General Optical Council. Data Protection Policy


General Optical Council
Data Protection Policy

Authors: Lisa Sparkes
Version: 1.2
Status: Live
Date: September 2013
Review Date: September 2014
Location: Internet / Intranet

Document History

Version | Date | Description of Change | Author | Authorisation
1.0 | 8 December 2011 | Draft | L Sparkes |
1.1 | 24 September 2013 | Content changes as discussed at SMT | L Sparkes |
1.2 | 15 October 2013 | Content changes as discussed at Audit & Risk Committee | L Sparkes |

Contents

1 Policy Statement
2 Purpose and Scope
3 Policy
3.1 Satisfaction of Principles
3.2 Subject Access
3.3 Employee Responsibilities
3.4 Data Security
3.5 Rights to Access Information
3.6 Publication of GDC information
3.7 Subject Consent
3.8 Retention of Data
3.9 Accountability

1 Policy Statement

The General Optical Council (GOC) is required to maintain certain personal data about living individuals for the purposes of satisfying operational and legal obligations. The GOC recognises the importance of the correct and lawful treatment of personal data; it maintains confidence in the organisation and provides for successful operations.

The Data Protection Act 1998 (DPA) aims to strike a balance between the rights of individuals to privacy and the ability of organisations to use personal information for the purposes of their business.

The types of personal data that the GOC holds will include information about current, past and prospective staff; those working on behalf of the GOC, i.e. Council, Committees and panel members; registrants; suppliers; and others with whom it communicates. This personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the Data Protection Act 1998.

The GOC fully endorses and adheres to the eight principles of the DPA. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation, and storage of personal data. Staff and those working on behalf of the GOC who obtain, handle, process, transport and store personal data for the GOC must adhere to these principles.

2 Purpose and Scope

The purpose of this policy is to outline the key measures that need to be taken in order to adhere to the eight principles of the DPA. This policy applies to all employees of the GOC and any others who obtain, handle, process, transport and store personal data for the GOC.

3 Policy

3.1 Data Protection Principles

In processing information the GOC complies with the requirements of the Data Protection Act 1998, the Human Rights Act 1998, and common law on duty of confidentiality. The GOC complies fully with the Data Protection Act 1998 and its eight principles when processing personal data.

The principles say that personal data must be:

- processed fairly and lawfully and in line with specific conditions set out in the DP Act;
- processed for a specific purpose or purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in accordance with the data subject's rights;
- secure;
- not transferred to a country outside the European Economic Area that does not have adequate data protection rules.

Fair and Lawful

The GOC ensures that we tell people what we do with the information that we hold about them. The data subject should be told:

- who the data controller is (i.e. the GOC);
- the purpose or purposes for which the data is to be processed;
- any other information to make the processing fair. For example, this could be information about third parties to whom the data may be disclosed.

Personal data processing may only take place if specific conditions set out in the DPA are met. For processing sensitive personal data there are additional, more stringent conditions to fulfil. Conditions particularly relevant to our business might be:

- when we have the data subject's consent;
- when processing information is necessary for us to carry out our legal obligations; and
- when it is necessary for the exercise of a public function in the public interest.

Specified purpose

The GOC will only use the personal data we have collected for the purposes we have stated both in our notification to the Information Commissioner and those that we have told the data subject when we collected the information. If we have gathered information for one specific purpose we cannot go ahead and use the same information for another purpose. If any new processing is proposed, the Registrar should be consulted to check whether this is compatible with the original purpose.

Adequate, accurate and kept no longer than necessary

The GOC ensures that we collect sufficient personal data or sensitive personal data to enable us to carry out our work, and no more. We use our best endeavours to ensure that the records we keep about optometrists, patients and complainants are accurate and up to date.

Data subject rights

A data subject has certain rights conferred under the DPA, including the rights to:

- request access to his or her personal data;
- prevent processing likely to cause damage or distress.

Security

The GOC takes appropriate technical, physical and organisational measures to ensure that our information is held securely and safeguarded from destruction, loss, unauthorised access and disclosure.

Transfer of personal data

We will not transfer data outside of the EEA except as part of a publicly held register, when we are confident that it is in the substantial public interest to do so, or if another Data Protection Act exemption applies.

3.2 Satisfaction of Principles

In order to meet the requirements of the principles, the GOC:

- observes fully the conditions regarding the fair collection and use of personal data;
- meets its obligations to specify the purposes for which personal data is used;
- collects and processes appropriate personal data only to the extent that it is needed to fulfil operational or any legal requirements;
- ensures the quality of personal data used;
- applies strict checks to determine the length of time personal data is held;
- ensures that the rights of individuals about whom the personal data is held can be fully exercised under the Act;
- takes appropriate technical and organisational security measures to safeguard personal data; and
- ensures that personal data is not transferred abroad without suitable safeguards.

3.3 Subject Access

All individuals who are the subject of personal data held by the GOC are entitled to:

- ask what information the GOC holds about them and why;
- ask how to gain access to it;
- be informed how to keep it up to date;
- be informed what the GOC is doing to comply with its obligations under the DPA.

3.4 Responsibilities

All staff and those working on behalf of the GOC are responsible for:

- checking that any personal data that they provide to the GOC is accurate and up to date;
- informing the GOC of any changes to information which they have provided, e.g. changes of address;
- checking that any information that the GOC may send out from time to time is accurate;
- sending personal data in a secure way, with envelopes marked "Private and Confidential" with a return address. Recorded delivery should generally be used where personal data is being sent to a third party. If the data is of a sensitive nature then registered post shall be used.

If, as part of their responsibilities, staff and those working on behalf of the GOC collect information about other people (e.g. about personal circumstances which would contain sensitive personal data), they must comply with the DPA.

3.5 Data Security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff and those working on behalf of the GOC are responsible for ensuring that:

- any personal data which they hold is kept securely;
- personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.

Please refer to the GOC Information Security Policy.

3.6 Sensitive Personal Data

Sensitive personal data means personal data consisting of information as to:

a) the racial or ethnic origin of the data subject,
b) his/her political opinions,
c) his/her religious beliefs or other beliefs of a similar nature,
d) whether he/she is a member of a trade union,
e) his/her physical or mental health or condition,
f) his/her sexual life,
g) the commission or alleged commission by him/her of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

3.7 Rights to Access Information

Staff, those working on behalf of the GOC and other subjects of personal data held by the GOC have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in certain manual filing systems. This right is subject to certain exemptions which are set out in the Data Protection Act. Any person who wishes to exercise this right should make the request in writing to the GOC's Information Governance Project Manager.

The GOC reserves the right to charge the maximum fee payable (currently £10.00) for each subject access request. If personal details are inaccurate, they can be amended upon request.

The GOC aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 calendar days of receipt of a request and appropriate payment unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

3.8 Publication of GOC information

Information that is already in the public domain is exempt from the 1998 Act. This would include, for example, information on staff and those working on behalf of the GOC contained within externally circulated publications.

Any individual who has good reason for wishing details in such publications to remain confidential should contact the GOC's Information Governance Project Manager.

3.9 Subject Consent

The need to process data for normal purposes has been communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained. Processing may be necessary to operate GOC policies, such as health and safety and equal opportunities.

3.10 Retention of Data

The GOC keeps some forms of information for longer than others. All staff and those working on behalf of the GOC are responsible for ensuring that information is not kept for longer than necessary. Please refer to the GOC Document Retention and Disposal Policy.

4. Accountability

4.1 Registrar

The Registrar has an overall duty to ensure that the GOC complies with legislation affecting the handling of personal data and with supporting regulations and codes.

4.2 All staff, Council, Committee and Panel Members

All staff and those working on behalf of the GOC are accountable for compliance with this policy and with related policies, standards and guidance. They have a responsibility to handle personal data in accordance with the principles of the DPA. Individuals can be liable in law under the terms of the DPA. Deliberate misuse of personal data or a serious breach of the DPA may result in disciplinary action being taken.

4.3 Associates and externals

Many people contribute to the work of the GOC, whether on a paid or contractual basis. The GOC are responsible for ensuring that associates and externals are aware of and comply with the principles of the DPA in the course of the work they undertake for the GOC. The responsibility of externals and associates to comply with the DPA will be made known to them when they begin working for the GOC.