Bourton Group is committed to observing a strict code of practice on data protection to ensure compliance with the Data Protection Act 1998 and any subsequent relevant legislation, to ensure personal data is treated in a manner that is fair and lawful.
Our policy aims to ensure that all information about employees and other data subjects held by Bourton Group is handled in a way that complies with the Data Protection Principles set out in the 1998 Act.
The policy and procedures apply to all employees of Bourton Group. They cover all personal data, including ordinary data (such as name, address etc) and sensitive data (relating to ethnic origin, health etc), and apply equally to electronic and manual systems.
The agreed procedures ensure that the 8 data protection principles are maintained. These state that personal data must:
- be processed fairly and lawfully
- be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose
- be adequate, relevant and not excessive for the purpose
- be accurate and up-to-date
- not be kept for longer than necessary for the purpose
- be processed in accordance with the data subject’s rights
- be kept safe from unauthorised processing, and accidental loss, damage or destruction
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances
Only relevant personal data may be collected and the person from whom it is collected will be informed of the data’s intended use, and any possible disclosures of the information that may be made.
- Personal data will be stored in a secure and safe manner.
- Electronic data will be protected by standard password and firewall systems
- Computer workstations will be positioned so that they are not visible to casual observers
- Manual data will be stored where it is not accessible to anyone who does not have a legitimate reason to view or process that data
- Particular attention will be paid to the need for security of sensitive personal data
- Structuring of filing systems will be done in a way that allows specific information about the individual to be readily accessible
- Efforts will be made to ensure the data is up-to-date and accurate
- Identified errors will be communicated to any third parties who have been issued with the incorrect data
Access to data
- Personal data will only be disclosed when consent has been given, or to organisations that have a legal right to receive the data without consent being given.
- All staff are required to observe confidentiality of data and to check validity of requests before disclosing any records. They are required to use means of communication that are appropriate to the sensitivity of the information involved. A record of any personal data disclosed will be kept so that the recipient can be informed if the data is later found to be inaccurate.
- Requests from data subjects will be met within the 40-day deadline
Any deliberate or reckless breach of this policy may lead to disciplinary or legal proceedings. The Company Secretary is available to answer any queries relating to Data Protection.
Any individual who considers that the policy has not been followed should take the matter up with the Company Secretary. The grievance procedure will be invoked for any unresolved data protection issues.