Statement of Policy
The Data Protection Act 1998 requires every data controller who is processing personal data to notify unless they are exempt. Failure to notify is a criminal offence. The Glenmavis Group is current exempt as we only process personally identifiable data for the following purposes:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
If the Glevmavis Group needs to collect personally identifiable data for any purpose not stated above we will notify the Information Commissioner before collecting that data.
To whom does the policy apply?
- Job applicants and potential applicants
- Employees
- Contract workers
- Agency workers
- Trainee workers and students on work experience or placements
- Volunteer workers
- Former employees
- Sub contractors
Eight Data Protection Principles
Whenever collecting information about people, the Glenmavis Group agrees to apply the Eight Data Protection Principles:
- Personal data should be processed fairly and lawfully
- Personal data should be obtained only for the purpose specified
- Data should be adequate, relevant and not excessive for the purposes required
- Data should be accurate and kept up-to-date
- Data should not be kept for longer than is necessary for purpose
- Data processed in accordance with the rights of data subjects under this act
- Security: appropriate technical and organizational measures should be taken unauthorized or unlawful processing of personal data and against accidental loss or destruction or damage to personal data
- Personal data shall not be transferred outside the EEA unless that country or territory ensures an adequate level of data protection.
Notes for Staff
As a data controller (the Glenmavis Group), staff must provide their identify, people should be told exactly what the information is being collected for and any other information necessary. We must get their consent.
We should think in advance about what we wish to do with personal data – ie – if we get names and addresses for a specific campaign we should only use that info for that campaign – we should from now on add other purposes to forms – e.g. I wish to be kept up-to-date with Glenmavis Group activities.
Individuals have a right to see what data is being kept on them, and for what purpose in 40 days
Same principals need to apply regardless of where data is held, e.g. in office, at home etc.
If we buy in a mailing list we cannot use it for any other purpose than the original Data Controller specified – we must check original use.
Working from home
The Glenmavis Group will keep a note of which staff take work home with them.
- Certain types of data are not permitted to be taken home
- If working on something at home and at work, try to keep both sets of information up to date
- Home computers should have records removed once project/work records no longer needed at home
- Staff agree to try to keep work taken home relatively secure, to return all work related material upon the completion/termination of their contract; and organization should be informed if information have got into wrong hands
Security Statement
The Glenmavis Group has taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
This includes:
- Adopting an information security policy (this document is our policy)
- Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
- Putting in place controls on access to information (password protection on files and server access)
- Establishing a business continuity/disaster recovery plan (regular back-ups of data which is stored away from the office at a safe location)
- Training all staff on security systems and procedures
- Detecting and investigating breaches of security should they occur
