Data Protection: SBC Code of Practice
Written on: Thursday, Jul 1 2004 at 12:00 GMT
Written by: Corporate Resources - IT
Summary
We increasingly depend on computer systems and paper records (paper files) to carry out much of our normal business. A lot of the information we hold on our computer systems is about living people and so we, our staff and councillors need to keep to the Data Protection Act.
The Act came into force in 1984 and was amended in 1998 due to concerns arising as a result of rapidly developing computer technology. Under the Act, we must be open about how we use personal information and follow proper practices known as the data protection principles. The principles are set out on page 6 of this code of practice.
The Data Protection Act 1998 provides a single EU policy for sharing information between countries in the European Economic Area (EEA). It also prevents information from being shared with countries which do not have similar data protection policies. The Act now covers paper records (for example, index files) and closed circuit television systems (CCTV). Basically, if a person can be identified from the cover of a file, we should take suitable action to keep those files secure.
The Act gives the people we hold information about (known as data subjects) rights. It entitles them to find out what information we hold about them, challenge that information, have information changed or removed if appropriate, and claim compensation in certain circumstances. However, the Act does not prevent us from holding information about a person without that person knowing we hold information about them.
The Act also protects personal information from being unlawfully released. In effect, it states that:
- descriptions of all personal information must be given to the Information Commissioner (an independent officer who manages the Act and reports directly to Parliament);
- it is an offence to process information that has not been reported to the Information Commissioner or to process personal information in a way other than as authorised by the Information Commissioner; and
- we must follow the data protection principles.
To keep to the Data Protection Act, we have developed this code of practice. It gives guidance on:
- notifying the Information Commissioner (that is, giving them the details set out in part 3 on page 7);
- following the principles of good practice within the Act; and
- giving people access to information we hold about them.
Although all staff and councillors are responsible for protecting personal information held and processed on computer as well as paper files, certain specialised roles and responsibilities have been identified. The roles, and those responsible for them, are as follows.
Access to Information Officer (AIO)
This position is in the Corporate Resources IT Unit. The officer gives us guidance on keeping to the Data Protection Act and associated laws.
Data protection liaison officers (DPLO)
Each portfolio will have at least one data protection liaison officer. These officers work with the Access to Information Officer to make sure each portfolio or business area meets the requirements of the data protection laws.
Data controller
A data controller is a person or organisation who decides how any personal information can be held and processed, and for what purposes. We are the data controller.
Joint data controllers
These are people or organisations (for example, us, NHS Borders or Lothian & Borders Police) who jointly process and share information.
Data processor
This role is carried out by any person other than an employee of ours (for example, contractors and agents) who processes personal information on our behalf.
Internal audit
Internal audit is a team who will provide an independent check on how effectively business areas are keeping to this code of practice.
Detailed descriptions of the responsibilities of individual members of staff, councillors, the Access to Information Officer, and data protection liaison officers are given in appendix A to this code of practice.











