Data Protection Policy
Introduction
This document outlines the Museum Trust’s position and responsibilities under the Data Protection Act 1998 and its policy for compliance.
This Act came into force in 1999. It aims to promote high standards in the handling of personal information and to protect the individual’s right to privacy, as well as the right of access to his/her own records. It applies to computerised personal information and to written documents. All organisations using personal data must comply with the data protection principles and some also have to register that they use personal information.
Registration
The Act lays down rules for the provision of a public register of certain organisations. This register is maintained by the Information Commissioner’s Office and the Museum has registered with the Information Commissioner’s Office.
The Eight Principles we are legally obliged to observe:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data Obligations
We will comply with all our obligations. We shall:
- Process only as much information as we need for specific and lawful purposes and, if necessary, apply extra restrictions on the use of particularly sensitive data
- Ensure that individuals whose records we hold are fully informed of what we hold and what we intend to do with their information
- Ensure that the information we hold will be accurate and up to date. We should be able to prove that we have taken reasonable steps to meet this requirement and are prepared to investigate and act on any complaints received.
- Ensure that this applies equally to data filed electronically and in document form.
- Apply all the rules above to data which is collected when interviewing potential trustees, employees and volunteers.
- Make it clear that all have a right to see what is recorded about them
Data held
- Under company law we are obliged to maintain
- A list of members of the Company (Trust), including names and addresses. A copy of the list is available for scrutiny at 14 Bailiffgate, Alnwick and copies provided, on request, to members of the public, on payment of a charge.
- The museum also maintains records of employees, volunteers and donors.
- The information about employees includes that which was recorded on application forms and may include the following
- Name, home address, telephone and email contact details;
- Marital status
- Bank account details;
- Tax code;
- Next of kin and / or contact details in the event of an emergency;
- CRB
- Copies of references obtained or written about the employee
- Details of qualifications or skills;
- Details of trade union membership/activities;
- Terms and conditions of employment;
- Grievances and disciplinary matters;
- Appraisal forms;
- Holiday records;
- Accident records;
- Self-certification sickness forms and doctors’ sick notes;
- Medical reports;
- Documentation relating to or authorising deductions from pay;
- Consent forms.
- The information about volunteers includes that which was recorded on the Volunteer Application forms.
It may also hold
- Attendance record as a volunteer
- CRB, if required
- Copies of any references obtained or of any references written about the volunteer
- Accident records
- Complaints and disciplinary matters
- Records of any personal development meetings
- Consent forms
In all of these cases there are no legal obligations to disclose information, except for the individual record of the person concerned, or for the purposes of administering employee pay and complying with any statutory employment requirements.
- The museum will maintain information about donors which relates purely to specific donations. In this case there is no legal obligation to disclose information, except for the individual record of the person or organisation concerned.
- The museum also maintains a list of email addresses and addresses of members of the public for the sole purpose of marketing events at the museum. In this case there is no legal obligation to disclose information, except for the individual record of the person concerned.
Procedures
- All hard copies of personal information held by the museum must be held at its registered office and be kept in a locked cabinet in the museum office, both of which can only be accessed by named keyholders.
- All data held on a computer must be protected by a password which is known only by specified users, agreed by the trustees.
- A record must be maintained by the Museum Coordinator of a copy of any lists in use outside the office for essential work at home (e.g. arranging the volunteer rota)
- Any changes to data stored should be incorporated immediately by the Museum Coordinator and arrangements should be put in place to review all information annually to ensure that it is correct.
- All email communications will use ‘bcc’ to ensure data protection, unless individuals have agreed to have their email address identified
- The accountants (Greaves Grindle) must be informed immediately of changes affecting the list of trustees.
- All electronic or written requests for personal information will make our policy clear to users
- All members of the trust, staff and volunteers must be advised of these procedures and requested to comply with its obligations.
Statement of Policy
It is the Trust’s policy to comply with all the above requirements and procedures. Further, it is the Trust’s policy not to disclose personal information unless legally required to do so.
Date agreed June 2012
Review date 2014
Signed Chair of Trustees