Caple Banks processes information as an essential part of its business function. This includes confidential information about businesses and individuals. Information is a valuable asset and business continuity is dependent on its integrity and continued availability. Therefore, these procedures are in place to protect the information under our control from unauthorised use, disclosure or destruction, either accidental or deliberate.
Caple Banks will comply with all legislative and regulatory requirements in this respect and this policy and procedure will be monitored and updated as required. The information within this policy and procedure is important and applies to the entire workforce at Caple Banks Ltd. Failure to comply with the legislation and company policies may result in disciplinary action.
The primary purpose of data protection legislation is to protect individuals against possible misuse of information held about them by others. It is the policy of Caple Banks to ensure that all members of staff are aware of the requirements for data protection legislation and their individual responsibilities in this connection.
The Data Protection Act 1998 is all about your “personal data”, which means any information relating to “living individuals”. This can be as little as a name and address. This personal data may be information held on a computer or in structured manual files. The Act also refers to “sensitive personal data”, which means information relating to a person’s racial or ethnic origins; political beliefs; religious or other beliefs; trade union membership; physical or mental health; sexual life; criminal allegations or criminal proceedings or convictions.
Caple Banks holds and processes information about its employees, customers, suppliers and other living individuals.
3. Data Protection Officer
The Caple Banks Data Protection Officer is Kevin Caple. All queries about Caple Banks’ Data Protection policy, procedure and all information requests, i.e. requesting access to personal data, should be addressed to the Data Protection Officer.
4. Notification to the Information Commissioner
Due to the Data Protection Act 1998, Caple Banks holds an obligation, as a Data Controller, to notify and inform the current Information Commissioner (formerly Data Protection Commissioner) of the purposes for which it is processing personal data and information.
Individual data subjects can obtain full details of Caple Banks' data protection registration/notification no. Z2449901 with the Information Commissioner from the Information Commissioner's website http://www.ico.gov.uk.
5. Legal Obligations
Caple Banks is obliged to abide by the data protection principles embodied in the Act of 1998.
These principles require that personal data shall:
- be processed fairly and lawfully;
- be held only for specified purposes and not used or disclosed in any way incompatible with those purposes;
- be adequate, relevant and not excessive;
- be accurate and kept up-to-date;
- not be kept for longer than necessary for the particular purpose;
- be processed in accordance with data subject's rights;
- be kept secure;
- not be transferred outside the European Economic Area unless the recipient country ensures an adequate level of protection.
6. Processed fairly and lawfully
‘Processing’ of data will, in practical terms, mean anything you do with the data, including obtaining the information, accessing it, updating it, printing it, disclosing it etc. All these things must be done ‘fairly and lawfully’.
To comply with this principle, whenever Caple Banks collects information about people, those people should be made aware that it is Caple Banks they are giving their information to and be told what Caple Banks intends to do with that information if not obvious. People should not be misled about this. This rule applies to all methods of data collection, whether data is collected on-line, in writing or via the telephone.
Additionally, a condition for processing must be satisfied. See conditions at Appendix 1.
In the case of sensitive personal data, a further condition must also be met. See additional conditions at Appendix 2.
7. Held only for specified purposes
The register entry identifies the purposes for which data is held and processed by Caple Banks. If you wish to use data for any additional purpose(s) then you must consult the Data Protection Officer before doing so. In particular, no member of staff may, without the prior authorisation of the Data Protection Officer:
- develop a new computer system for processing personal data;
- use an existing computer system to process personal data for a new purpose;
- create a new manual filing system containing personal data;
- use an existing manual filing system containing personal data for a new purpose.
8. Adequate, relevant and not excessive
Collect and process appropriate information, only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Do not process excessive and irrelevant information provided by customers.
9. Accurate and kept up-to-date
Ensure the quality of information used. Errors in recording information can subsequently cause problems for the Council and individuals alike.
10. Not kept longer than necessary
Personal data shall be held for no longer than is necessary. In most cases data is held in accordance with the requirements of the Financial Conduct Authority to maintain a suitable audit trail for the safeguarding of the client’s best interest.
11. Processed in accordance with an individual's rights
The Act provides individuals with rights in connection with the personal data held about them.
The following 8 points explain the client’s rights in greater detail.
The right to be informed encompasses our firm’s obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
You have the right to receive a copy of your personal information that we hold about you, subject to certain exemptions.
You have the right to ask us to correct personal information that we hold about you where it is incorrect or incomplete.
You have the right to ask that your personal information be deleted in certain circumstances subject to there being no other compelling reason to continue processing.
You have the right to suspend the use of your personal data where you believe your data to be incorrect and/or should you believe our firm has no lawful basis of processing your information.
You have the right to obtain your personal information in a structured commonly used format in order for that information to be passed to a third party of your choice, where it is technically feasible.
You have the right to object to your personal information being used where you believe Caple Banks does not have appropriate justification to process your information.
Safeguards are in place to ensure that you are not at risk when processing your data without human intervention.
Most significantly, it provides the right of access to that data. It also provides the right to seek compensation through the courts for damage and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data.
12. Subject Access Requests
Any person has the right of access to any personal data Caple Banks holds about them, either hard copy or soft copy. To exercise this right, they should put their request in writing to the Data Protection Officer. There is no charge for this request; however, a ‘reasonable fee’ may be payable should the data requests be deemed excessive.
Caple Banks is obliged to respond to such requests within one month of receipt of the request and the appropriate fee. Therefore, it is essential that such a request is recognised by all members of staff and is passed expeditiously to the Data Protection Officer to deal with.
The Data Protection Officer will record all such requests and ask all departmental heads to search their computer and manual files for data concerning the applicant. Altering or deleting information AFTER such a request has been made AND in order to prevent disclosure of the information is a criminal offence. However, this does not prevent any change to the data which would be made in the normal course of business.
13. Kept secure
In relation to security, the Data Controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data and set out specific considerations for ensuring security.
Caple Banks adopts a risk-based approach in assessing and understanding the risks, and uses physical, technical and procedural means to achieve appropriate security measures. We take into account technological developments and associated costs to achieve a level of security appropriate to the nature of our information and the harm which may result from its loss or disclosure. Members of staff will keep confidential that information which is provided to Caple Banks to conduct its business and may only disclose it when authorised to do so. Caple Banks provides training to staff to enable them to understand and carry out their responsibilities in respect of security.
Members of staff are responsible for ensuring that:
- all personal data is kept secure by using, preserving and not sharing, secure passwords, logging off when not at one’s workstation, locking data in filing cabinets or drawers, ensuring desks are clear when leaving the office and locking doors.
- data is not removed from the office on any laptop or disk or memory stick which is not encrypted.
- all documents containing personal data or other confidential information are shredded when no longer needed.
- personal data is not disclosed orally, in writing or by any other means to any unauthorised third party, and that every reasonable effort will be made to ensure that data is not disclosed accidentally.
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the Data Protection Officer.
Caple Banks is responsible for ensuring computer hardware is securely disposed of, in such a way that personal and/or confidential data is impossible to retrieve from it.
Those persons and organisations who process personal data on behalf of Caple Banks (but who are not employees of Caple Banks) are classed as ‘data processors’ by the Act. There is a legal obligation for Caple Banks to have a written contract with them in relation to the security of the data whilst in their custody. Such contracts are arranged, monitored and maintained by the Data Protection Officer, who is also responsible for ensuring the security procedures are inspected.
14. Not transferred outside the European Economic Area
Caple Banks does not currently transfer any data outside the EEA.
15. Responsibilities of individual members of staff
A failure to comply with the provisions of the Act may render Caple Banks, and/or in certain circumstances, the individuals involved, liable to prosecution. This could also give rise to civil liabilities, enforcement action by the Information Commissioner and loss of reputation.
In particular, personal data held by Caple Banks will not be accessed, by any person, for any personal reason or for other than a Caple Banks business purpose. Such conduct constitutes a criminal offence.
All staff who record and/or process personal data in any form are encouraged to familiarise themselves with the general aspects of data protection contained in this policy and procedure.
Any breach of this policy may result in disciplinary proceedings.