Data Protection Standing Order PDF

Summary

This document outlines the six data protection principles, including lawful processing, fair and transparent procedures, legitimate purposes, accuracy, ongoing updates, identification limitations, processing manner, and secure data handling. It also details a table of contents and an introduction to those procedures.

Full Transcript

**DATA PROTECTION STANDING ORDER**

**TABLE OF DOCUMENT DETAILS**

+-----------------------------------+-----------------------------------+
| Title | |
+===================================+===================================+
| Reference No | |
+-----------------------------------+-----------------------------------+
| Relevant Department or Group | |
+-----------------------------------+-----------------------------------+
| Ownership | |
+-----------------------------------+-----------------------------------+
| Document Author | |
+-----------------------------------+-----------------------------------+
| Approved by | |
+-----------------------------------+-----------------------------------+
| Approval Date | |
+-----------------------------------+-----------------------------------+
| Implementation Date | |
+-----------------------------------+-----------------------------------+
| To be Reviewed Date | |
+-----------------------------------+-----------------------------------+
| Last Revised Date | |
+-----------------------------------+-----------------------------------+
| Quality Assured by | |
+-----------------------------------+-----------------------------------+
| Protective Marking | |
+-----------------------------------+-----------------------------------+
| Linked to other | |
| | |
| Standing Order | |
+-----------------------------------+-----------------------------------+
| Relevant Legislation | [Data Protection Ordinance |
| | 2020](https://www.sbaadministrati |
| | on.org/home/legislation/01_02_09_ |
| | 05_ORDINANCES/01_02_09_05_61_ORD_ |
| | 2020/20201223_ORD-47_G1959.pdf) |
+-----------------------------------+-----------------------------------+
| Pages | |
| | |
| (including this page) | |
+-----------------------------------+-----------------------------------+

**TABLE OF CONTENTS**

[Introduction] [Page 3]
---------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------
[The Six Data Protection Principles] [Page 3]
[Principle 1: Personal Data must be processed lawfully, fairly and in a transparent manner] [Page 3]
[Principle 2: Personal Data must be collected for specific, explicit, and legitimate purposes] [Page 3]
[Principle 3: Personal Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed] [Page 4]
[Principle 4: Personal Data must be accurate and where necessary kept up to date] [Page 4]
[Principle 5: Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary] [Page 4]
[Principle 6: Personal Data must be processed in a manner that ensures appropriate security of the personal data] [Page 4]
[Relevant Documentation] [Page 7]

**1. Introduction**

**2. The six Data Protection Principles**

2.1 The six data protection principles state that all personal data must
be:

2.1.1 Processed lawfully, fairly and in a transparent manner,

2.1.2 Collected for specified, explicit and legitimate purposes,

2.1.3 Adequate, relevant, and limited to what is necessary,

2.1.4 Accurate and where necessary kept up to date,

2.1.5 Kept in a form which permits identification of data subjects for
no longer than is necessary

2.1.6 Processed in a manner that ensures appropriate security of the
personal data

**3. Principle 1: Personal Data must be processed lawfully, fairly and
in a transparent manner**

3.1 The Act requires the SBA Police, as a data controller, to identify
its lawful basis before processing any personal data. ('Processing' also
includes collecting and storing data.) Lawful bases could be when an
individual consents to their information being processed.

3.2 You must explain why and how the data subject's personal details
will be processed using clear, concise, plain language. This information
must be readily available to the data subjects in the form of a privacy
notice

3.3 Do not process personal data in a way that is unduly detrimental,
unexpected, or misleading to the individuals concerned, as this will be
considered unfair.

**4. Principle 2: Personal Data must be collected for specific,
explicit, and legitimate purposes**

4.1 When the SBA Police collects personal data, it must clearly explain
why it needs to process it. This relates back to the need to identify a
lawful basis as described under Principle 1.

**4.2** During the course of your business, you might identify a new
purpose for the personal data you obtained. However, you must ensure
that your new reasons for processing the data are compatible with your
old reasons.

4.3 Please note archiving the data (in the public interest), or using it
for scientific, historic or statistical purposes is always considered
compatible with its original purpose.

**5.** **Principle 3: Personal Data must be adequate, relevant, and
limited to what is necessary in relation to the purposes for which they
are processed**

**5.1** This means that the SBA Police must not collect or process more
personal data than it needs to achieve its purpose. You should not
collect an excessive quantity of data on the basis that you might need
it one day.

6.1 You must take every reasonable step to ensure that inaccurate
personal data is rectified or erased without delay.

6.2 Establish a process to ensure that the personal data held (e.g.
databases), is regularly reviewed. If you make any changes to those
records, please note what you have changed and why.

**7. Principle 5: Personal Data must be kept in a form which permits
identification of data subjects for no longer than is necessary**

7.1 If you no longer need the personal data to achieve its purpose you
should delete or anonymise it (unless you have other lawful grounds for
retaining it).

7.2 One way to anonymise data is to store parts of it separately from
the parts that link it to specific individuals. For instance, you could
keep names and survey results on separate spreadsheets and link the two
together with a code.

**8. Principle 6: Personal data must be processed in a manner that
ensures appropriate security of the personal data**

8.1 The SBA Police is required to use appropriate technical and
organisation measures to ensure its personal data holdings are processed
securely. You must take all reasonable steps to protect the personal
data you hold against unlawful processing, accidental loss, destruction,
or damage.

8.2 If you store personal information on SharePoint, please check that
only those with a business need can access it. Equally, databases
contained personal data should be encrypted or password protected.

8.3 If any personal information that is transmitted, stored, or
otherwise processed by the SBA Police is accidently or unlawfully
destroyed, lost, altered, disclosed or accessed without authorisation,
this will be considered a breach and must be reported without delay.

**8. Relevant Documentation**

8.1 [Sovereign Base Area Administration Personal Information
Charter](https://modgovuk.sharepoint.com/:w:/r/teams/1536/SBAAHQ/_layouts/15/Doc.aspx?sourcedoc=%7B54C3CBDB-330D-4BF5-A1E7-C383D9F3969D%7D&file=20210810-Information_Charter.docx&action=default&mobileredirect=true&wdLOR=c57E29492-2187-487B-8915-ACCFBB8F6DC4&cid=b251cb06-78b0-4379-8cc1-5ed3e9917c08)