Data protection policy

Introduction

This document sets out Co-operatives UK's policy regarding compliance with the Data Protection Act 1998 and associated legislation. It also outlines the responsibilities for data protection compliance, and how compliance is maintained and monitored. The policy covers all business areas within Co-operatives UK and applies to all staff employed, including any temporary or contract staff. Any breach of the Data Protection Act or of this Data Protection Policy is considered to be an offence, and a breach may result in disciplinary action.

Policy statement

Co-operatives UK is committed to a policy of protecting the rights and privacy of individuals, including our staff, members and customers, in accordance with the Data Protection Act.

In line with our co-operative values and principles, Co-operatives UK believes that people have a right to know what data is being held about them - in whatever form - and the intended use of that data.

Co-operatives UK will inform all individuals of the purpose or purposes for which we are collecting and processing personal data.

Co-operatives UK will, in accordance with the Act, make available details of the personal data held on individuals when requested, and correct it when necessary. We will never sell personal details to third parties for marketing purposes.

Context

The Data Protection Act 1998 regulates the way that personal information about individuals, whether held electronically or in a manual filing system, is obtained, stored, used and disclosed. More specific conditions must be met before sensitive personal data (as defined in the appendix) may be processed in accordance with the Act. The legislation also grants individuals the right to see the data stored about them, and to require correction of the information if it is inaccurate.

The Act is based on eight principles, set out below:

  1. Personal information shall be processed fairly and lawfully. Co-operatives UK ("we") must always make it clear to individuals why we are asking for their information, what we are going to do with it, and to whom we might disclose it.
  2. Personal information shall be processed for limited purposes. If we have told the individual what we are going to use their information for, then we cannot presume that they will agree to us using it for any other purpose unless we have told them about it in advance of it being used.
  3. Personal information shall be adequate, relevant and not excessive. We should only collect information that is strictly necessary for the purpose for which it is being obtained. Any information given which becomes excessive for the purpose should be immediately disposed of or deleted in a secure manner.
  4. Personal information shall be accurate and, where necessary, kept up to date. We must take all reasonable efforts to ensure that the information that we hold is as accurate as possible, and that if we are advised of a change to the information, the change is made as quickly as possible.
  5. Personal information shall not be kept for longer than is necessary. Personal information shall only be retained for as long as is necessary, and once there is no requirement, whether a business or statutory requirement, to retain the information, it shall be disposed of in an appropriate manner.
  6. Personal information shall be processed in accordance with the rights of individuals. Individuals can ask us to stop processing their information in certain circumstances, ask for copies of information we hold about them (a Subject Access Request) and also ask for an explanation of automated decision making. Processes need to be in place to deal with these requests.
  7. Personal information must be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using appropriate technical and organisational measures. We need to make sure that any systems and processes that we adopt adequately protect personal data. We also need to make sure that any personal information passed to a third party is adequately protected.
  8. Personal information must not be transferred to countries without adequate protection. If personal information is to be transferred outside of the European Economic Area, we must ensure that contracts are established to put proper controls in place so that the security of the information is not compromised.

Procedures

Co-operatives UK has a nominated Data Controller whose responsibility is to ensure that the Society remains compliant with the Data Protection Act 1998 and any associated legislation.

Roles and Responsibilities

  • Board of Directors (collectively)
    • Endorse and actively promote the Data Protection Policy throughout the Society
  • Senior Management (within their area of responsibility)
    • Promote a culture of data protection awareness and ownership
    • Ensure an appropriate level of data protection compliance
  • All colleagues
    • Be familiar with the concept of Data Protection within Co-operatives UK
    • Be aware of the implications of data protection for the information that they process
    • Process all personal data in accordance with the Data Protection Act and the guidelines and policies issued by Co-operatives UK
  • Data Controller
    • Act as central contact with the regulator, the Information Commissioner
    • Provide guidance and advice to staff
    • Facilitate awareness training for staff processing personal data
    • Respond to Subject Access Requests for copies of information held on individuals

Notifications

Our purposes for holding personal data, and a general description of the categories of people and organisations to which we may disclose it, are listed in the notification in the name of Co-operatives UK Limited on the register of Data Controllers maintained by the Information Commissioner's Office. You may inspect this or obtain a copy from the Information Commissioner's Office website: www.ico.gov.uk/tools_and_resources/register_of_data_controllers.aspx

APPENDIX Definitions

PERSONAL INFORMATION

Personal information means information which relates to a living individual who can be identified from that information, or from that information and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

SENSITIVE PERSONAL DATA

Any personal information about an individual which relates to his or her racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, state of mental or physical health, sex life, and/or the commission or alleged commission of any offence and any related proceedings.

PROCESSING

Processing, in relation to information, means obtaining, recording or holding the information, or carrying out any operation or set of operations on the information, including:

  • organisation, adaptation or alteration of the information
  • retrieval, consultation or use of the information
  • disclosure of the information by transmission, dissemination or otherwise making it available
  • alignment, combination, blocking, erasure or destruction of the information

DATA SUBJECT

Data Subject means an individual who is the subject of personal data.

DATA CONTROLLER

Data Controller means a person or organisation who (either alone or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

DATA PROCESSOR

Data processor in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

RECIPIENT

Recipient, in relation to personal data, means any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor, or an employee or agent of the data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made in the exercise of a power conferred by law.

THIRD PARTY

Third party, in relation to personal data, means any person other than:

  • the data subject
  • the data controller, or
  • any data processor or other person authorised to process data for the data controller or processor.

INFORMATION COMMISSIONER

The Information Commissioner's Office (ICO) is the regulatory body for the Data Protection Act and the Freedom of Information Act.

SUBJECT ACCESS REQUEST

A Subject Access Request is a formal request made to the Data Controller under the Data Protection Act by an individual (the data subject) for the information held about them, as distinct from business-as-usual requests. A Subject Access Request need not quote the Data Protection Act to be valid, so staff should recognise and route such requests whatever form they take.

SECTION 29(3) REQUESTS

A request for the disclosure of personal data under section 29(3) of the Data Protection Act 1998 for the purpose of the prevention or detection of crime. The exemption applies only to the extent that withholding the data would prejudice that purpose, so each request should be assessed on its own facts and referred to the Data Controller before any disclosure is made.
