There are 8 Principles of the Data Protection Act 1998 governing the use of personal information, which we must comply with unless an exemption applies. Everyone responsible for using data has to follow strict rules called ‘data protection principles’. These are like our policies, procedures and codes of practice for holding data on someone.
1. It must be collected and used fairly and within the law.
2. It must only be held and used for the reasons given to the Information Commissioner.
3. It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
4. The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data.
5. It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
6. It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
7. The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
8. The files may not be transferred outside of the European Economic Area (that’s the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law. This part of the DPA has led to some countries passing similar laws to allow computer data centres to be located in their area.
The centre manager within my work setting is the data controller; he decides what information is required and how it is obtained and stored. A Data Protection Policy has been implemented so that I and other work colleagues are fully aware of the procedures for handling data. The management team are responsible for ensuring that all staff and volunteers act in accordance with this policy. The purpose and remit of this policy cover:
• Data collection
• Data storage/security
• Data updates
• Data disclosure
• Data access
• Data disposal/destruction
The Board of Directors within my setting will review this policy annually to ensure that we are following the 8 principles of the Data Protection Act 1998. If there is a request for a disclosure from a parent, then they must put their request in writing to management.
In cases of child protection, the law requires disclosure of information, without consent, to the relevant Health and Social Care Trust and also the PSNI. However, if a request for information relating to child protection is received by telephone, then as part of our policy no information should be given until the caller's identity has been verified. Only those known to be involved in child protection should be given information.
The EU General Data Protection Regulation (GDPR) has brought in a new set of data protection rules. The implementation date is 25 May 2018, and there are 12 steps which organisations should take in order to be GDPR ready by that date.