i-Comply-GDPR - Data Protection
Version: December 2017
Point Progress is fully committed to compliance with the requirements of the Data Protection Act 1998 (“the Act”), which came into force on the 1st March 2000.
We therefore follow procedures that aim to ensure that all employees, contractors,consultants and partners who have access to any personal data held by or on behalf of the company, are fully aware of and abide by their duties and responsibilities under the Act.
Statement of policy
In order to operate efficiently, i-Comply-GDPR may need to collect and use information about people with whom it works. These may include members of the public, current, past and prospective employees, clients and customers, and suppliers.
In addition, it may be required by law to collect and use information in order to comply with the requirements of central government. This personal information is handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there are safeguards within the Act to ensure this.
We regard the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between the company and those with whom it carries out business. We will ensure that we treat personal information lawfully and correctly.
To this end the company fully endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 1998.
The principles of data protection
The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.
The Principles require that personal information:
- Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
- Shall be accurate and where necessary, kept up to date;
- Shall not be kept for longer than is necessary for that purpose or those purposes;
- Shall be processed in accordance with the rights of data subjects under the Act;
- Shall be kept secure i.e. protected by an appropriate degree of security;
- Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
Handling of personal/sensitive information
Point Progress will, through appropriate management and the use of strict criteria and controls:
- Observe fully conditions regarding the fair collection and use of personal information;
- Meet its legal obligations to specify the purpose for which information is used;
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Apply strict checks to determine the length of time information is held;
- Take appropriate technical and organisational security measures to safeguard personal information;
- Ensure that personal information is not transferred abroad without suitable safeguards;
- Ensure that the rights of people about whom the information is held can be fully exercised under the Act.
- The right to be informed that processing is being undertaken;
- The right of access to one’s personal information within the statutory 40 days;
- The right to prevent processing in certain circumstances;
- The right to correct, rectify, block or erase information regarded as wrong information.
In addition, we will ensure that:
- There is someone with specific responsibility for data protection in the organisation;
- Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
- Anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
All elected members are to be made fully aware of this policy and of their duties and responsibilities under the Act.
All managers and staff will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
- Paper files and other records or documents containing personal/sensitive data are kept in a secure environment;
- Personal data held on computers and computer systems is protected by the use of secure passwords, which where possible have forced changes periodically;
- Individual passwords should be such that they are not easily compromised.
Notification to the Information Commissioner
The Information Commissioner maintains a public register of data controllers. Point Progress is registered as such.
The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence.
To this end the designated officers will be responsible for notifying and updating the Information Officer of the processing of personal data, within their directorate.
The Information Officer will review the Data Protection Register with designated officers annually, prior to notification to the Information Commissioner.
Any changes to the register must be notified to the Information Commissioner, within 28 days.
To this end, any changes made between reviews will be brought to the attention of the Information Officer immediately.