Skip to main content Skip to navigation

Data protection policy

Contents
Introduction
Key Values
Understanding the terms used in the Act
The Eight Data Protection Principles
Appendix 1
Appendix 2 - The meaning of 'Consent' and 'Fair Processing'
Appendix 3 - Schedules of Conditions
Appendix 4 - Procedure in response to a subject access request
The right to prevent processing

Introduction

The Data Protection Act 1998 came fully into force in 1999 and there has been a period of transitional relief to allow organisations sufficient time to comply with it. Organisations must comply in respect of information held electronically by 24 October 2001 and in respect of manual data by 24 Oct 2007 where the data was held immediately before 24 Oct 1998 and subject to processing. Manual data added on or after 24 October 1998 will generally become subject to the 24 October 2001 deadline.

The provisions of the Act are derived from a EU Directive, that says:

“ Member States (are required) to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data.”

The Act does not impose an unnecessary burden on an organisation providing it builds compliance with the Act into its operating practices in a way that ensures respect for the privacy of its supporters, partners, staff and volunteers.

It should also be noted that the European Court of Human Rights has held that the protection of personal records is fundamental to a person’s right to private life. If an individual cannot access information about her/himself, this can be a breach of Article 8, which protects the right to private and family life.

This document sets out the Multiple Sclerosis Trust’s (MST) Data Protection Policy. On occasions information is included in Appendices for ease of presentation and these form an integral part of the Policy and equal emphasis should be placed on them.

Key Values

The key values underpinning MST’s Data Protection Policy are the same as those in the Act. The MST has a responsibility to act fairly and in particular:

  • individuals should know by whom their information will be used and what for, and
  • their consent is important for its use,
  • individuals should not have any surprises as a result of what is done with their information,
  • an individual’s information should be adequate, relevant and
  • there should be appropriate security in place.

In addition those processing information should consider whether:

  • they have legitimate grounds for the processing that they are intending to do
  • damage or distress could be caused to the individual whose information is being processed.

The Policy applies to all information held by the MST, its employees and volunteers. There should be no extra caches of information held about individuals. All information is to be kept in accordance with this policy.

Understanding the Terms Used in the Act

A brief explanation is included below of the terms ‘data’, ‘processing’ and ‘Data Controller’.

’Data’ means information which is being processed and which consists of a set, or organised information, from which a living individual can be identified. It also includes other information being held on them, such as any expression of opinion about them and also the intentions towards the individual. It includes computer and manual information. Photographs and audio/visual material are ‘data’ and are included in the Act.

This definition is amplified in Appendix 1 which also explains manual data and relevant filing systems.

’Processing’ means almost any action involving data. It includes obtaining, recording, holding, altering, organising, retrieving, disclosing or adapting information. It is a far wider definition than the term used in the 1984 Act and it is difficult to envisage any action to do with data that would not fit the term ‘processing’.

’Data Controller’ is a ‘legal person’ and not necessarily therefore an individual. A staff member is an agent of the Data Controller.

The Eight Data Protection Principles

The MST’s Data Protection Policy follows the eight principles in the Act. These are set out below together with an explanation in some cases.

The First Principle

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

  • At least one of the conditions in Schedule 2 of the Act, (see below) is met and
  • In the case of sensitive personal data, at least one of the conditions in Schedule 3 of the Act (see below) is also met.’

The first two conditions for ‘Schedule 2’ are of particular relevance to the MST and are:

  • that consent for the processing has been given by the individual;
  • the processing is necessary so that a contract involving the individual can happen, or for initial steps to be taken at the request of the individual for them to enter into a contract;

An explanation of 'consent' is included in Appendix 2.

The remaining conditions for Schedule 2 are:

  • the processing will protect the vital interests of the individual, for example if it is a matter of life or death e.g. telling a hospital department the individual’s medical history in an emergency it is permissible;
  • the data user is under a legal obligation;
  • processing is necessary for the administration of justice or to comply with an Act;
  • to comply with any function of government, or of a public nature in the public interest, for example under emergency powers.

If the data is ‘Sensitive’ (see below) at least one of the conditions in Schedule 3 (see Appendix 3) together with at least one of the above Schedule 2 conditions must be met. The first condition in Schedule 3 is ‘explicit’ consent.

Sensitive data includes any of the following:

  • racial/ethnic origin
  • political opinion;
  • religious belief;
  • membership of a trades union;
  • physical or mental health;
  • sexual life;
  • offences – actual or alleged – any sentence or proceedings.

However, non-profit making organisations which are established for political, religious, or trade union purposes can hold sensitive data as long as this relates to their members or individuals who have regular contact with them in connection with their purposes. In addition information on a person’s racial/ethnic origin may also be processed for the purposes of monitoring equal opportunities.

The MST should have a legitimate basis for processing and the question should be asked: “ do I have a legitimate ground for my processing operation?”

Meeting the First Principle is key to avoiding enforcement action.

The meaning of ‘Fair Processing’ is contained in Appendix 2.

The Second Principle

“Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

The MST will explain in writing to an individual the purpose for which their personal data is being obtained.

The Third Principle

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.

The Fourth Principle

“Personal data shall be accurate and, where necessary, kept up to date.”

The MST will take reasonable steps to ensure that information is accurate and up to date. Where an individual informs the MST that something is inaccurate the Trust will update its records and keep a record of the communication with the individual.

As ‘reasonable steps’ have not yet been defined in law the Trust’s policy is to take more steps than it believes the law requires to ensure the accuracy of the data.

The Fifth Principle

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

The Sixth Principle

“Personal data shall be processed in accordance with the rights of data subjects under the Act.”

The MST will always provide information when a data subject asks the Trust to do so in accordance with the guidelines in Appendix 4. In addition the Trust will comply with the right to prevent processing, direct marketing and automated decision making as outlined in Appendix 5.

The Seventh Principle

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The MST will have appropriate security measures in place which take into account:

  • the state of technological development at the time;
  • the cost of implementing the security measures;
  • the nature of the data to be protected;
  • the reliability of staff who have access to the data and;
  • which ensure a level of security appropriate to the harm that might result from a breach of security.

Where the MST uses other organisations to process its data it will only do so where the organisation:

  • can provide sufficient guarantees about the security measures they operate;
  • guarantees to only act on the instructions of the MST;
  • will comply with obligations equivalent to those imposed on the MST by the seventh principle and;
  • will only do so on the basis of a written contract.

In addition the MST will take reasonable steps to ensure that the organisation is continuing to comply with its security measures

The Eighth Principle

“Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA), unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

(The EEA consists of the EU plus Iceland, Norway and Liechtenstein).

Transfers outside the EEA cannot take place without the prior approval of the Company Secretary except in the following circumstances:

  • the data subject has given their consent to the transfer and
  • if the transfer is necessary for the performance of a contract between the data subject and the MST
  • or is part of a preliminary process to entering into a contract with the MST

A transfer may also take place if it is to fulfil a contract between the MST and another legal person e.g. a partner, which is entered into at the request of the data subject or is in their ‘interests’.

In addition a transfer may also take place if it is necessary for legal proceedings, obtaining legal advice, or defending legal rights.

Appendix 1

With Manual data to be covered by the Act there must be a set of information about individuals. A ‘set’ suggests a grouping. For example a set of information may be held on customers, employees, supporters. These may be grouped in a file, by a prefix code or by a sticker within a file. It doesn’t have to be grouped together in a drawer or filing cabinet or maintained centrally by the organisation. It may be held in different departments, or by home -workers such as volunteers. There would have to be a structure to the information, such as age, sickness record, type of job, hobbies etc.

The information must be ‘specific’ to the individual to be covered by the act. To help understand what is specific decide what information is reasonably likely to be utilised during the relationship with the individual concerned. If the information is likely to be used it is ‘specific’ information. It then has to be readily accessible to be covered by the Act.

This means that if the information held on an individual is available to one or more people in the organisation during the day-to-day operation it is ‘accessible’. For example, manual systems that form part of a card index or records are likely to fall within the scope of the Act.

If unsure about whether the information fits the definition in the act of a relevant filing system it is suggested that an evaluation of risk be made. Ask the question: how would assuming that the information isn’t covered by the Act prejudice the individual concerned. Look at what damage or distress would be caused to the individual?

Appendix 2

The meaning of ‘Consent’ and ‘Fair Processing’

Consent

”Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

Key points are:

  • active communication between parties. Non-response such as failure to return or respond to a leaflet is not consent.
  • there must not be duress, nor misleading information given
  • the individual should be able to withdraw their consent at some time in the future. If it is intended to last indefinitely or after the end of a trading relationship the consent must cover this.
  • consent must be appropriate to the circumstances
  • consent must be ‘explicit’ for sensitive personal data, which means it must be completely clear. It should, in the case of sensitive personal data cover the specific detail, the type of data to be processed, the purposes, and any disclosure which may be made.

If the use isn’t reasonably foreseeable data users should provide further information. Tell the data subject what you are going to do with their data. There shouldn’t be any surprises.

Fair Processing

It will be assumed that processing is fair unless there is evidence to the contrary. The way information is obtained is important. Such examples of fairness include no deception, or misleading about what is to be processed and why. If the information is obtained from a person who is authorised or required to supply it under any enactment it is fair.

The identity of the data controller must be made known and the purposes the data is being obtained for. If the data subject is not likely to understand the consequences of the processing then further information should be provided to them.

Appendix 3

Schedule 3 Conditions

In order to hold the information a data controller normally has to:

  • get the individual’s explicit consent,
  • or prove that using the information is necessary. For example: to exercise a right or perform a duty in connection with employment;
  • protect the interests of the individual or another person; where consent cannot be given by the individual or on their behalf or the MSRT cannot reasonably be expected to obtain their consent;
  • the processing:
  • is carried out in the course of its legitimate activities by a body which exists for charitable purposes and which is a non-profit making organisation;
  • has appropriate safeguards for the rights and freedoms of the individual who is the subject of the information;
  • relates to those who have regular contact with it in connection with its purposes;
  • does not involve disclosure of information to a third party without the consent of the individual concerned;
  • necessary for legal proceedings, obtaining legal advice, establishing, exercising or defending legal rights

These are considered to be the key additions to explicit consent and the performance of employment rights and obligations.

Appendix 4

Procedure in Response To a Subject Access Request

From 23 October 2001 the following records are included in the rights of access:

  • Manual records forming part of a relevant filing system;
  • Computer backup data;
  • Computer records processed for payroll and accounts;
  • Computer records for mailing lists.

Existing records would include, for example, an existing database to which new personal details are added. A new database, set up after 24 October 1998, or redesigned so as to substantially alter its structure or function, would be considered to be a new record and would be accessible after 1 March 2000.

A request must be in writing to the data controller. This includes a request by email.

The applicant is entitled to be told if the data controller is processing information about him/her, to be given a full description of all data held, the purposes for which it is being processed, and to whom they may be disclosed. He/she can be given a written copy of the data and an explanation of that information where it cannot be easily understood. If he/she agrees a copy can be emailed to him. He/she can be told where the data controller got the information about him, who else the information may be given to, and ask to have any inaccuracies taken out.

The request should have enough personal details in it to identify the individual, such as name and address, date of birth, appropriate references such as an NI number, an account number etc.

If a third party requests information concerning the individual the data controller should not usually release that information unless the individual expressly consents.

The Data Controller can normally only charge up to £10.00 for supplying a copy of the record. The data controller is under no obligation to start looking for data until the fee is paid.

The request must usually be complied with within 40 days of the receipt of the request. The time starts to run from when the fee is received and/or sufficient information is received.

If the records would disclose information about another individual who has not given permission for it to be released it does not have to be released.

The right to prevent processing

A request to stop processing can be made if the data is likely to cause substantial unwarranted damage or distress unless:

  • Consent to the processing has already been given;
  • it is necessary for the performance of a contract;
  • it is necessary to comply with a legal obligation;
  • it will protect the vital interests of the data subject.

A request must be made in writing, including email, specifying the reasons why it is believed the processing will cause damage or distress. The data controller has 21 days from receiving the notice to make a response. The response must be in writing and should specify whether the data controller regards the request as justified.

If the individual is dissatisfied with the response a court order for compliance can be applied for. The court will have to satisfy itself that the request for compliance is justified.

Direct marketing

The individual can ask the data controller not to process information about him for the purposes of direct marketing. Direct marketing includes any communication, by whatever means, of any advertising or marketing material that is directed to particular individuals. The request should be in writing and no reason needs to be given.

Automated decision making

The individual has the right to prevent significant decisions being taken solely on the results of automatic processing of information about him. Examples of this are psychometric testing to establish the person’s performance at work or reliability of his/her behaviour. The individual has the right to know the logic behind the decisions taken in this way.

The individual can write to the data controller asking that a decision, which significantly affects her/him, not be based on the processing of personal information by automatic means. The data controller has 21 days to provide the response, which must be in writing.

The individual does not have the right to prevent automated decision making if this is in the context of a contract to which he/she is a party, or if such decision making is necessary to comply with a legal obligation.