Data Protection

DEFINITIONS

In this document:

  • The term “Organisation” will refer to Roch Valley Radio.
  • The term “Data Controller” will refer to the Organisation in its capacity to record and use personal information.
  • The term “Committee” will refer to the managing committee of Roch Valley Radio.
  • The term “Member” will refer to any full, associate or probationary member of Roch Valley Radio.
  • The term “Data Subject” will refer to any Member or any other identifiable living individual whose personal data is held by the Organisation.

 

THE DATA PROTECTION ACT 1998

The Data Protection Act 1998 works in two ways:

  1. It says that anyone who records and uses personal information (data controllers) must be open about how the information is used and must follow eight principles of good information handling.
  2. It also gives us all as individuals (data subjects) certain rights, including the right to see information that is held about us and to have it corrected if it is wrong.

 

THE PRINCIPLES OF GOOD INFORMATION HANDLING

All data controllers must follow the eight data protection principles. They say that data must be:

  1. Fairly and lawfully processed;
  2. Processed for limited purposes;
  3. Adequate, relevant and not excessive;
  4. Accurate;
  5. Not kept for longer than is necessary;
  6. Processed in line with the data subject’s rights;
  7. Secure;
  8. Not transferred to countries outside the EU without adequate protection.

 

CONFIDENTIALITY

In the interests of confidentiality, the Organisation shall limit the number of Members who may process data.

They shall normally be members of the Committee of the Organisation.

Those individuals who process such data shall be responsible for its security and maintenance.

They must pass this data over to any other named Member or delete or destroy the data forthwith, when required so to do by the Committee.

 

ENFORCEMENT

The Information Commissioner enforces and oversees the Data Protection Act 1998 and the Freedom of Information Act 2000.

The Commissioner maintains a public register of data controllers. Notification is the process by which a data controller’s processing details are added to the register.

Under the Data Protection Act every data controller needs to notify unless they are exempt.

Even if you are exempt from notification you must still comply with the principles.

 

EXEMPTION FROM NOTIFICATION

As a not-for-profit organisation, Roch Valley Radio has no requirement to notify.

The Organisation is exempt, provided all of its processing conforms to the following guidelines:

  1. The processing is only for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it.
  2. The data subjects are restricted to any person the processing of whose personal data is necessary for this exempt purpose.
  3. The data classes are restricted to data which is necessary for this exempt purpose.
  4. Disclosures other than those made with the consent of the data subjects are restricted to those third parties which are necessary for this exempt purpose.
  5. Personal data is not kept after the relationship between the organisation and the data subject ends, unless and for so long as it is necessary to do so for the exempt purpose.

 

THE RIGHT OF SUBJECT ACCESS

Under the Data Protection Act individuals can see the information about themselves that is held on computer and in some paper records. This is known as the right of subject access.

If the Organisation receives a subject access request then the individual must be sent:

  1. A copy of the information held on them;
  2. A description of why this information is processed;
  3. Details of anyone it may be passed to or seen by; and
  4. The logic involved in any automated decisions.

A subject access request must be dealt with within 40 days from the date of receipt. If further details are required from the person making the request to help find the data, or in order to confirm their identity, the 40 days will begin on receipt of this extra information.

A fee of £10 will be levied for responding to such a request and the 40 days will not begin until payment is received. Individuals making a subject access request will be given a copy of the information held about them, both on computer and specific paper records.

They will be furnished with a description of why their information is being processed, anyone it may be passed to, and where the data came from.

The information will be provided in an easy-to-understand format and any codes used must be explained.

 

PROCESSING SENSITIVE DATA

The Organisation shall not process sensitive data including: racial or ethnic origin; political opinions; religious or other beliefs; trade union membership; health; sex life; criminal proceedings or convictions, unless the Organisation:

  1. Has the explicit consent of the individual.
  2. Needs to process the information in order to protect the vital interests of the data subject or another.