All personal data has to be managed in accordance with the principles of the Data Protection Act 1998. It is the policy of Lara Nichols to comply with the Act and this policy is a guide for all employees.
This policy and guide must be read in conjunction with any Confidentiality Policy contained within this handbook.
What is personal data?
Personal data is information that relates to an identifiable living person. It does not need to be ‘confidential’ or ‘private’ to be deemed personal data. A note describing when access can be gained to a named individual’s premises is ‘personal data’ as is an ex-directory telephone number. In practice, most information held about an individual with the person as the focus (past or present), and which is biographical, is ‘personal data’. This applies to information on fellow workers and individual customers.
Sensitive personal data
Some data is especially sensitive and this includes physical and mental health, disabilities, racial or ethnic origin and religious belief. Where you are aware of such information it must not be disclosed, or even recorded, without the explicit permission of the person concerned (there are a few very specific exceptions).
What are my responsibilities?
You must not, except in the proper course of your duties either during your employment or thereafter, use, communicate, or disclose directly or indirectly to any person or organisation, personal data that you come into contact with during the course of your work. You must use your best endeavours to prevent any unauthorised communications or disclosures. In particular, you must:
- be sure all personal data has been fairly and lawfully obtained and is so used. Do not, for example, keep information on the political beliefs of customers
- use data only for the purposes specified by Lara Nichols
- make sure that whatever personal data you keep on behalf of Lara Nichols is adequate, relevant and not excessive in relation to that purpose or purposes
- keep such data accurate and up to date
- not keep such data longer than necessary for the purpose in question
- respect the rights of individuals in using the data (the right to privacy, for example)
- keep such data secure and not remove it from the company premises without written permission. You are required to return on request any information that is held at your home, for example. Having returned such information then you must delete it from your own data store(s)
- consult the Managing Director before transferring such data outside the European Economic Area unless in line with explicit instructions authorised by the Managing Director.
In areas of uncertainty contact the Finance Manager in the first instance. Casual ‘gossip’ about customers, for example, is a breach of this policy and is a disciplinary offence. Any serious breach, such as discussing customers’ health problems with other customers, may be regarded as gross misconduct.
No employee may give a reference on behalf of Lara Nichols without the explicit authority of the Managing Director. An unauthorised reference is a disciplinary offence and if it exposes Lara Nichols to a claim for damages it will be regarded as gross misconduct.