Etiquette Training U.K. Data Protection Policy
1. Policy Context
Etiquette Training U.K. is required to obtain, store and process personal information relating to many individuals, notably students, prospective students and staff. Etiquette Training U.K. has a statutory duty to ensure that personal information is processed with due regard to the privacy of the individuals concerned. A high level of privacy and confidentiality is afforded by the Data Protection Act 1998 and other legislation such as the Criminal Records Bureau regulations: by working to comply with this legislation Etiquette Training U.K. is therefore able to ensure that a suitable standard of care is maintained.
This policy has the purpose of:
(i) Ensuring that personal information with which we are entrusted is handled in the best interests of data subjects and in accordance with the Data Protection Act and other similar legislative obligations.
(ii) Specifying the responsibilities of data users, including students as well as staff.
See Appendix C for relevant definitions. Note that the definition of Data User in this policy includes students who may have need to process personal data associated with their studies.
Information which is in the public domain is not covered by this policy (see 6.1.4 below). Specifically, this policy addresses the processing of all personal information relating to living individuals held by Etiquette Training U.K., whether in computerised or manual records, and whether in active or archive form. This will therefore include, but is not limited to, central records, departmental records, and records held by individual members of staff. Email messages and similar communications that contain personal data are also included.
Note that the policy does not address legislative changes to the handling of non-personal information which will arise in relation to the Freedom of Information Act 2000.
The policy will be reviewed annually to ensure consistency with current legislation.
5. The Data Protection Act 1998
The Data Protection Act provides the guiding principles for our Data Protection policy and places some specific obligations upon us. In the first instance Etiquette Training U.K. is obliged to register its need to process personal information with the Government agency responsible for overseeing the implementation of the Act (the Office of the Information Commissioner – previously known as the Data Protection Registrar). The nature of the information registered is as follows.
5.1. Data Controller
In our case the Data Controller, as defined by the Data Protection Act 1998, is Mr B Churchill, Centre Contact, Etiquette Training U.K.
5.2. Notification of uses of personal data
As a Data Controller, Etiquette Training U.K. is required to provide an official notification (or ‘registration’) of its use of personal data to the Information Commissioner. This notification must be reviewed, revised and resubmitted annually to the Information Commissioner by the nominated Institute Data Protection Officer. The notification is publicly accessible in the Information Commissioner’s register on http://www.dataprotection.gov.uk/. The notification lists the types of personal data which are collected by Etiquette Training U.K., the purposes of Etiquette Training U.K. in processing that information and the types of organisation to whom we disclose personal information.
5.3. Data Protection Officer
The Etiquette Training U.K. officer nominated to oversee the operation of the Data Protection Policy is known as the Data Protection Officer. The position of Data Protection Officer is not recognised in the Data Protection Act but is accepted as good practice for organisations implementing Data Protection measures.
6. Maintaining Data Protection
6.1. Preserving the rights of Data Subjects
Anyone whose personal information is processed by Etiquette Training U.K. is entitled to know:
- What information Etiquette Training U.K. holds and processes about them and why;
- How they can gain access to it;
- How they can ensure it is kept up to date;
- What Etiquette Training U.K. is doing to comply with its obligations under the 1998 Act.
In order to preserve these rights, and in order to ensure that processing complies with the Act, Etiquette Training U.K. will observe the following.
6.1.1. Data Protection Principles
As a minimum under this policy, Data Subjects will be given the same rights as those available under the Data Protection Act. In particular, it is our policy to process personal data according to the set of Data Protection Act Principles summarised in Appendix A. This is a comprehensive set of principles which provides a framework within which all processing of personal data must take place: by ensuring that these principles are adopted we can give Data Subjects confidence that their personal data are properly maintained.
6.1.2. Data Subject Access
All individuals about whom Etiquette Training U.K. stores information have a general right of access to copies of that information. There are some exemptions to this right, as identified in Schedule 2 of the Data Protection Act 1998, which may cause us to withhold certain information, and in addition Etiquette Training U.K. may decide that retrieving certain data requires disproportionate effort; however, wherever possible Etiquette Training U.K. will actively support the principle of providing access for Data Subjects to the information held about them. The policy and procedures governing a Data Subject Access Request are described in the document entitled “Data Protection: Data Subject Access Request – Policy and Procedures”. Anyone wishing to obtain copies of the information held about them (i.e. to make a Data Subject Access Request) should contact the Data Protection Officer.
Etiquette Training U.K. will levy the maximum charge permissible under the Data Protection Act for fulfilling a Data Subject Access Request. In making its response to a Data Subject Access Request Etiquette Training U.K. will consider in each case using its right to obtain guidance from the Data Subject to focus the range of information searched, in order to avoid disproportionate effort.
6.1.3. Sharing Personal Data
We will ensure that any third party organisation that processes data on our behalf has adequate Data Protection measures in place and provides us with written guarantees to this effect.
6.1.4. Information in the Public Domain
Information that is in the public domain is not covered by this policy. This mostly involves staff information and would include:
- the personal details of individuals as published in academic or other professional publications by Etiquette Training U.K.;
- the details provided in the staff directory placed on the Internet (name, title, phone number, job title, room number, post point and email address);
- personal information which staff and students have allowed to be published in web pages on the public Institute web site.
Any member of staff or student who has good reason for his or her personal information not to be published in this way must contact the Data Protection Officer.
6.1.5. Keeping information accurate
Etiquette Training U.K. will take steps to ensure that personal data that it processes is correct. Data Subjects are entitled to inform any department regarding information about them which is identified as incorrect. If a Data Subject is not satisfied that certain information has been corrected then the Data Protection Officer should be informed. This also applies to data that is identified as unnecessary and is therefore required to be erased.
6.2. Responsibilities of Staff
The first responsibility of staff is to ensure that the Data Protection Principles are observed. Staff who process personal data will be given training in the application of these principles.
6.2.1. The Data Protection principles (Appendix A)
The implications of applying the Data Protection Principles will be different for each instance of processing. In cases where there is uncertainty or ambiguity regarding the application of the principles then the Data Protection Officer should be consulted. In applying the principles particular care must be given to:
- instances of disclosure of personal data to third parties, an activity which must be considered with extreme care and with full regard to the provisions of the Act;
- the processing of data which are described in the Act as ‘sensitive’ and which require additional safeguards (see Appendix B);
- the maintenance of security to protect against unauthorised and unnecessary access to personal data;
- ensuring that the necessary consent has been obtained from data subjects to process data for a specified purpose;
- the removal of personal data from records that are no longer required.
The penalties resulting from a successful prosecution for failing to observe the principles of the Act include fines of up to £5000 in a magistrate’s court and unlimited fines in the Crown Court. Prosecution can take place not only against Etiquette Training U.K. but also against individuals.
6.2.2. New Processing
Any new processing of personal data must be consistent with Etiquette Training U.K.’s Data Protection Notification (or “Registration”). This means that any manual or computerised system which is developed must be for purposes identified in Etiquette Training U.K.’s entry in the official notification register and must employ data types which are already identified in the notification. If the new processing is not consistent with the existing notification then the Data Protection Officer must be informed in order that Etiquette Training U.K.’s notification can be amended.
6.2.3. Other Policies
In order to comply with the Etiquette Training U.K. Data Protection Policy, staff must ensure that they comply with other policies. This includes:
- Data Protection: Data Disposal – Policy and Procedures
- Data Protection: Data Subject Access Request – Policy and Procedures
- any policies developed regarding records management (retention, organisation etc).
7. Communication, Staff Development and Further Information
In order to operate this policy Etiquette Training U.K. will identify members of staff within all departments who will provide local points of expertise and who will liaise with the Data Protection Officer on behalf of each department. Staff in departments who are responsible for processing personal data will be required to attend staff development sessions and ensure with the local experts that their activities are compliant with the Data Protection Policy.
Further help for staff in applying the Data Protection Policy may be obtained directly from the departmental representative in the first instance and from the Data Protection Officer for more detailed enquiries.
Appendix A: The Data Protection Principles
By following the Data Protection Principles we will be adhering to the main points of data protection law. These principles are summarised as follows.
Information held by Etiquette Training U.K. must:
- be processed fairly and lawfully and shall not be processed unless certain specified conditions are met (e.g. that the Data Subject has given his or her consent to processing).
- be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes.
- be adequate, relevant and not excessive for those purposes.
- be accurate and kept up to date.
- not be kept for longer than is necessary for those purposes.
- be processed in accordance with the Data Subject’s rights under the 1998 Act.
- be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction.
- not be transferred to a country outside the European Economic Area, unless that country or territory has equivalent levels of protection for personal data. (Note that the EEA comprises the following countries: Austria, Belgium, Denmark, Finland, France, Germany, Greece, Holland, Iceland, Ireland, Italy, Liechtenstein, Luxembourg, Norway, Portugal, Spain, Sweden, United Kingdom.)
Appendix B: Sensitive Personal Data
In the Act “sensitive” personal data means personal data consisting of information as to:
- the racial or ethnic origin of the Data Subject,
- his political opinions,
- his religious beliefs or other beliefs of a similar nature,
- whether he is a member of a trade union,
- his physical or mental health or condition,
- his sexual life,
- the commission or alleged commission by him of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Appendix C: Definitions
Terms used in the Data Protection Act 1998 are identified as (DPA) although the wording used is our own.
Data Processing (DPA)
“Processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- organisation, adaptation or alteration of the information or data,
- retrieval, consultation or use of the information or data,
- disclosure of the information or data by transmission, dissemination or otherwise making available, or
- alignment, combination, blocking, erasure or destruction of the information or data.
Data Subject (DPA)
Any identifiable living individual about whom we are processing information.
Data Controller (DPA)
The legal entity undertaking processing of personal data (in this case the North East Wales Institute of Higher Education).
Data Protection Notification (aka Registration) (DPA)
A formal registration of Etiquette Training U.K.’s uses of personal data with the Information Commissioner. Access to the register is provided through http://www.dataprotection.gov.uk/. Registration is now technically known as Notification.
Data User (DPA)
Any member of staff or student of Etiquette Training U.K. who processes personal data in any form.
- The need for Data Protection policies.
- The principles embodied in the Data Protection Act 1998.
- The obligations on staff of Etiquette Training U.K. to observe the Data Protection policy.
- Special provisions and common questions relating to HE:
  - Examination results
  - Parental requests for information
  - Person references
  - Sensitive data
  - Automatic processing
  - Requests from authorities such as the Police or Magistrates including the use of Section 29(3) disclosure procedure.
The Data Protection Act is accessible on: http://www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm
The web site for the Office of the Information Commissioner is at: