Data Protection Standing Order PDF
Argyris Efstathiades
Summary
This document outlines the six data protection principles: lawful, fair and transparent processing; collection for specified, explicit and legitimate purposes; adequacy, relevance and limitation to what is necessary; accuracy and keeping data up to date; limits on how long data subjects remain identifiable; and secure processing. It also includes a table of contents and an introduction.
Full Transcript
**DATA PROTECTION STANDING ORDER**

**TABLE OF DOCUMENT DETAILS**

| Title | |
|---|---|
| Reference No | |
| Relevant Department or Group | |
| Ownership | |
| Document Author | |
| Approved by | |
| Approval Date | |
| Implementation Date | |
| To be Reviewed Date | |
| Last Revised Date | |
| Quality Assured by | |
| Protective Marking | |
| Linked to other Standing Order | |
| Relevant Legislation | [Data Protection Ordinance 2020](https://www.sbaadministration.org/home/legislation/01_02_09_05_ORDINANCES/01_02_09_05_61_ORD_2020/20201223_ORD-47_G1959.pdf) |
| Pages (including this page) | |

**TABLE OF CONTENTS**

- Introduction
- The Six Data Protection Principles
- Principle 1: Personal Data must be processed lawfully, fairly and in a transparent manner
- Principle 2: Personal Data must be collected for specific, explicit, and legitimate purposes
- Principle 3: Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
- Principle 4: Personal Data must be accurate and where necessary kept up to date
- Principle 5: Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary
- Principle 6: Personal Data must be processed in a manner that ensures appropriate security of the personal data
- Relevant Documentation

**1. Introduction**

**2. The six Data Protection Principles**

2.1 The six data protection principles state that all personal data must be:

2.1.1 Processed lawfully, fairly and in a transparent manner,

2.1.2 Collected for specified, explicit and legitimate purposes,

2.1.3 Adequate, relevant, and limited to what is necessary,

2.1.4 Accurate and where necessary kept up to date,

2.1.5 Kept in a form which permits identification of data subjects for no longer than is necessary,

2.1.6 Processed in a manner that ensures appropriate security of the personal data.

**3. Principle 1: Personal Data must be processed lawfully, fairly and in a transparent manner**

3.1 The Act requires the SBA Police, as a data controller, to identify its lawful basis before processing any personal data. ('Processing' also includes collecting and storing data.) A lawful basis could be, for example, that an individual consents to their information being processed.
3.2 You must explain why and how the data subject's personal details will be processed using clear, concise, plain language. This information must be readily available to the data subjects in the form of a privacy notice.

3.3 Do not process personal data in a way that is unduly detrimental, unexpected, or misleading to the individuals concerned, as this will be considered unfair.

**4. Principle 2: Personal Data must be collected for specific, explicit, and legitimate purposes**

4.1 When the SBA Police collects personal data, it must clearly explain why it needs to process it. This relates back to the need to identify a lawful basis as described under Principle 1.

4.2 During the course of your business, you might identify a new purpose for the personal data you obtained. However, you must ensure that your new reasons for processing the data are compatible with your old reasons.

4.3 Please note that archiving the data (in the public interest), or using it for scientific, historic or statistical purposes, is always considered compatible with its original purpose.

**5. Principle 3: Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed**

5.1 This means that the SBA Police must not collect or process more personal data than it needs to achieve its purpose. You should not collect an excessive quantity of data on the basis that you might need it one day.

**6. Principle 4: Personal Data must be accurate and where necessary kept up to date**

6.1 You must take every reasonable step to ensure that inaccurate personal data is rectified or erased without delay.

6.2 Establish a process to ensure that the personal data held (e.g. in databases) is regularly reviewed. If you make any changes to those records, please note what you have changed and why.

**7. Principle 5: Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary**

7.1 If you no longer need the personal data to achieve its purpose, you should delete or anonymise it (unless you have other lawful grounds for retaining it).

7.2 One way to anonymise data is to store parts of it separately from the parts that link it to specific individuals. For instance, you could keep names and survey results on separate spreadsheets and link the two together with a code.

**8. Principle 6: Personal data must be processed in a manner that ensures appropriate security of the personal data**

8.1 The SBA Police is required to use appropriate technical and organisational measures to ensure its personal data holdings are processed securely. You must take all reasonable steps to protect the personal data you hold against unlawful processing, accidental loss, destruction, or damage.

8.2 If you store personal information on SharePoint, please check that only those with a business need can access it. Equally, databases containing personal data should be encrypted or password protected.

8.3 If any personal information that is transmitted, stored, or otherwise processed by the SBA Police is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation, this will be considered a breach and must be reported without delay.

**8. Relevant Documentation**

8.1 [Sovereign Base Area Administration Personal Information Charter](https://modgovuk.sharepoint.com/:w:/r/teams/1536/SBAAHQ/_layouts/15/Doc.aspx?sourcedoc=%7B54C3CBDB-330D-4BF5-A1E7-C383D9F3969D%7D&file=20210810-Information_Charter.docx&action=default&mobileredirect=true&wdLOR=c57E29492-2187-487B-8915-ACCFBB8F6DC4&cid=b251cb06-78b0-4379-8cc1-5ed3e9917c08)