Data Protection Policy & Procedures Policy
Our data protection policy sets out our commitment to protecting personal data and how we implement that commitment with regards to the collection and use of personal data.
We are committed to:
Data Protection Principles
Overall responsibility for the policy implementation rests with the Board. However, all staff are obliged to adhere to, support and implement this policy.
Gôl Centres Ltd requires all staff to be vigilant and exercise caution when asked to provide personal data held on another individual. They must ensure that requests for personal information which they are concerned about being improper should be directed to the Data Protection Representative and under no circumstances should personal information be disclosed either orally or in writing to any external person, which includes family members and friends without the express prior consent of the relevant individual or the Data Protection Representative.
When staff are required to collect personal data, they must adhere to the requirements of this policy.
All staff must ensure that any personal information which they hold is kept securely and that they take appropriate security precautions by seeking to ensure the following:
Logged on PCs are not left unattended where data is visible on screen to unauthorised personnel.
When manual records are no longer required, they should be shredded or bagged and disposed of securely and the hard drives of redundant PCs should be wiped clean. Off-site use of personal data presents a greater risk of loss, theft or damage and the company and personal liability that may accrue from the off-site use of personal data is similarly increased. For these reasons staff should:
Rights of Individuals
Under the Act, an individual has the following rights:
Access to Personal Data Subject to exemptions, the Act gives any individual who has personal data kept about them by the Company the right to request in writing a copy of the information held relating to the individual in electronic format and also in some manual filling systems. Any person who wants to exercise this right should in the first instance make a written request to the Company. The Company will make an administrative charge of £10 each time that a request is made.
After receipt of a written request, the fee and any information needed as proof of identity of the person making the request, the Company will ensure that the individual receives access within 40 calendar days, unless there is a valid reason for delay or an exemption is applicable.
The Act does not prevent an individual making a subject access request via a third party, including by a solicitor acting on behalf of a client. In these cases and prior to the disclosure of any personal information, the Company would need to be satisfied that the third party making the request is entitled to act on behalf of the individual and would require evidence of this entitlement.
Whilst the Act does not limit the number of subject access requests an individual can make to any organisation, the Company is not obliged to comply with an identical or similar request to one already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones.
Accuracy of Data
Staff are responsible for:
Retention and Disposal of Data
The Company is not permitted to keep personal information of staff for longer than is required for its purpose or is required by law.
Personal and confidential information will be disposed of by means that protect the rights of those individuals ie. shredding, disposal of confidential waste, secure electronic deletion.
The Company is dedicated to being compliant with the Act. Any member of staff or a student wishing to report concerns relating to the Act should, in the first instance, contact the Data Protection Representative who will aim to resolve any issue or will refer to the Board of Directors or if necessary the Information Commissioner’s Office.