BBA Data Protection Policy

The BBA Approach to Data Protection

The BBA is committed to a policy of protecting the rights and privacy of individuals (which includes staff, individual members and non-members) in accordance with the Data Protection Act.

The BBA needs to process certain information about its staff, and other individuals it has dealings with for administrative purposes (e.g. to recruit and pay staff, to administer staff training, to record progress, to process requests for products and services, to supply information, and to comply with legal obligations).

To comply with the law, information about individuals must be accurately collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.

The policy applies to all BBA staff, contractors, and the employees of organisations who, either directly or indirectly, use and/or support this organisation’s IT systems. Any breach of the Data Protection Act or the BBA Data Protection Policy is considered to be an offence and, in that event, BBA disciplinary procedures will apply.

As a matter of good practice, other agencies and individuals working with the BBA, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments/sections who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.

The Act applies to personal data held on any personal computers (including home PCs used by staff for business purposes), personal organisers, and in structured manual files, even if not owned by the organisation, when used by members of staff, temporary staff or external contractors and advisors specifically to support the business activities of the organisation.

The data belongs to the BBA and must be processed in compliance with the Act. Staff are discouraged from holding BBA data on personal organisers or home computers. In particular, BBA data must be kept secure and must not be accessible to any family member or friend. If using BBA data outside the office, adequate security such as passwords should be used along with good anti-virus protection.

The Data Protection Act

The Data Protection Act (DPA) came into force on 1st March 2000 and has major implications for all users of personal data. The new Act enhances and broadens the scope of the previous 1984 Act, demanding stricter regulation of staff use and access. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge and, wherever possible, is processed with their consent.

Definitions of the Data Protection Act

Personal Data

Data relating to a living individual who can be identified from that information, or from that data and other information in the possession of the data controller. This includes name, address and telephone number. It also includes expressions of opinion about the individual, and of the intentions of the data controller in respect of that individual.

Sensitive Data

Data that differs from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life or criminal convictions. Sensitive data is subject to much stricter conditions of processing.

Data Controller

Any person (or organisation) that makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data is processed and the way in which the personal data is processed.

Data Subject

Any living individual who is the subject of personal data held by an organisation.

Processing

Any operation relating to the organisation, retrieval, disclosure and deletion of data. This includes: obtaining and recording data; accessing, altering, adding to, merging or deleting data; retrieving, consulting or using data; and disclosing or otherwise making data available.

Third Party

Any individual/organisation other than the data subject, the data controller (the BBA) or its agents.

Relevant Filing System

Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Please note that this is the definition of “Relevant Filing System” in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual’s information can be readily extracted.

The 8 Data Protection Principles

All processing of personal data must be done in accordance with the eight data protection principles. These are principles of good practice and are legally enforceable.

1. Personal data shall be processed fairly and lawfully.
Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the data controller, the purpose of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.

2. Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes.
Data obtained for specified purposes must not be used for a purpose that differs from those.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held.
Information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data is given or obtained which is excessive for the purpose, it should be immediately deleted or destroyed.

4. Personal data shall be accurate and, where necessary, kept up to date.
Data which are kept for a long time must be reviewed and updated as necessary.

No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the Association are accurate and up-to-date. Completion of a conference or training booking form, publications order form, BBA internal form or application form etc. will be taken as an indication that the data contained therein is accurate.

Individuals should notify the BBA of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the BBA to ensure that any notification regarding change of circumstances is noted and acted upon.

5. Personal data shall be kept only for as long as necessary.

6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.

8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data must not be transferred outside of the European Economic Area (EEA) – the fifteen EU Member States together with Iceland, Liechtenstein and Norway – without the explicit consent of the individual. Members of the BBA should be particularly aware of this when publishing information on the Internet, which can be accessed from anywhere on the globe. This is because transfer includes placing data on a web site that can be accessed from outside the EEA.

BBA’s Responsibilities under the Act

  • The BBA is the data controller under the new Act.
  • A Data Protection Officer has been appointed (David Poyser) who is responsible for notification of the use of personal data to the Information Commissioner and for developing specific guidance notes on data protection issues for staff of the BBA.
  • BBA Senior Management, Executive Directors and all those in managerial or supervisory roles are responsible for developing and encouraging good information handling practice within the BBA.
  • Compliance with data protection legislation is the responsibility of all staff of the BBA who process personal information and all staff are responsible for ensuring that any personal data supplied to the Association is accurate and up-to-date. Specifically, the BBA employs a Database Administrator who has responsibility for managing the organisation’s primary electronic data store, the Integra database, and ensuring the accuracy and integrity of data held therein.
  • The BBA will ensure that there are appropriate controls in place to ensure that personal data held in the primary electronic data store, Integra, is of a high standard and processed in accordance with the provisions of the Act.

The BBA’s undertaking in relation to the handling of personal/sensitive information

The BBA will, through appropriate management and the use of strict criteria and controls, ensure that all staff:–

  • Observe fully the conditions regarding the fair collection and use of personal information;
  • Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
  • Ensure the quality of information used;
  • Ensure that personal information is not transferred abroad without suitable safeguards;
  • Ensure all queries about handling personal information are promptly and courteously dealt with.

In addition the senior management of BBA will:–

  • Ensure there is someone with specific responsibility for data protection in the organisation (the Data Protection Officer);
  • Ensure everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
  • Ensure everyone managing and handling personal information is appropriately trained to do so;
  • Ensure everyone managing and handling personal information is appropriately supervised;
  • Ensure that anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
  • Ensure methods of handling personal information are regularly assessed and evaluated;
  • Ensure that performance with handling personal information is regularly assessed and evaluated;
  • Ensure that data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedure;
  • Ensure that the BBA meets its legal obligations to specify the purpose for which information is used;
  • Apply strict checks to determine the length of time information is held;
  • Take appropriate technical and organisational security measures to safeguard personal information;
  • Ensure that the rights of people about whom the information is held can be fully exercised under the Act.

Notification

Notification is the responsibility of the Data Protection Officer. Details of the Associations’ Notifications (both BBA and BBAE) are published on the Information Commissioner’s website. Anyone who is processing, or intends to process, data for purposes not included in the Associations’ Notifications should seek advice from the Data Protection Officer.

Data Subject Rights

Data Subjects have the following rights regarding data processing, and the data that are recorded about them:

  • The right to be informed that processing is being undertaken;
  • The right to make subject access requests regarding the nature of information held and to whom it has been disclosed, within the statutory 40 days;
  • The right to prevent processing likely to cause damage or distress;
  • The right to prevent processing for purposes of direct marketing;
  • The right to be informed about the mechanics of any automated decision-taking process that will significantly affect them;
  • The right not to have significant decisions that will affect them taken solely by automated process;
  • The right to sue for compensation if they suffer damage by any contravention of the Act;
  • The right to take action to rectify, block, erase or destroy inaccurate data;
  • The right to request the Commissioner to assess whether any provision of the Act has been contravened.

Rights of Access to Data

All individuals held on the BBA database have the right to access any personal data which is held by the Association in electronic format and manual records which form part of a relevant filing system.

Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer (DPO). The Association reserves the right to charge a fee for data subject access requests (currently £10). Any such request will normally be complied with within 40 days of receipt of the written request and, where appropriate, the fee.

Security of Data

All staff are responsible for ensuring that any personal data (on others) which they hold is kept securely and that it is not disclosed to any unauthorised third party. All personal data should be accessible only to those who need to use it. You should form a judgment based upon the sensitivity and value of the information in question, but always consider keeping personal data:

  • in a lockable room with controlled access, or
  • in a locked drawer or filing cabinet, or
  • if computerised, password protected, or
  • on disks which are themselves kept securely.

Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password-protected screen-savers, and manual records should not be left where they can be accessed by unauthorised personnel.

Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as “confidential waste”. Hard drives of redundant PCs should be wiped clean before disposal.

Disclosure of Data

The BBA must ensure that personal data is not disclosed to unauthorised third parties, which may include colleagues, government bodies, other organisations and, in certain circumstances, the Police. All staff should exercise caution when asked to disclose personal data held on another individual to a third party.

For instance, it would usually be deemed appropriate to disclose a colleague’s work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague’s work details to someone who wished to contact them regarding a non-work related matter.

The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of Association business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them on to the relevant individual concerned.

This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:

  • the individual has given their consent (e.g. an individual has agreed to have their details passed to a third party through completion of the relevant data protection forms);
  • where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff – personal information can be disclosed to other BBA employees if it is clear that those members of staff require the information to enable them to perform their jobs);
  • where the institution is legally obliged to disclose the data (e.g. ethnic minority and disability monitoring);
  • where disclosure of data is required for the performance of a contract.

The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:

  • to safeguard national security*;
  • prevention or detection of crime including the apprehension or prosecution of offenders*;
  • assessment or collection of tax or duty*;
  • discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
  • to prevent serious harm to a third party;
  • to protect the vital interests of the individual (this refers to life-and-death situations).

*Requests must be supported by appropriate paperwork.

Direct Marketing

BBAE uses personal data for direct marketing purposes and must inform data subjects of this at the time of collection of the data. Individuals must be provided with the opportunity to object to the use of their data for direct marketing purposes (e.g. an opt-out box on a form).

Right to prevent processing likely to cause damage or distress to the individual

An individual is entitled to require the BBA to cease (or not to begin) processing of the individual’s personal data on the grounds that:

  • the processing is causing or is likely to cause substantial damage or distress to the individual or to another; and
  • the damage or distress is or would be unwarranted.

The BBA would not be required to comply with a request to cease processing in the circumstances where:

  • the data subject has consented to the processing; or
  • the processing is necessary for entering into or for the performance of a contract with the data subject; or
  • the processing is necessary for compliance with a legal obligation; or
  • the processing is necessary to protect the vital interests of the data subject.

Within 21 days of receiving a request to prevent processing, the BBA must provide the individual with a written notice:

  • stating whether the BBA has complied or intends to comply; or
  • stating the reasons for regarding the request to be unjustified and the extent (if any) to which the BBA has complied or intends to comply.

Right to prevent processing for purposes of direct marketing

The BBA will not process or continue to process personal data for the purposes of direct marketing if the individual:

  • writes requesting the BBA not to do so;
  • has completed a Data Protection form to this effect;
  • has ticked the relevant box on the conference flyer;
  • has ticked the relevant box on the training flyer;
  • has ticked the relevant box on the publications order forms;
  • has telephoned requesting the BBA not to do so.

Complaints by Data Subjects

The Data Protection Officer (DPO) is responsible for responding to a data subject’s complaints about the organisation’s processing of personal data relating to that individual. A response outlining the actions that will be taken by the organisation will be made within 21 days of the receipt of a written notice. Staff are required to pass any subject access request or complaint received to the DPO immediately.

New Uses of Personal Data

Before any collection or processing of data commences, staff are required to inform the DPO of:

  • any proposed new uses of personal data;
  • changes to the current uses of data;
  • holding personal data about a new class of data subject;
  • holding a new class of data;
  • disclosing data to a new class of recipient; or
  • using a ‘processor’ to process the data on behalf of the BBA.

Disposal of Computer Equipment

All computer equipment and accessories which are disposed of are wiped clean of any data by the IT department.

Sending data outside the EEA

Before transferring personal data to countries outside of the EEA (including verbal disclosure by telephone, or disclosure over the Internet), the data subject’s agreement must be sought.

Related Links

Information Commissioner’s Webpage