Data Protection
Data Protection Policy Statement
The Risk Management Authority (“the RMA”) is a data controller in terms of the Data Protection Act 1998 (“DPA”). As a registered data controller, the RMA has a statutory duty to comply with the provisions of the DPA.
The DPA operates in two ways. Firstly, it provides that anyone handling personal information must comply with the eight data protection principles laid down in the DPA. Secondly, it provides individuals with rights in relation to information which relates to them and places duties on data controllers to uphold these rights.
This Policy Statement summarises the key concepts contained in the DPA and the responsibilities of the RMA as a data controller under the DPA. This Policy Statement is applicable to the Chief Executive, the Board Members and members of staff of the RMA. All such persons should comply with this Policy Statement in carrying out their functions for the RMA.
The DPA provides people with a right to know what information is held about them. It also provides the framework for ensuring that personal data are processed properly and in accordance with the principles laid down in the DPA.
Data controller
A data controller is defined in the DPA as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed. However, where a person is processing data only for purposes required by or under an enactment, the person bearing the duty to process the data by that enactment is classified as the data controller.
Personal data
Personal data refers to data which relates to a living individual who can be identified from those data, or from those data and other information in the possession, or likely to come into the possession, of a data controller. This includes any expression of opinion about a living individual and any indication about the data controller’s intentions or any other person’s intentions in relation to that individual.
Some personal data falls within the definition of sensitive personal data in the DPA. Sensitive personal data means personal data consisting of information as to:
- the racial or ethnic origin of an individual;
- an individual’s political opinions, religious beliefs or other beliefs of a similar nature;
- membership of a trade union;
- physical or mental health or condition;
- sexual life; or
- the commission or alleged commission by an individual of any offence, or any proceedings for any offence committed, or alleged to have been committed, by an individual and the disposal of such proceedings or sentence of any court in such proceedings.
Data means:
- information processed, or recorded with the intention that it should be processed, by automated equipment, in response to instructions for that processing;
- information recorded as part of, or with the intention that it should be part of, a relevant filing system;
- information forming part of an accessible record, i.e. which a person has a right to access under other legislation; or
- any other information held in a recorded format by a public authority (i.e. in Scotland, being an authority listed in the Freedom of Information (Scotland) Act 2002).
A ‘relevant filing system’ refers to any set of information relating to individuals to the extent that, although it is not being processed automatically by equipment in accordance with any set of instructions given, the set is nonetheless structured by reference either to individuals or to criteria relating to individuals, and specific information relating to a particular individual is readily accessible.
Data processing
Processing in relation to information or data means obtaining, recording or holding the information or data, or carrying out any operation or set of operations, on the information or data, including:
- organisation, adaptation or alteration of the information or data;
- retrieval, consultation or use of the information or data;
- disclosure of the information or data by transmission, dissemination or otherwise making available; or
- alignment, combination, blocking, erasure or destruction of the information or data.
The Data Protection Principles
The DPA contains eight data protection principles, which are set out below:
- Personal data shall be fairly and lawfully processed, and must not be processed unless certain conditions contained in the DPA are met, namely at least one of the conditions in Schedule 2 to the DPA. In the case of sensitive personal data, one of the conditions in Schedule 3 to the DPA must also be met.
- Personal data shall be obtained only for one or more specified and lawful purpose, and shall not be further processed in any manner which is incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
All persons should be aware that the RMA is a data controller under the DPA, should understand the key provisions of the DPA and the RMA’s responsibilities as a data controller, and should take responsibility for ensuring that their actions are in compliance with the DPA in their handling of personal information. As a data controller, the RMA will be processing sensitive personal data as part of its functions.
Details of the RMA’s registration with the UK Information Commissioner under the DPA are published on the Information Commissioner’s website and are also available from the RMA’s Data Protection Officer.
Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data, taking into account the nature of the data, the state of technological development and the cost of implementing such measures.
There are exemptions from certain of the data protection principles, for example, where disclosures are required by law or made in connection with legal proceedings. Guidance on the application of exemptions in any particular circumstances should be sought from the Data Protection Officer.
Any general queries about the duties of the RMA under the DPA should also be addressed in the first instance to the Data Protection Officer.
Subject access requests
The DPA gives individuals the right to make a request, in writing, for a copy of the personal data which the RMA holds about them. This is known as a ‘subject access request’.
Individuals also have a right to request a description of the information held, what the RMA is using that information for, who the RMA might pass it on to and any information the RMA has about the source of the personal information.
If any person at the RMA receives what appears to be a subject access request, the request should be passed in the first instance to the Data Protection Officer. The RMA has 40 calendar days from the date of receipt to respond to subject access requests under the DPA, so such requests should be date stamped upon receipt and passed on immediately to the Data Protection Officer.
In order to ensure compliance with all the data protection principles, requests for personal data should not be responded to by anyone other than the Data Protection Officer, as steps may need to be taken to verify the identity of the individual requesting the information and to consider which exemptions might apply to the request. This may include requiring documentary evidence to be produced in certain cases.
Where the RMA considers that it wishes to charge the statutory fee to meet the terms of the request, the individual requesting the information should be informed promptly and the 40-day period for response commences upon receipt of the fee.
If the RMA does not hold any personal information about an individual who has made a subject access request, the individual should be told this.
Some information requested by individuals may be exempt from the rights of subjects to access that information. The DPA contains a number of clearly defined exemptions, including personal data processed for the prevention and detection of crime or the apprehension or prosecution of offenders, and information covered by legal professional privilege.
Right to prevent certain processing
Individuals have the right to prevent processing likely to cause unwarranted substantial damage or substantial distress. However, this does not apply to processing in any case where any of the conditions in paragraphs 1 to 4 of Schedule 2 to the DPA is met, which includes processing necessary for compliance with any legal obligation to which the data controller is subject.
Individuals also have the right to prevent processing for the purposes of direct marketing and to prevent any significant decisions being made about them solely on the basis of the automatic processing of personal data.
In respect of these types of processing, individuals are entitled, at any time, by notice in writing to the RMA as data controller, to require the RMA to cease, or not to begin, processing for these purposes or in this manner. Any such requests should be passed upon receipt to the Data Protection Officer, for reply.
Remedies for individuals
Individuals have a right to take action against the RMA for compensation if they suffer damage or distress as a result of any contravention of the DPA by the RMA. In proceedings brought against the RMA for compensation under the DPA, it is a defence for the RMA to prove that it had taken such care as, in all the circumstances, was reasonably required to comply with the requirement concerned.
Individuals also have a right, in some cases, to take action to seek to rectify, block, erase or destroy inaccurate personal data held about them by the RMA, as well as any other personal data about them which contains an expression of opinion which appears to be based on the inaccurate data.
If an individual is or believes himself to be directly affected by any processing of personal data, he may make a request to the UK Information Commissioner for an assessment as to whether it is likely or unlikely that the processing has or is being carried out in compliance with the DPA.
Personal data which is held by the RMA or any employee of the RMA which relates to others should be kept in accordance with an appropriate level of security, taking into account the nature of the information and the harm that might result from unauthorised disclosure.
All personal data should be accessible only to those who need to use it. A judgement should be formed based upon the sensitivity and value of the information in question. Any uncertainty about the sensitivity of data or about who should access it should be addressed in the first instance to the Data Protection Officer.
Personal data should not be retained by the RMA or persons carrying out functions on behalf of the RMA for longer than is required for the purposes for which it was collected.
The protection afforded by the DPA to persons who process personal data as a result of carrying out RMA functions lapses on the person leaving office.
The RMA will assist persons in enabling them to perform their functions and to comply with this Policy Statement.
There are a number of statutory offences created by the DPA. Where an offence under the DPA has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate (or any person who was purporting to act in any such capacity), that person, as well as the body corporate, shall be guilty of that offence and may be prosecuted.
The RMA is a body corporate. The following offences set out in the DPA attract both corporate culpability and individual personal culpability, where the data controller is a body corporate:
- Processing without registration
- Failure to notify the Information Commissioner of changes to the notification register entry
- Processing before expiry of assessable processing time limits or receipt of assessable processing notices within such time
- Failure to comply with written request for particulars
- Failure to comply with an enforcement notice/information notice/special information notice
- Knowingly or recklessly making a false statement in compliance with an information notice or special information notice
- Intentional obstruction of, or failure to give reasonable assistance in, execution of a warrant
- Unlawful selling of personal data
- Enforced subject access
The DPA also creates one offence which attracts individual personal culpability only. This is the offence set out in section 55(1) of the DPA, and relates to the unlawful obtaining, disclosing or procuring of personal data.
Should any individual wish to comment on the way the RMA deals with data protection issues, they should contact the Governance and Communications Administrator.
If an individual wishes to make a complaint about the RMA’s handling of their data or is not satisfied with the RMA’s handling of their request for information, they should be referred in the first instance to the Chief Executive.
Contact details for the Data Protection Officer and the Chief Executive are as follows:
The Risk Management Authority
St James House
25 St James Street
Paisley PA3 2HQ
Tel: 0141 567 3112
Fax: 0141 567 3111
Email: info@rmascotland.gsi.gov.uk
