INTRODUCTION
Jordan & Co International Ltd has to hold and use certain information on living individuals to carry out its work and also to carry out various administrative functions both statutory and work related. The holding of this personal data, whether held on computers, paper or other media, is governed by the Data Protection Act 1998. Air Business endorses and complies with the eight principles of the Act.
Data Protection Principles are the eight principles laid down in the Data Protection Act 1998 and it is required that personal data shall be:
a) Fairly and lawfully processed
b) Processed for limited purposes
c) Adequate, relevant and not excessive
d) Accurate and up to date
e) Not kept for longer than is necessary
f) Processed in line with your rights
g) Secure
h) Not transferred to other countries without adequate protection
Policy
The company will observe the eight Data Protection Principles and expect all those who work for it either as staff or suppliers to observe these principles in obtaining, handling, processing, transporting and storage of personal data.
The company will produce and maintain a data protection manual for staff incorporating instructions and guidance to ensure that they can comply with the Act. This manual will be available by the end of March 2008. Any failure to comply with the instructions in the manual will be regarded as a disciplinary issue and any breach of the Data Protection Act, whether deliberate or through negligence may lead to disciplinary action and possibly criminal prosecution.
The company has appointed a Data Protection Officer to ensure that the Data Protection Policy is adhered to. The Data Protection Officer is Andrew Parks, the Director of IT and Data Services.
The Data Protection Officer will carry out an annual audit in the first quarter of the year to ensure that the policy is being complied with. Other ad hoc audits may happen if any breach of the policy is discovered. Any breach of the policy will be reported immediately to the Managing Director for action.
The company will provide training on compliance with the Data Protection Policy to existing staff as soon as the manual is available and to new staff within one month of their joining the company.
The company will ensure that personal data is physically protected against loss or damage whether it is machine readable or on paper or other media.
Staff are responsible for ensuring that any personal data they hold is kept securely. They must also ensure that they do not disclose personal data either orally or in writing to any unauthorised third party. Staff are responsible for checking that any personal data that they provide to the company is up to date and for informing the company of any changes to information that they have provided eg change of address. They are also responsible for checking any information that the company may send out from time to time, giving details of information that is being kept and processed. If, as part of their job, staff collect information about other people then they must comply with the Data Protection Policy and also follow the Data Protection Manual.
Staff and others, on whom the company keep’s personal data, have the right to make a subject access request. This allows them to ascertain what personal data the company holds and also what is done with it. Anyone wishing to exercise this right must make an application to the Data Protection Officer in writing.
The company may charge the recommended administrative fee on each occasion that access to personal data is requested. The company will normally comply with a request for personal data as quickly as possible or within forty days of receipt of the request.
The person making the request must give/show the company proof that they are the subject of the request. The company does not need to comply with a request where it has received identical or similar requests from the same individual more than once within a thirty-day period
This policy is issued under the authority of Adam Sherman, the group Managing Director.