The objective of Ross & Roberts Ltd is to ensure compliance with the Data Protection Act, mindful of other relevant legislation such as the Human Rights Act, Freedom of Information Act and any other appropriate legislation.
This policy statement applies to all employees of Ross & Roberts Ltd, temporary staff, agents and contractors acting on behalf of the Company.
Anyone falling within the scope of this policy must be aware that non-compliance with this policy statement may result in disciplinary action after proper investigation under the Company's disciplinary policy and could incur a risk of prosecution.
- Relevant personnel must ensure that personal data is handled in accordance with the eight data protection principles which (in outline) are as follows:-
Personal data must be:
- fairly and lawfully processed;
- processed for limited purposes and not in any manner incompatible with those purposes;
- adequate, relevant and not excessive;
- not kept for longer than is necessary;
- processed in line with the data subject's rights;
- not transferred to countries without adequate protection.
- Members of staff should understand the definitions contained in the Act in order to ensure compliance.
- Personal data should be handled with the appropriate level of security.
- No personal data should be processed unless the Company is properly notified to do so.
- New information systems must be designed so that compliance with the Act can be achieved.
- Reference to the Act must be included in all relevant documents including contracts with organisations/individuals acting on behalf of the Company to ensure that compliance with the principles of the Act is achieved whenever personal data is processed.
Strict conditions apply to the passing of information both internally and externally. Confidentiality should be respected where appropriate, and no disclosures can be made that do not follow the Code of Practice, staff guidelines and procedures.
Guidance can be given and obtained from the Office Managers and/or Operations Managers, if required. Guidance can also be obtained from the company's designated data controller.
The Company's policy will be reviewed in the light of any changes to the Data Protection Act and in accordance with any implementation of the Freedom of Information Act.
Regular checks will be carried out by the Company's data controller to ensure the Company's compliance.
The Data Protection Act applies to 'personal data', that is, data about identifiable living individuals.
- Processing personal data
'Processing' is broadly defined and takes place when any operation or set of operations is carried out on personal data. The Act requires that personal data be processed "fairly and lawfully". Personal data will not be considered to be processed fairly unless certain conditions are met. A data subject must be told the identity of the data controller and why that information is or is to be processed.
Processing Non-Sensitive Data
Processing may only be carried out where one of the following conditions has been met:
- the individual has given his or her consent to the processing;
- the processing is necessary for the performance of a contract with the individual;
- the processing is required under a legal obligation;
- the processing is necessary to protect the vital interests of the individual;
- the processing is necessary to carry out public functions;
- the processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).
Processing sensitive data
The Data Protection Act makes specific provision for sensitive personal data. Sensitive data include: racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; criminal proceedings or convictions.
Sensitive data can only be processed under strict conditions, which include:
- having the explicit consent of the individual;
- being required by law to process the data for employment purposes;
- needing to process the information in order to protect the vital interests of the data subject or another;
- dealing with the administration of justice or legal proceedings.
The Data Protection Act covers information which is recorded as part of a 'relevant filing system', that is, a set of information in which the records are structured, either by reference to individuals or by reference to criteria relating to individuals, so that 'specific information relating to a particular individual is readily accessible'.
Data controllers must take security measures to safeguard personal data. The 1998 Act requires that data controllers must take appropriate technical or organisational measures to prevent the unauthorised or unlawful processing, or disclosure, of data. Where a controller uses the services of a data processor the security arrangements must be part of a written agreement between the two.
Transfer of Personal Data Overseas
The eighth principle restricts the transfer of personal data outside the EEA (which consists of Norway, Iceland and Liechtenstein as well as the 15 EU Member States). Personal data may only be transferred to third countries if those countries ensure an "adequate level of protection for the rights and freedoms of data subjects".
Most data controllers need to notify the Commissioner, in broad terms, of the purposes of their processing, the personal data processed, the recipients of the personal data processed and the places overseas to which the data are transferred. This information is made publicly available in a register. Notification is not linked to enforcement. Data controllers have a single register entry. Notifications are renewable annually.
The rights of individuals
- The right of subject access
The Data Protection Act allows individuals to find out what information is held about themselves on computer and some paper records. This is known as the right of subject access.
- The right of rectification, blocking, erasure and destruction
The Data Protection Act allows individuals to apply to the Court to order a data controller to rectify, block, erase or destroy personal details if they are inaccurate or contain expressions of opinion which are based on inaccurate data.
- The right to prevent processing
A data subject can ask a data controller to stop, or not to begin, processing relating to him or her where it is causing, or is likely to cause, substantial unwarranted damage or substantial distress to them or anyone else. However, this right is not available in all cases and data controllers do not always have to comply with the request.
- The right to prevent processing for direct marketing
A data subject can ask a data controller to stop or not to begin processing data relating to him or her for direct marketing purposes. This is an absolute right.
- The right to compensation
A data subject can claim compensation from a data controller for damage or damage and distress caused by any breach of the Data Protection Act. Compensation for distress alone can only be claimed in limited circumstances.
- Rights in relation to automated decision-taking
An individual can ask a data controller to ensure that no decision which significantly affects them is based solely on processing his or her personal data by automatic means. There are, however, some exemptions to this.
The Telecommunications Regulations 1999 (Data Protection and Privacy) impose special rules for dealing with data in public telecommunications systems, faxes, telephones, and automated calling systems for unsolicited marketing.
- Unsolicited marketing faxes must not be sent to individual subscribers without their prior consent.
- Individual subscribers have a statutory right to opt-out of unsolicited telephone marketing either by telling the caller or by registering on a central stop list.
- Corporate subscribers cannot opt-out of telephone sales but have the right to opt-out of unsolicited marketing faxes.
- Automated calling systems must have the prior consent of both corporate and individual subscribers.
- Notification offences
These are committed where processing is being undertaken by a data controller who has not notified the Commissioner either of the processing being undertaken or of any changes that have been made to that processing. Failure to notify is a strict liability offence.
- Procuring and selling offences
It is an offence to obtain, disclose, sell or advertise for sale, or bring about the disclosure of personal data, without the consent of the data controller. It is also an offence to access personal data or to disclose it without proper authorisation. This covers unauthorised access to and disclosure of personal data. There are some exceptions to this.
- Enforced subject access offence
Unless one of the limited statutory exceptions applies, it is an offence for a person to ask another person to make a subject access request in order to obtain personal data about that person for specified purposes, such as a precondition to employment.
- Other offences
It is an offence to fail to respond to an information notice or to breach an enforcement notice. Unauthorised disclosures by the Commissioner or her staff are forbidden and breach of those provisions is an offence.
Collection of Personal Information
The information which we collect and store during normal use of the site is used to monitor and analyse how parts of the site are used. Such use does not result in any personally identifiable data being collected or stored.
You have the option on certain pages within this site to submit personal information to Ross and Roberts in order that we might send you further information or email alerts. These pages provide explanations as to how this information is to be used.
We will not disclose without your consent any personal information we collect about you when you visit the site to a third party outside Ross and Roberts. In connection with any application, request or enquiry you make, your information will be passed directly to the relevant business unit within the group.
By submitting your personal information through this website, you shall be consenting to it being processed in the manner described above by Ross and Roberts.
If you have submitted personal information through this website and wish us to cease using it for the purposes submitted, please contact Ross and Roberts, Unit 8 Wessex Park, Bancombe Road Trading Estate, Somerton, Somerset, TA11 6SB.