The aim of the Data Protection Guide is to ensure that all personal information handled by Great Benefit Ltd, whether in electronic or paper format, is managed in accordance with the Data Protection Act 1998. Anyone processing personal data must comply with the basic principles for handling information defined in the Data Protection Act. Data must be:
• Fairly and lawfully processed
• Processed for limited purposes and not in any other way which would be incompatible with those purposes
• Adequate, relevant and not excessive
• Accurate and kept up-to-date
• Not kept for longer than is necessary
• Processed in line with the data subject’s rights
• Kept secure
• Not transferred to a country which does not have adequate data protection laws.
The management and rights of data protection are outlined below.
• A public register is held of all data controllers, as defined by the Data Protection Act.
• All organisations that handle data which might be subject to the Data Protection Act are required to register with the Information Commissioner's Office (https://ico.org.uk).
• The legal Data Controller is the company – Great Benefit Ltd – and the company representative responsible for updating the register and for monitoring and maintaining the data protection policy and procedures is the Managing Director.
• ‘Processing’ takes place when an activity or chain of activities involves personal data.
• The subject of the data processing (individual or organisation) must be informed that information is or is to be processed.
• Processing may only be carried out when one of the following conditions has been met:
  • The individual has given his or her consent to the processing
  • The processing is necessary for the performance of a contract with an individual
  • The processing is required under a legal obligation
  • The processing is necessary to protect the vital interests of the individual
  • The processing is necessary to carry out public functions
  • The processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).
Notification commenced in October 2001 and is renewed every year.
‘Processing’ takes place when an activity or chain of activities involves personal data.
The Data Protection Act makes specific provisions for sensitive personal data. Sensitive data includes: racial or ethnic origins, political opinions, religious or other beliefs, trade union membership, health, sex life, criminal proceedings, convictions.
Sensitive data can only be processed under the following circumstances:
• Having the explicit consent of the individual
• Being required by law to process the data for employment purposes
• Needing to process the information in order to protect the vital interests of the data subject or another
• Dealing with the administration of justice or legal proceedings.
Any electronic data, whether processed as an e-mail or stored within the system, is subject to the Data Protection Act if it:
• Identifies living individuals
• Is held in automated form in live, archive or back-up systems, or has been ‘deleted’ from the system, but is still capable of recovery
• Is stored as printouts in a ‘relevant filing system’.
The Data Protection Act covers information which is recorded as part of that ‘relevant filing system’. A relevant filing system is one in which the records are structured, either by reference to an individual or to criteria relating to an individual, so that specific information relating to a particular individual is readily accessible.
Under the Telecommunications Regulations 1999 (Data Protection and Privacy) special rules apply to telecommunications, faxes, telephones and automated calling systems for unsolicited marketing.
• Unsolicited marketing faxes must not be sent to individual subscribers without their prior consent
• Individual subscribers have the statutory right to opt out of unsolicited telephone marketing either by telling the caller or by registering on a central stop line
• Corporate subscribers cannot opt out of telephone sales but have a right to opt out of unsolicited marketing faxes
• Automated calling systems must have prior consent of both corporate and individual subscribers.
Data controllers are required to take appropriate technical or organisational measures to prevent the unauthorised processing or disclosure of data.
• Individuals have a ‘right of access’ under the Data Protection Act to find out what information is held about themselves on computer and on some paper records.
• Individuals can apply to the Court to require a data controller to rectify, block, erase or destroy personal records if they are inaccurate or contain expressions of opinion which are based on inaccurate data.
• In most circumstances, a data subject can stop or prevent the processing of data which may cause substantial unwarranted damage or distress, either to themselves or another party.
• A data subject has an absolute right to ask a data controller to stop or not begin processing data relating to themselves for direct marketing purposes.
• A data subject can claim compensation from a data controller for damage or distress caused by a breach of the Data Protection Act.