Appendix 5: Sample data protection policies

The National Portrait Gallery Data Protection Policy

1 Introduction

The National Portrait Gallery needs to keep certain personal data, for example about staff, visitors, sitters and artists, in order to fulfil its purpose. Under the provisions of the Data Protection Act 1998, which came into force on 1 March 2000, the Gallery has a legal duty to ensure that this personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully. The purpose of the Act is ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’ and in doing so it also provides data subjects (i.e. individuals about whom personal information is processed) increased protection through express new rights. The policy can be found on the staff network at xxxxxxxxxx

2 Scope

The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the Data Protection Act and its associated Codes of Practice, and to inform members of the public how the Gallery complies with the legislation. It is also to minimise the risk of the Gallery breaching the Act, thereby potentially damaging valued relationships with staff, customers and other audiences, as well as its reputation.

This policy covers all personal data held in electronic format or in relevant manual filing systems that is processed by the National Portrait Gallery. (For definitions: see below.)

It applies to all individuals working for the National Portrait Gallery in whatever role. This includes permanent and contracted Gallery staff, as well as temporary employees, volunteers, interns etc.

3 Definitions

Under the terms of the Act:

• Personal data means information about a living person who can be identified from that information.

• Data subject means the individual about whom the personal data is held.

• Processing means obtaining, holding, organising, retrieving, altering etc.; in fact, virtually any activity concerned with the data.

• Electronic format means data held as Word documents, e-mails, in databases etc.

• Relevant manual filing systems means a filing system in which information about individuals is readily available. For example: files ordered alphabetically by name (exhibition lenders files; staff files; icon notes); or by which there is another point of access (reference number system etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals.

4 Legal basis

The Data Protection Act 1998.

5 Statement of principles

The National Portrait Gallery is committed to the eight Data Protection Principles contained in the Data Protection Act 1998. These represent the minimum standards of practice for any organisation with respect to personal data and state that it must be:

1. processed fairly and lawfully;

2. obtained only for the purposes specified and shall only be processed for those purposes;

3. adequate, relevant and not excessive for the purpose for which they are processed;

4. accurate and kept up to date;

5. kept for no longer than is necessary;

6. processed in accordance with the rights of data subjects under the 1998 Data Protection Act;

7. protected against unauthorised processing of personal data and against accidental loss or destruction of personal data;

8. not transferred outside the European Economic Area without adequate protection.

Rights of data subjects

• Any individual data subject, including staff, has the right to ask what information the National Portrait Gallery holds about them and why this is being held.

• If any such information is held, an individual data subject also has the right, on request:

a) to see any personal data that is being kept about them on computer, and also to have access to paper based data held in relevant manual filing systems

b) to be informed as to how to get the information updated or amended

c) to be informed as to any regular or possible recipients of the information.

• Any person who wishes to exercise this right should make the request in writing to the Data Protection Officer. If an access request is received by any other members of staff it should be forwarded to the Data Protection Officer.

• The National Portrait Gallery will comply with requests for access to personal information as quickly as possible. In compliance with the law, this will always be within 40 calendar days of receipt of a request.

• As well as the right of subject access, individual data subjects have the right to object to direct marketing, including marketing of the National Portrait Gallery’s products and services. Where an individual decides to exercise this right, this fact should be accurately recorded.

• As well as a right of subject access, individual data subjects may, in certain circumstances, have other rights under the Act, including the right to have inaccurate information corrected. The Data Protection Officer should be informed if a request to exercise this right is received.

6 Responsibilities

• The Board of Trustees of the National Portrait Gallery is the Data Controller – the Data Controller is the legal entity who must comply with the Act and ensure that its provisions are upheld in all processing across the Gallery.

• The Head of Administration is the Gallery’s Data Protection Officer. The Data Protection Officer is accountable and responsible for overseeing all Data Protection activities and promoting compliance throughout the Gallery. Under the terms of the Act, the National Portrait Gallery is obliged to prepare an annual notification to the Information Commissioner providing details of the types of data it processes and for what purpose. The Data Protection Officer is the individual responsible for ensuring that the Gallery’s entry is complete and up to date (assistance will be provided by the Records Manager). The current register entry can be found through the Information Commissioner’s website.

• The Records Manager will act as the first point of contact for Data Protection queries throughout the Gallery; make suggestions for best practice; and identify areas of risk. The Records Manager will work with identified liaison staff and Heads of Department to promote compliance within departments but it is the responsibility of Heads of Department to address any risks identified and to ensure that the provisions of the Act are upheld (see below). The Records Manager has specific responsibility for determining retention periods for records and ensuring that the Gallery’s Register of Records caught by the Act is accurate and up to date.

• Heads of Departments will be accountable for Data Protection compliance in their departments. It is their responsibility to ensure that all processing within their area complies with the Act, in particular that all points of personal data collection include Data Protection statements; that any contracts or agreements with external contractors processing personal data on the Gallery’s behalf (e.g. distribution or mailing services; data converters etc.) include a relevant Data Protection clause; that risks are identified and managed appropriately; that staff receive adequate training; and that legal advice is sought where necessary. Their responsibilities also include following Best Practice documents where applicable, as well as supporting the work of the identified liaison staff in their area.

• Identified liaison staff will be responsible for overseeing the practical application of the Data Protection Act in their department/area. It is their responsibility to communicate basic information about the Act to their department, and to raise any concerns about how the department collects and manages personal data with their Head of Department. They must also ensure that the Records Manager is informed of any changes to data processing in their areas, so that the Gallery’s Register of Records caught by the Act can be amended accordingly. Their role is to provide the first point of contact between the Records Manager and the department and as such they must ensure they have a basic understanding of the Act - this includes attending Data Protection training sessions or liaison group meetings as and when required.

• The Personnel Department, in conjunction with the Records Manager, will ensure that appropriate guidance and training on compliance with the Data Protection Act 1998 is made available to all staff engaged in the processing of personal data.

• All Gallery staff who process personal information in the course of their work will be responsible for ensuring compliance with the legislation and this policy document. The Gallery will ensure that staff are given appropriate training to fulfil this responsibility.

• All external data processors processing personal data on behalf of the National Portrait Gallery (i.e. third parties) are contractually required to comply with the Data Protection Act 1998 and any associated Codes of Practice. Heads of Department are responsible for ensuring that this is upheld (see above).

7 Procedures

The Gallery will organise an annual training session for liaison staff.

Additional best practice procedure will be available on the staff network drive.

A set of model Data Protection statements (approved by the Gallery’s external legal advisers) can be found in Appendix 1.

8 Breach

Breach of data protection legislation is a criminal offence and the National Portrait Gallery will regard wilful or reckless breach of this data protection policy as a disciplinary offence and such breaches will be subject to the Gallery’s disciplinary procedures.

9 Review

This policy will be reviewed every 5 years.

Next review: April 2011.

10 Date of approval

Approved at the 724th meeting of the Trustees on 18/05/2006.

Author: Charlotte Brunskill.

Source: By kind permission of the National Portrait Gallery.

Museum of London Data Protection Policy

1 Introduction

This document sets out the Museum of London’s policy regarding the handling of personal data, as defined by the Data Protection Act 1998. It specifies the framework which the Museum uses to manage compliance with the requirements of the Act. It outlines the steps that are taken to ensure this compliance and identifies the responsibilities of staff at the various levels of the organisation.

2 Scope

This policy applies to all personal data held by the Museum, whether in manual or electronic systems, which provides access to information relating to a specific individual. This includes information in the form of CCTV footage.

The policy applies to the Museum and the Archaeological Services and all references to the Museum include these services.

3 Purpose

• To ensure the security and proper handling of personal data as defined by the Act;

• To uphold the rights of data subjects;

• To ensure the application of the 8 Data Protection Principles (see Appendix 1);

• To ensure that notification to the Information Commissioner is kept up to date, and that it continues to reflect the Museum’s data protection policies and procedures;

• To ensure all staff are aware of the Museum’s obligations under the Act and their role in supporting this;

• To define what personal data the Museum holds and how this will be safeguarded.

4 Definition of terms

4.1 Data Controller – A person or named organisation, who determines the purpose for which and the manner in which any personal data are, or will be, processed. (The Museum of London is the Data Controller for the purposes of notification.)

4.2 Data Subject – An individual about whom personal data is held.

4.3 Notification – The process by which a data controller’s details are added to the register (maintained by the Information Commissioner).

4.4 Personal Data – Information from which a living person can be identified.

4.5 Sensitive Information – Data relating to a person’s:

• racial or ethnic origin

• political opinions

• religious or other beliefs of a similar nature

• trade union membership

• physical or mental health or condition

• sexual life

• offences (including alleged offences)

• criminal proceedings, outcomes and sentence.

5 Responsibilities

5.1 Directorate

The Director will appoint a Data Protection Officer to oversee compliance with the Act.

5.2 Data Protection Officer

The Head of Information Resources (IRS) is the Data Protection Officer for the Museum and is responsible for overseeing compliance with the Act by the following measures:

a) Ensuring that the Museum’s registration with the Information Commissioner is kept up to date

b) Advising Senior Management, departments and staff about Data Protection issues

c) Writing any guidelines, procedures and related documentation for compliance with the Act, including this policy

d) Coordinating the Museum’s response to requests from members of the public and museum staff for access to records relating to them, correction of such data, etc.

e) Investigating any apparent breach of data security and informing the Executive Committee.

5.3 Records Manager

The Records Manager is responsible for the practical implementation of the above compliance measures with the exception of (e), which is the sole responsibility of the Data Protection Officer.

5.4 Managers

Individual managers are responsible for ensuring that their staff comply with this policy and the related procedures. If local procedures are required, managers are to draw up and issue written procedures in consultation with the Data Protection Officer. Managers are also responsible for notifying the Data Protection Officer of any new personal data they (or their staff) intend to collect if it is different from the purposes listed in Appendix 2.

5.5 Employees

Compliance with the Act is a requirement for all employees, and all staff must ensure that they read and then follow the Museum policy (this document) and the procedures and guidelines. Additionally, all staff are responsible for ensuring that any personal information they hold about other people is kept securely and is not disclosed in any form to any unauthorised third party.

5.6 Human Resources

Human Resources, in conjunction with IRS, will ensure that Data Protection training is included as part of induction for new staff and that ongoing training is also available.

6 Policy

6.1 The Museum will comply with the data protection principles as set out in the Act.

6.2 The Museum will monitor compliance with the Data Protection Act by auditing its notification every three years, starting in August 2008. The Museum’s notification will be amended to take account of any changes identified by this audit.

6.3 The Museum will ensure that its procedures relating to the holding, use and disclosure of personal data are in accordance with the notification.

6.4 The Museum will ensure the notification is kept up to date, so that it continues to reflect the Museum’s data protection policies and procedures.

6.5 The Museum observes the rights of data subjects to have access to their personal data held and processed by the Museum (subject to the qualifications provided for in the Act).

6.6 The Museum will ensure all such data is accurate and not processed unnecessarily.

6.7 Written requests for information will receive a response within 40 calendar days. The Museum reserves the right to charge a fee of £10 for fulfilling such requests.

6.8 The Museum will investigate any identified breach of data security and take appropriate action.

6.9 The Museum will take appropriate steps to protect personal data from loss and unauthorised access and will review arrangements regularly.

6.10 Data will be collected and processed only for specified purposes listed in the Notification (Appendix 2) and will only be viewed by those who need to see it.

6.11 Where someone is required to provide personal information to the Museum they will be informed of the reason(s) for its collection, and given the opportunity to agree to its use for other purposes, such as news of future events arranged by the Museum.

7 Guidance on supporting procedures, related policies and the regulatory environment

7.1 This policy is related to the Freedom of Information Policy and Interim Records Management policy.

8 Queries

8.1 If you have any questions about this policy, please contact the Head of Information Resources.

Appendix 1 Principles

The 8 data protection principles set out in the Act require that data be:

• fairly and lawfully processed

• processed for limited purposes

• adequate, relevant and not excessive in relation to the purpose for which it is held

• accurate and up to date

• not kept longer than necessary for the purpose for which it was originally processed

• processed in accordance with the data subjects’ rights

• secure against unauthorised or unlawful processing, loss, destruction or damage

• not transferred to countries outside the European Economic Area without adequate protection.

Appendix 2 Purposes

The Museum holds personal information in central and local computer systems and manual systems. The Museum has identified the ‘purposes’ (reasons why) for which it holds personal data, the sources of this data and the use made of the data.

The purposes are:

• Accounts and finance records

• Administration of membership records

• Advertising, marketing and public relations

• Advertising, marketing and public relations for others (e.g. London Museums Hub)

• Consultancy and advisory services

• Crime prevention and prosecution of offenders

• Education

• Fundraising

• Information and databank administration

• Journalism and media

• Pensions administration

• Records selected as archives, for historic and other research

• Research

• Staff administration and recruitment.

Notes:

Personal information and historical research/collections management

Records which are processed only for historical research purposes and the operation of certain collections management procedures (such as acquisition) may be kept indefinitely and therefore are exempt from the fifth data protection principle.

[Reviewed every three years.]

Source: By kind permission of the Museum of London.
