.

16.     ORMS Clear Desk Policy

  • ORMS’ clear-desk policy covers business offices, classrooms and meeting rooms, and home offices. Clean whiteboards and flipcharts after a meeting, ensuring that confidential notes are cleaned away.
  • Confidential documents should never be left unattended, and flip charts and whiteboards are no different.
  • At the end of the working day or when leaving the office, we expect employees to ensure that:
    • All documents, including in-trays, are returned to the appropriate filing systems or storage furniture.
    • Newly created documents are correctly filed.
    • All sensitive documents are removed from printers and faxes for filing or disposal.
    • Expired, scrapped and unwanted copies of documents are disposed of in the correct manner.
    • All removable computer media, including floppy disks, CDs, DVDs, digital storage media and drives, are filed away.
    • Filing systems or furniture, desks, pedestals and cupboards are locked and keys stored in the correct locations.
    • Computer systems are logged off and, where appropriate, closed down.
    • Laptops left in the office are removed from the desk and locked away.
    • Offices are locked and keys stored in the correct locations.

17.     Sources and References

The following sources were used to compile these statements:

http://www.dft.gov.uk/vca/data-protection-act-guidance-on-compliance.asp

http://content.met.police.uk/Site/photographyadvice

https://ico.org.uk/