The Kennedy Trust for Rheumatology Research (the `Trust’) collects and uses information about people with whom it works. This includes current, past and future employees and Trustees, as well as grant applicants, reviewers and those employed on Trust grants.
This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, on a computer, or recorded on other material – and there are safeguards to ensure this in the Data Protection Act 1998.
The Trust is registered with the Information Commissioner’s Office and is listed on the Data Protection Register.
The Trust regards the lawful and correct treatment of personal information as very important to its successful operation and to maintaining confidence between the Trust and those with whom it deals. To this end the Trust fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.
The purpose of this policy is to ensure that the staff and Trustees of the Trust are clear about the purpose and principles of Data Protection and to ensure that the Trust has guidelines and procedures in place which are consistently followed.
Failure to adhere to the Data Protection Act 1998 is unlawful and could result in legal action being taken against the Trust, its staff or Trustees.
B. THE PRINCIPLES OF DATA PROTECTION
The Data Protection Act 1998 regulates the processing of information relating to living and identifiable individuals (data subjects). This includes the obtaining, holding, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
Data users must comply with the data protection principles of good practice which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable and require that personal information
- shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met
- shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed
- shall be accurate and where necessary, kept up to date
- shall not be kept for longer than is necessary for that purpose or those purposes
- shall be processed in accordance with the rights of data subjects under the Act
- shall be kept secure – that is, protected by an appropriate degree of security
- shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
The principles apply to “personal data” which is information held on computer or in manual filing systems from which individuals are identifiable. The Trust’s employees and Trustees who process or use any personal information in the course of their duties will ensure that these principles are followed at all times.
C. HANDLING OF PERSONAL/SENSITIVE INFORMATION
The Trust will, through appropriate management and the use of strict criteria and controls:
- observe fully conditions regarding the fair collection and use of personal information
- meet its legal obligations to specify the purpose for which information is used
- collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- ensure the quality of information used
- apply strict checks to determine the length of time information is held
- ensure that information is accurate and, where necessary, kept up to date
- ensure that information is not kept for longer than is necessary for that purpose or those purposes ensu
- re that information is processed in accordance with the rights of data subjects under the Act
- ensure that information is kept secure i.e. protected by an appropriate degree of security
In addition, the Trust will ensure that:
- everyone managing and handling personal information understands that they are responsible for following good data protection practice
- methods of handling personal information are regularly assessed and evaluated
All employees and Trustees are to be made fully aware of this policy and of their duties and responsibilities under the Act and that they must take steps to ensure that personal data are kept secure at all times against unauthorised or unlawful loss or disclosure. In particular, they will ensure that:
- paper files and other records or documents containing personal data are kept in a secure environment
- personal data held on computers and computer systems are protected by the use of secure passwords, which where possible have forced changes periodically
- individual passwords should be such that they are not easily compromised
The procedures for ensuring the Trust meets its responsibilities in terms of Data Protection are set out in the Annex to this Policy. The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification on an annual basis. Failure to do so is a criminal offence.
PROCEDURES FOR IMPLEMENTATION OF DATA PROTECTION POLICY
The following procedures have been developed in order to ensure the Trust meets its responsibilities in terms of Data Protection. For the purposes of these procedures data collected, stored and used by the Trust falls into two broad categories:
1. INTERNAL DATA records on staff and Trustees
2. EXTERNAL DATA records on grant applicants, reviewers and those employed on grants
The Trust as a body is a Data Controller under the Act, and the Trustees are ultimately responsible for the implementation of the Trust’s policy.
INTERNAL DATA RECORDS
The Trust obtains personal data (such as names, addresses, phone numbers, email addresses), application forms, references and other documents from staff and Trustees. These data are stored and processed for the following purposes:
• To distribute relevant organisational material e.g. meeting papers
• The payment of expenses and the distribution of royalty income
The contact details of staff and Trustees will only made available to other staff and Trustees and will not be passed on to anyone outside the Trust without their explicit consent.
Staff and Trustees will be supplied with a copy of their personal data held by the Trust if a request is made.
The Trust will take reasonable steps to keep personal data up to date and accurate.
Personal data will be stored for 6 years after an employee or Trustee has worked for the Trust and brief details for longer. Unless the Trust is specifically asked by an individual to destroy their details it will normally keep them on file for future reference. The Data Protection Officer has responsibility for destroying personnel files.
Personal data shall be kept in paper-based systems and on a password-protected computer system. Every effort will be made to ensure that paper-based data are stored in organised and secure systems.
USE OF PHOTOGRAPHS
Where practicable, the Trust will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the Trust will remove any photograph if a complaint is received. This policy also applies to photographs published on the Trust’s website.
EXTERNAL DATA RECORDS
The Trust obtains personal data (such as names, addresses, phone numbers, CVs and salary information) from grant applicants and reviewers. The Trust will use information provided on grant applications for the processing of the proposal, the award of any consequential grant, and for the payment, maintenance and review of the grant.
Individuals will be made aware of when their details are being collected by the Trust and their verbal or written consent will be requested. Personal data will not be passed on to anyone outside the Trust without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation. Contact details held on the Trust’s systems will not be made available to groups/ individuals outside of the Trust without prior agreement with the organisation/individual involved.
Only the Trust staff and Trustees will normally have access to personal data.
All staff and Trustees will be made aware of the Trust’s Data Protection Policy and of their obligation not to disclose personal data to anyone who is not supposed to have it. Information supplied will be kept in a secure filing, paper or electronic system. Information will not be passed on to anyone outside the Trust without the explicit consent of the data subject, excluding statutory bodies such the Inland Revenue.
The Trust will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for as long as the data owner has business with the Trust and normally longer. Where an individual ceases to have business with the Trust and it is not deemed appropriate to keep their records, their records will be destroyed. However, unless specifically asked by an individual to destroy their details, the Trust will normally keep them on file for future reference.
RETENTION OF DATA
No documents will be stored for longer than is necessary. All documents containing personal data will be disposed of securely in accordance with Data Protection principles.