Policy Title: Data Protection Policy
Status & Version No.: In force v1.0
If in force, date from: 11/10/06
Approved by and date: Management Forum 11/10/06
Author: Jacquie Wakeford
Contact for additional guidance: Jacquie Wakeford, Martin Sissons, Ian Hunt
Next Review Date: October 2008

SCOPE

Action for Blind People (‘Action’) recognises its legal obligation to comply with the 1998 Data Protection Act and is registered as a data controller under the Act (references Z5069961 and Z5739244). Action has adopted this Data Protection Policy to establish good data protection practices and to reflect its desire to protect the privacy of individuals on whom it holds personal information.

RESPONSIBILITY

All staff at Action are responsible for complying with the 1998 Data Protection Act. Managers are responsible for supervising their staff and overseeing compliance with the Act. Action’s Data Protection Officers are responsible for Action’s data protection strategy and advice on best practice.

POLICY

Action needs to collect and use certain types of information about people with whom it deals in order to operate. These include clients and their families, current, past and prospective employees, suppliers, volunteers and others with whom it communicates. This personal information must be dealt with properly however it is collected and used – whether on paper, in a computer, or recorded on other material.

Action regards the lawful and correct treatment of personal information as very important to successful operations and to maintaining the confidence of those with whom it deals. Action has data protection policies and procedures in place to ensure that its staff treat personal information lawfully and correctly. To this end Action fully endorses and adheres to the Principles of data protection, as defined in the 1998 Data Protection Act.
Action has taken steps to ensure that its employees who manage and handle personal information are appropriately trained to do so and supervised. Action regularly reviews and audits its data handling processes and procedures for data protection compliance.

PRINCIPLES & PROCEDURES

The 1998 Data Protection Act sets out eight data protection principles. Action is committed to complying with these principles and all other aspects of the Act and in particular will seek to ensure that all personal data held by it is:

(i) processed fairly and lawfully
• wherever necessary and appropriate we will seek individuals’ consent to our processing of their personal data

(ii) obtained for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
• we will seek to ensure that individuals whose data we hold know what we intend to do with their personal information
• we will update and renew our notification with the Information Commissioner’s Office as appropriate

(iii) adequate, relevant and not excessive in relation to the purposes for which it is held
• we will only store and use individuals’ personal data for our reasonable and legitimate activities

(iv) accurate and up to date
• we will always try to ensure the quality of our information
• we welcome and encourage individuals to inform us if they believe any of our information is inaccurate so that we can update our records accordingly

(v) not kept for longer than necessary for the purposes for which it is held
• we will operate a retention policy to ensure that old or surplus personal data is removed from our records after a reasonable time

(vi) processed in accordance with the rights of the individual concerned
• we will seek to comply with individual requests and notices
• we will provide data subject access to personal information in accordance with the Act
• we will prevent processing in certain circumstances, if requested
• we will correct, rectify, block or erase information which is regarded as wrong information, when notified

(vii) kept securely to avoid accidental loss, destruction or damage to personal data
• we will operate appropriate organisational and technical security arrangements in relation to all personal data we hold

(viii) not transferred out of the European Economic Area (“EEA”) without appropriate safeguards
• we recognise that personal data needs to be treated with particular care in countries which do not have reciprocal data protection laws
• we will not transfer personal data outside the EEA without the individual’s consent or suitable safeguards

Please contact Action’s data protection officers on 0207 635 4800 if you have any questions or comments in respect of this Data Protection Policy.