There are 8 rules of Data Protection:
Rule Number One: Obtain and process information fairly
Each data controller needs to ask themselves the following questions:
- What type of personal information do you hold?
- How did you collect that information - was it directly from the individual or through a third party?
- Are people made aware of how their information will be used and was their consent obtained including consent for any secondary purposes such as marketing?
- Do you have a good electronic and manual records management system?
- Is there someone in your organisation responsible for data protection compliance?
Rule Number Two: Keep Information only for one or more specified, explicit and lawful purposes.
Your section may collect several categories of personal information, depending on functions. What is the primary purpose for collecting each category?
Rule Number Three: Use and disclose information only in ways compatible with these purposes.
- To whom do you disclose personal information; is disclosure consistent with the purpose for which the data was obtained?
- Do you consult with someone in the organisation before disclosing personal data?
- Do you use the personal information you hold in ways consistent with the purpose for which you obtained it?
- Do you know the circumstances in which personal information can be disclosed without the consent of the individual concerned?
Rule Number Four: Keep information you have about people safe and secure
- The keyword in relation to security measures is 'appropriate'. Have you examined what personal information you hold and what level of security should be applied to it?
- Is access to information restricted to authorised staff on a need-to-know basis?
- Are your servers protected from unauthorised access?
- Are appropriate security measures applied to desktop PCs?
- Do you have back-up procedures in place?
- What measures do you have in place for securely disposing of waste paper, printouts, etc.?
- Are your premises secure when unoccupied?
- How often do you review your security measures, and do you have a written policy in place?
Rule Number Five: Keep information accurate, complete and up to date.
- Are your clerical and computer procedures adequate to ensure high levels of data accuracy?
- Do you have appropriate procedures in place to ensure that information is kept up to date?
- Do you need to carry out periodic reviews and audits of information held, to assist in complying with your obligations?
- When staff become aware of inaccuracies, what should they do?
Rule Number Six: Ensure that the information is adequate, relevant and not excessive.
- Is all the information you keep relevant and necessary for your purposes?
- Do you have specific criteria to judge what is adequate, relevant and not excessive? Ask yourself 'do I really need to keep all of this personal information?'
Rule Number Seven: Retain information for no longer than is necessary for the purpose or purposes.
- Do you have a defined policy on how long you retain information?
- Do you have procedures in place to implement such a policy?
- Are you aware of any legal requirements to retain certain categories of data?
- Are there different periods of retention for different data?
- Do you purge your manual and electronic filing system on a regular basis?
Rule Number Eight: Give a person a copy of his/her personal data, if they request it
- Do you have procedures in place for dealing with an access request and is there someone responsible for this?
- What are the legal requirements on your organisation in complying with access requests?
- In what circumstances can you refuse to release information on an access request?
- Would you be happy with what a person might see if they accessed their own file?
- Will this affect the way you process information?
A Review of the As-Is
Review all interactions with citizens and staff where personal information is captured.
Examples:
- Library memberships
- Sick Certs
- Names and addresses
- Car Regs and PPSNs
- CCTV
- Financial Information
- Health Information (e.g. in housing)
- FI Requests in planning
- And so on
Details to be captured are:
Form/Information Request Name
What is the name of this form or information request?
Form/Information Request Description
What is the purpose of this request for information?
Form Review
As Data Controller, are you satisfied that you have reviewed the form and that the personal information sought on the form is appropriate to its use? Pay particular attention to items such as PPSNs, nationality, car regs, birth cert information, financial information, health information, etc.
How is this information collected? Are the people aware of the reason for collecting this data? (Example: if you collect the PPSN from a citizen, do you make them aware of why you are collecting it?)
Storage and Access
If there are physical forms (as opposed to information captured directly into a computer system), where is the information stored? How is it accessed? Is it locked? Who has the key? Is it easy for an unauthorised person to gain access to personal information?
Where are the records stored on computerised systems? Who has access to this data? If someone leaves your section, do you inform IT to remove their right of access? Have you reviewed who currently has access to what on the systems? (IT to assist upon request.)
Disclosure
What internal and external disclosure of personal information is facilitated?
Accuracy and Retention
How long does this data need to be kept? How do you keep it accurate and up to date?
Publishing
Is any of this personal information published, how, and for what purpose? Does it appear on the web?
Current known issues
List the issues (perceived or real) that you see with the personal information captured on this form/information request.
Resolution Details
For each issue listed, how is this resolved?
Next Steps
- Write a Data Protection Policy
- Implement a training programme for the organisation