Data Protection
Background
The Data Protection Act 1998, which came into force on 1 March 2000, governs the collection, retention, and transmission of information held about living individuals and the rights of those individuals to see this information. The Trust is aware of the potentially far-reaching effects of this legislation. Those who record and use personal information are required to follow eight data protection principles. In particular, personal data must:
• be processed fairly and lawfully.
• be held only for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes.
• be adequate, relevant and not excessive in relation to the purpose for which it is processed.
• be accurate and where necessary kept up to date.
• not be kept for longer than is necessary.
• be processed in accordance with the rights of the data subject under the Act.
• be protected using appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of the data.
• not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
The legislation is no longer limited to data held electronically: it now applies to all personal information, as long as the data is held in a system that allows the information to be readily accessed. Under the Act, processing of information includes any activity concerning the data, such as altering or deleting it, downloading, reviewing or transferring it. The Act extends the rights of individuals, as well as requiring the use of appropriate security measures for the protection of personal data. Special treatment is required for the processing of ‘sensitive personal data’ (e.g. religion, ethnicity, health).
Separate guidance covering definitions and specific procedures can be found under Data Protection Guidelines.
Responsibilities of Staff and Volunteers
All staff and volunteers who have responsibilities for the collection, access or processing of personal data must comply with the provisions of the Act in accordance with the principles outlined above.
All staff and volunteers are responsible for ensuring that any information that they provide to the Trust in connection with their employment or volunteering is accurate and up to date.
It is a condition of contributing to the Trust that all staff and volunteers abide by the Data Protection Policy; failure to do so may render individuals liable to legal or disciplinary proceedings.
Data Security
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:
• any personal data which they hold is kept securely; and
• personal information is not disclosed, either orally, in writing or otherwise, to any unauthorised third party.
Detailed advice on data security is contained in the Data Protection Guidelines.
Rights of Data Subjects
The Trust will provide all data subjects, on request to a Trustee, details of what information is held and processed about them and why; how to gain access to this information, how to keep it up to date and, finally, what measures are in place to ensure compliance with the 1998 Act.
CCTV
The Trust maintains two CCTV systems as part of the overall integrated security systems. The main system operates 24/7, day and night, with image recording only (NO audio). The alternative system operates during opening hours only and enables manned CCTV coverage of unmanned galleries. The Chair of the Trust is the responsible officer. Signage around the gallery indicates that CCTV is in operation, and the systems are operated in accordance with the eight data protection principles.
Information Requests
All data subjects have a right of access, with some exceptions, to personal information kept about them by the Trust, whether it is made available via the internet or held internally by the Trust. This right applies to both electronic and hard copy files. Data subject access requests must be made on the appropriate form, available on the web pages under Records Management, and addressed to a Trustee, who will then process the request through the Trust Board in conjunction with the Manager. The request must specify what personal data is required. The Trust has a duty to respond within forty days from the date on which the request is received. Specific procedures apply to the provision of data to third parties. The Trust may make a charge on each occasion that access is requested, subject to the amount of work which is required.
Data subjects have the right to request that a copy of their own personal data be provided normally within 40 days, but in the case of examinations the Act specifically notes that a request may be made before results are announced. In this case there is a limit of five months from the request or 40 days from the announcement of the result, whichever is the earlier.
Publication of Trust Information
Information that is already in the public domain is treated as exempt from the 1998 Act. This would include, for example, information on staff contained within externally circulated publications such as the Trust programme or on the website. Any individual who has good reason for wishing details in such publications to remain confidential should inform a Trustee, who will ensure that the Trust complies as quickly as possible.
The Data Protection Officer
Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Chair of the RAG Trust (Chair of Trustees - email: ryeartgallery@googlemail.com).
Security of Personal and other Sensitive Data
All staff and volunteers who deal in any way with personal data have a responsibility under the Data Protection Act to take all reasonable precautions to protect data against unauthorised loss, destruction or disclosure. Data should only be held in accordance with the Data Protection Principles as laid out in the Data Protection Policy.
Information concerning individuals involved in any way with the Trust must not be shared with any other persons unless the Trust is required to do so by law, the sharing is for the purpose of Trust or registered charity business, or the person concerned has given specific consent. Unauthorised disclosure would constitute an offence under the Act.
The Trustees define the description and purpose of all data held by the Trust. All staff and volunteers dealing with personal data should undergo adequate briefing in the use of personal data and be told the purpose and disclosure which have been registered for the data. They should be reminded that the use of the data for any other purpose would be an offence. The Trustees must be informed of any changes to the personal data that is handled, which may affect the Trust’s registration.
Care must be taken to ensure that personal data is kept securely and away from people not entitled to see it. For example, screens displaying personal data from the computer network should be positioned or masked so that they cannot be seen by the public, and the user should log off or clear the screen at the end of the session to prevent casual sight of the data. Care must also be taken when sending and receiving any electronic or physical data containing personal details. Terminals used for processing personal data will normally be located in the Trust office, where unauthorised persons do not have access to screens or to paper files and printed output. Out of hours, computers are logged off and switched off, and physical data is securely locked away. A shredder must be used to dispose of unwanted material, and waste should be placed in bin bags clearly marked ‘confidential waste’. Personal files and data, including data held on disk, must not be left unattended on desks or kept in unlocked cabinets.
Computers should not be shared between users unless each user has a separate password-protected account. Disclosure or use of a password without the Trustees' authorisation may result in disciplinary action. Stored data and backups should be held in the Trust office.
Emails referring to an individual are covered by the Act and need to be disclosed to an individual making a subject access request. Care must be taken over the contents of emails and over the storage of emails which may later be needed for a specific purpose, e.g. a claim or employment appeal.
All computer equipment or media earmarked for disposal will have its disks securely erased by overwriting or degaussing; a standard reformat on its own does not remove the data and is not sufficient. Personal data will not normally be carried off site without the specific approval of the Trustees.
Off-site Working Guidelines
Staff or volunteers are not permitted to remove any personal data with the intention of processing the data elsewhere, unless such use is recognised and authorised by the Trustees. Data should always be processed in accordance with the Trust's data protection policy.
Those individuals authorised to process data off site should make appropriate arrangements for the security of and access to their data whenever they are absent from the Trust, and are responsible for anticipating both security and access considerations in the event of emergencies such as power or utility failures, computer network failure, fire, flood or occupation of the work area by unauthorised people.
Staff and volunteers must ensure adequate security for Trust equipment at all times. Portable equipment or documentation must not be left unattended in a place where it is accessible to the public, or in any vehicle unless the vehicle is locked and the equipment or documentation is not in public view. Leaving Trust equipment in a vehicle must be a last resort, used only where it is not possible to carry the equipment; in these rare circumstances the equipment must be secured out of sight in the vehicle.
In the event that staff or volunteers cease to be involved with the Trust, all equipment and data owned by the Trust must be returned, or destroyed or deleted in accordance with the Trustees' guidelines. This includes all manual and electronic documents, floppy disks or any other media containing personal or commercial-in-confidence data, and any information on the means to access such data.
Chair RAG Trust
January 2010
