Data protection/confidentiality policy

1. Introduction

The 1998 Data Protection Act came into force on 1 March 2000.  The purpose of the Act is to protect the rights of individuals about whom data (information) is obtained, stored, processed and disclosed.

What is data protection?

Data protection is essentially that area of the law that governs what may, and what may not, be done with personal information.  Such personal information may be in electronic (eg stored on computer hard drive) or manual form (in a manual filing system).

The law

The Data Protection Act is mandatory and Law Centre (NI) is therefore required under law to comply with the Act.  This means that we must:

	Notify the Information Commissioner’s (IC) Office
	Adhere to the eight data protection principles below
	Educate and train staff in the correct use of data

Consequences of breaching the Data Protection Act:

	Staff can be criminally liable if they knowingly or recklessly disclose personal data in breach of the Act.
	A serious breach of data protection is also a disciplinary offence and will be dealt with under the Law Centre’s disciplinary procedures.  If a member of staff accesses another employee’s personnel records without authority this constitutes a gross misconduct offence and could lead to summary dismissal.

2. Policy Statement

Law Centre (NI) is committed to fulfilling its legal obligations within the provisions of the Data Protection Act.

3. Notification

The Information Commissioner maintains a public register of data controllers who process data (information) and who are required to notify their details to the Commissioner.  Law Centre (NI) has notified the Information Commissioner of the types of processing we undertake since 1996 and have been placed on the register. 

4. The Eight Data Protection principles

There are eight principles of data (information) processing with which the data controller must ensure compliance.  In this instance the Law Centre is the ‘data controller’.

Personal data shall be:

Principle 1:   processed fairly and lawfully

Principle 2:   obtained only for the purpose stated

Principle 3:   adequate, relevant and not excessive

Principle 4:   accurate and, where necessary, kept up-to-date

Principle 5:   not be kept for longer than is necessary for that purpose

Principle 6:   processed in accordance with the rights of data subjects under the Act

Principle 7: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing          personal data and against accidental loss or destruction of, or damage to, personal data 

Principle 8:   not transferred to countries without adequate protection

5. Employment: Code of Practice

Law Centre (NI) will adhere to the Employment Codes of Practice issued by the Information Commissioner on:

	Recruitment and selection
	Employment records
	Monitoring at work

The Administration Manager (Belfast) has the responsibility for the implementation of these codes.

6. Compliance with data protection principles

Principle 1    Processed fairly and lawfully

This means that when Law Centre (NI) is collecting personal information from individuals:

	that they are made aware of the uses of this information.
	individual consent has been obtained for any secondary uses of their personal information
	individuals are made aware of disclosures of their personal information to third parties.

Information held by the organisation include details on the following:

	clients
	personnel
	applicants for recruitment and selection
	training participants
	mailing lists

Sensitive personal information

The Data Protection Act introduces categories of sensitive personal information as to an individual’s:

	Racial or ethnic origin
	Political opinion
	Religious beliefs or other beliefs of a similar nature
	Trade union membership
	Physical or mental health condition
	Sexual life
	Criminal or alleged offences
	Criminal proceedings, convictions or disposal of proceedings.

Law Centre (NI) processes sensitive data for the following purposes:

	Advice/legal proceedings
	Employment law obligations
	Vital interests of the data subject
	Legal rights
	Insurance and pensions

Principle 2: obtained only for the purpose stated

Personal information can only be obtained for one or more specified and lawful purposes and should not be processed in any manner incompatible with those purposes which are described in our Data Protection Register Entry, that is:

	Staff administration
	Administration of membership records
	Fundraising
	Realising the objectives of a charitable organization or voluntary body

Principle 3:  Adequate, relevant and not excessive

Law Centre will only hold personal information which is adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.  This means that the minimum of personal information should be held in order to fulfil its purpose.  It is not acceptable to hold information on the basis that it might be useful in the future without a view of how it will be used.  The Law Centre has a responsibility to continually monitor compliance with this principle and to audit what information is kept.

Principle 4:  accurate and, where necessary, kept up-to-date

This principle places a duty on the Law Centre to take reasonable steps to ensure the accuracy of the information processed on Law Centre information systems.

In collecting information the Law Centre needs to take all reasonable steps to make sure the information is correct and the source of the information is reliable and to check this, if necessary.

Similarly, third parties who supply personal information to the Law Centre should advise the Law Centre of any corrections or amendments that need to be made.

The significance of the inaccuracy is important, obviously minor inaccuracies which have no impact are of less importance but nevertheless the validity of the system and the training and skills of staff inputting data should be checked.

Any inaccuracies should be corrected as soon as possible in order to limit the damage and distress caused.

Any information should include the source and date and any alterations should be dated.

Principle 5:  Not kept longer than is necessary

Law Centre (NI) will ensure that personal information is not retained any longer than is necessary.  This will require the Law Centre to undertake regular assessment and deletion. 

We are legally obliged to keep client files and financial records for a period of six years

Principle 6:  Processed in accordance with the rights of data subjects under the Act

Individuals have a general right of access to their own personal information, which is processed by Law Centre (NI) in accordance with established Law Centre Access procedures.  They have the right:

	To have a copy of the information
	To stop processing where this is likely to cause distress
	To have information rectified, blocked or erased
	Claim compensation

Principle 7:  Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Law Centre (NI) has a duty to ensure that appropriate security measures are in place when handling personal information.  This applies to both information technology and manual files. 
 

7. Glossary 

Data:  means information in a form in which it can be processed (automatically)

Personal data:  means data relating to a living individual who can be identified either from the data, or from the data in conjunction with other information in the possession of the data controller

Data controller:  is a person who, either alone or with others, controls the contents and use of personal data

Data processor:  is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment

Data subject:  the individual person who is the subject of any relevant persona data (information)

A personal data - filing system:  any structured set of personal data accessible according to specific criteria whether centralised, decentralised or dispersed on a functional or geographical basis

Third party:  someone other than the data subject, controller, processor and persons with authority of the controller or processor to process the data

Recipient:  is the person to whom data is disclosed.  This would include employees.  The data subject has to be informed of the recipients of the data.

Data subject’s consent:  means any freely given specific and informed indication of his/her wishes by which the data subject signifies his agreement to personal data to him/her being processed.  Consent may need further clarification e.g. Should it be in some permanent form? Can it be electronic? Will oral consent do?