Active Support Service Ltd
General Data Protection Regulation Policy No: 60

Introduction and Purpose

· This policy document sets out the principles and practices of Active Support Service in compliance with the General Data Protection Regulation in May 2018.

Policy Context - General Data Protection Regulation in May 2018.
The General Data Protection Regulation in May 2018 regulates the use and processing of personal data held on computer and paper records.

Data protection law applies whenever a data controller processes personal data.

Data protection law exists to strike a balance between the rights of individuals to privacy and the ability of organisations to use data for the purposes of their business.

As a private sector health and social care service provider, Active Support Service processes personal data relating to employees, customers and business contacts in order to fulfil its business requirements.

According to the Act, managers determine the purposes for which, and the manner in which, any personal data are, or are to be, processed.

Managers are obligated by the Act to ensure that the organisation complies with the requirements of the Act.

To comply with the Act, we will ensure the following:

· It has mechanisms in place to ensure its compliance with the eight data protection principles. The eight principles advocate fairness, transparency and openness in the processing of personal information by data controllers.

· The data protection leads are responsible for ensuring staff awareness of the principles and for reviewing compliance across the organisation.

· It has mechanisms in place to ensure that individual rights are upheld.

· Managers are responsible for ensuring staff awareness of individual rights and for reviewing compliance in upholding these rights across the organisation.

Scope and application of the policy
This policy covers all aspects of personal data processed, including:

· Customer information

· Staff information

This policy covers all types of information, including:

· Structured record systems: paper and electronic

· Unstructured information: paper and electronic

· Transmission of information: email, post, telephone

This policy applies to all employees who provide or have access to personal data.

Policy statement
It is policy that the processing of personal data by, or on behalf of, any of its customers shall be in accordance with the requirements of the Data Protection Act 1998.

Data Protection Framework

The management team is ultimately responsible for compliance with the Act, with each manager performing the lead role within their respective area of the business. All senior managers and the administration team are responsible for ensuring that systems and processes within their work areas comply with the requirements of the Act.

Data Protection Assurance

Observe fully the conditions regarding the fair collection and use of information

Meet obligations to specify the purposes for which the information is used

Collect and process appropriate information, and only to the extent that is needed to fulfil operational needs or to comply with any legal requirements

Ensure the quality of information used

Apply strict checks to determine the length of time information is held

Ensure the rights of the people about whom information is held are able to be fully exercised under the Act

Take appropriate technical and organisational security measures to safeguard personal information

Ensure that personal information is not transferred abroad without suitable safeguards

Ensure everyone managing and handling personal information is made aware that they are contractually responsible for following good data protection practice

Ensure everyone managing and handling personal information is appropriately trained to do so

Ensure everyone managing and handling personal information is appropriately supervised

Ensure everyone wanting to make enquiries about handling of information knows what to do

Ensure queries about handling information are promptly and courteously dealt with

Ensure methods of handling personal information are clearly described

Ensure a regular review and audit is made of the way personal information is managed

Ensure methods of handling personal information are regularly assessed and evaluated.

Policy monitoring arrangements
This policy will be monitored and will be subject to a regular review, which will take place within six months from the original date of issue for this policy and at twelve-monthly intervals thereafter.

Data retention schedule
Before any disposal of documents, management must double check legal requirements in case of legal changes.

Documents                                            How Long they are Stored
---------------------------------------------------  ------------------------------------------------------------------------
Business Contract Agreements                         Length of contract + Six (6) Years
Pension                                              Minimum of Six (6) Years
Workplace Injuries                                   Minimum of Three (3) years; the maximum depends on general restrictions
HMRC                                                 Minimum of Six (6) Years
Pre-Employment Checks                                During employment + Three (3) Years
Termination of employment due to health or stress    Three (3) Years
Personnel File                                       Six (6) Years from end of employment