The Data Protection Act
Our data protection policy sets out Unicorn’s commitment to protecting personal data and how we implement that commitment with regard to the collection and use of personal data.
We are committed to:
- ensuring that we comply with the eight data protection principles, as listed below
- meeting our legal obligations as laid down by the Data Protection Act
- ensuring that data is collected and used fairly and lawfully
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data
- ensuring that data subjects' rights can be appropriately exercised
- providing adequate security measures to protect personal data
- ensuring that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues
- ensuring that all staff are made aware of good practice in data protection
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, internal and external to the organisation, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the organisation.
Data protection principles
Here are the data protection principles:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
- Appropriate technical and organisational measures shall be taken against unauthorised and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Unicorn Training’s Responsibilities under the Act
Here are our responsibilities under the Act:
- For the purposes of client data, Unicorn is the data processor; for Unicorn employees, it is the data controller.
- Unicorn Senior Management, Executive Directors and all those in managerial or supervisory roles are responsible for developing and encouraging good information handling practice within Unicorn.
- Compliance with data protection legislation is the responsibility of all Unicorn staff who process client or employee data.
Unicorn Training’s undertaking in relation to the handling of personal/sensitive information
We will, through appropriate management and the use of strict criteria and controls, ensure that all staff:
- Fully observe the conditions regarding the fair collection and use of personal information;
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Ensure that personal information is not transferred abroad without suitable safeguards; and
- Ensure all queries about handling personal information are promptly and courteously dealt with.
In addition, all Senior Management and Executive Directors will:
- Ensure there is someone with specific responsibility for data protection in the organisation (the Data Protection Officer);
- Ensure everyone managing and handling personal information understands that they’re contractually responsible for following good data protection practice;
- Ensure everyone managing and handling personal information is appropriately trained to do so;
- Ensure everyone managing and handling personal information is appropriately supervised;
- Ensure that anyone wanting to make enquiries about handling personal information, whether a member of staff or a member of the public, knows what to do;
- Ensure methods of handling personal information are regularly assessed and evaluated;
- Ensure that performance with handling personal information is regularly assessed and evaluated;
- Ensure that data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedure;
- Ensure that Unicorn meets its legal obligations to specify the purpose for which information is used;
- Apply strict checks to determine the length of time information is held;
- Take appropriate technical and organisational security measures to safeguard personal information; and
- Ensure that the rights of people about whom the information is held can be fully exercised under the Act.
Notification is the responsibility of our Data Protection Officer. Details of the Associations’ Notifications are published on the Information Commissioner's website. Anyone who is processing, or intends to process, data for purposes not included in the Associations’ Notifications is required to seek advice from the Data Protection Officer.
Data Subject Rights
All data subjects have the following rights regarding data processing, and the data that are recorded about them:
- The right to be informed that processing is being undertaken;
- The right to make subject access requests regarding the nature of information held and to whom it has been disclosed within the statutory 40 days;
- The right to prevent processing likely to cause damage or distress;
- The right to prevent processing for purposes of direct marketing;
- The right to be informed about the mechanics of any automated decision-taking process that will significantly affect them;
- The right not to have significant decisions that will affect them taken solely by automated process;
- The right to sue for compensation if they suffer damage by any contravention of the Act;
- The right to take action to rectify, block, erase or destroy inaccurate data; and
- The right to request the Commissioner to assess whether any provision of the Act has been contravened.
Rights of Access to Data
All individuals held on Unicorn’s databases have the right to access any personal data which is held by Unicorn in electronic format and manual records which form part of a relevant filing system.
Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer (DPO). The Association reserves the right to charge a fee for data subject access requests (currently £10).
Disclosure of Data
Unicorn will ensure that personal data is not disclosed to unauthorised third parties, which may include colleagues, government bodies and other organisations and, in certain circumstances, the police. We advise staff to exercise caution when asked to disclose personal data held on another individual to a third party. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them on to the relevant individual concerned.
This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:
- the individual has given their consent (e.g. an individual has agreed to have their details passed to a third party through completion of the relevant data protection forms);
- where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff - personal information can be disclosed to other Unicorn employees if it’s clear that those members of staff require the information to enable them to perform their jobs);
- where the institution is legally obliged to disclose the data (e.g. ethnic minority and disability monitoring); and
- where disclosure of data is required for the performance of a contract.
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- to safeguard national security*;
- prevention or detection of crime including the apprehension or prosecution of offenders*;
- assessment or collection of tax duty*;
- discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
- to prevent serious harm to a third party; and
- to protect the vital interests of the individual (this refers to life and death situations).
*Requests must be supported by appropriate paperwork.
Right to prevent processing likely to cause damage or distress to the individual
An individual is entitled to require Unicorn to cease (or not to begin) processing of the individual's personal data on the grounds that:
- the processing is causing or likely to cause substantial damage or distress to the individual or to another; and
- the damage or distress is or would be unwarranted.
Unicorn would not be required to comply with a request to cease processing in the circumstances where:
- the data subject has consented to the processing; or
- the processing is necessary for entering into or for the performance of a contract with the data subject; or
- the processing is necessary for compliance with a legal obligation; or
- the processing is necessary to protect the vital interests of the data subject.
Within 21 days of receiving a request to prevent processing, Unicorn must provide the individual with a written notice:
- stating whether Unicorn has complied or intends to comply; or
- stating the reasons for regarding the request to be unjustified and the extent (if any) to which Unicorn has complied or intends to comply.
Complaints by Data Subjects
The Data Protection Officer (DPO) is responsible for responding to a data subject's complaints about the processing of personal data relating to the individual, by Unicorn. A response outlining the actions that will be taken by Unicorn will be made within 21 days of the receipt of a written notice. Staff are required to immediately pass to the DPO any subject access request or complaint received.
New Uses of Personal Data
Before any collection or processing of data commences, staff are required to inform the DPO of:
- any proposed new uses of personal data;
- changes to the current uses of data;
- holding personal data about a new class of data subject;
- holding a new class of data;
- disclosing data to a new class of recipient; and
- using a 'processor' to process the data on behalf of Unicorn Training.
Disposal of Computer Equipment
All computer equipment and accessories which are disposed of are wiped clean of any data by Unicorn’s IT department.
Sending data outside the EEA
Before transferring personal data to countries outside of the EEA (including verbal disclosure by telephone, or disclosure over the Internet), the data subject's agreement must be sought.