This sample data management policy framework suggests an approach to managing personal data and complying with data protection regulations…
Data Management Policy Framework
This sets out that [organisation] gathers and uses certain information about individuals, lists who those individuals are, and states the purpose of the processing.
For example: [organisation] needs to do this so that it can build better relationships and deeper engagement, giving it a 360° view of everyone connected to the organisation.
The Data Governance Policy should be a practical guide to the use of personal data, describing how the data will be collected, handled and stored in order to comply with the law.
Why this policy exists
This Data Governance Policy ensures the [organisation]:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, customers and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
This policy outlines:
- what data the [organisation] is collecting;
- how data might be used;
- how to achieve compliance and what is required in setting up a data audit trail;
- who will be able to access and amend information;
- with whom the [organisation] will share data; and
- how the [organisation] will notify customers of a data breach or changes to the policy.
Data protection law
The Data Protection Act 1998 was superseded by the General Data Protection Regulation (GDPR), which has applied since 25 May 2018. The Privacy and Electronic Communications Regulations 2003 (PECR) were not replaced by the GDPR; they remain in force alongside it and continue to govern electronic marketing.
The GDPR is underpinned by seven general principles which say that personal data must:
- Be processed lawfully, fairly and transparently
- Be obtained for specified, explicit and legitimate purposes
- Be adequate, relevant and limited to what is necessary
- Be accurate and kept up to date
- Not be stored or held for any longer than necessary for the purposes for which it was obtained
- Be held securely, with appropriate technical measures in place to ensure integrity and confidentiality
- Be subject to full accountability, so that the ‘data controller’ can demonstrate compliance with all of the above principles
The GDPR also expands the rights of individuals:
- Right to be informed – to provide ‘fair processing information’, typically through a privacy notice and to be transparent over how personal data is used.
- Right of access – the right to access their personal data and supplementary information, and confirmation that their data is being processed.
- Right to rectification – Individuals have the right to have personal data rectified if it is inaccurate or incomplete
- Right to erasure – the right to be forgotten. Enables the deletion of personal data where there is no compelling reason for its retention.
- Right to restrict processing of data – the right to ‘block’ processing of personal data. The [organisation] may continue to store the personal data but must not process it further.
- Right to data portability – applies to personal data provided by an individual where processing is based on consent or the performance of a contract, and where processing is carried out by automated means.
- Right to object – to direct marketing (including profiling); to processing for the purposes of scientific/historical research and statistics; and to processing based on legitimate interests or the performance of a task in the public interest.
People, Risks and Responsibilities
This section sets out who the policy applies to, which areas of information they are responsible for, what training is required, and how policy and procedure information is disseminated around the organisation.
For example the policy might apply to:
- The [organisation], all premises of the [organisation] and any occasion or place where the [organisation] promotes events for which it sells the tickets.
- All staff and volunteers of the [organisation]
- All contractors, suppliers, visiting companies and other people working on behalf of the [organisation]
and to all data that the [organisation] holds relating to identifiable individuals, even if that information technically falls outside the scope of the GDPR. This can include:
- Names of individuals.
- Postal addresses.
- Email addresses.
- Telephone numbers.
- Any other information relating to individuals (eg age, gender, ethnicity).
Data protection risks
This policy helps to protect [organisation] from data security risks including:
- Breaches of confidentiality such as information being given out inappropriately.
- Failing to offer choice. All individuals should be free to choose how the [organisation] uses data relating to them.
- Reputational damage.
Everyone who works for or with [organisation] has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled in line with this policy and the data protection principles. Serious breaches of this policy will be considered a disciplinary matter.
Whilst the organisation as a whole is the data controller and data processor, some people have key areas of responsibility:
The Board of Directors and Chief Executive Officer are responsible for ensuring that [organisation] meets its legal obligations.
The Data Protection Officer is responsible for:
- Keeping the Chief Executive Officer and Board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with subject access requests from individuals to see the data the [organisation] holds about them.
- Checking and approving any contracts or agreements with visiting companies that may handle the [organisation]’s data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software are functioning properly.
- Evaluating any third party services the [organisation] is using to store or process data. For example, cloud computing services.
General staff guidelines might include:
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, [organisation] staff can request it from their managers.
- The [organisation] will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines listed in this policy.
- Strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the [organisation] or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted or destroyed.
- Employees should request help from either their manager or the Data Protection Officer if they are unsure about any aspect of data protection.
Outline where data should be stored – IT system / paper – and why, and what the procedures are for keeping that data secure.
Data that is stored electronically must be protected from unauthorised access and accidental deletion:
- [organisation] staff should ensure that they have set up strong, unique passwords that are never shared with other staff members and are changed promptly if there is any suspicion that they have been compromised.
- Data should never be stored on removable media like CD or DVD.
- Servers should be sited in a secure location.
- Data should be backed up frequently.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones (that includes personal laptops or other mobile devices).
- All servers and computers containing data should be protected by approved security software and a firewall.
Data use and security
Personal data is of no value to the [organisation] unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, staff should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Personal data should not be transferred outside of the European Economic Area unless an appropriate legal safeguard (for example an adequacy decision or standard contractual clauses) is in place and the transfer has been approved by the Data Protection Officer.
- Employees should not save copies of personal data to their own computers. Always access and update the principal copy of any data.
Describe the measures that are in place to protect the personal information that is stored from breach.
The [organisation] is only obliged to report a data breach to the ICO where it is likely to result in a risk to the rights and freedoms of individuals. Such a breach must be reported to the ICO within 72 hours of the [organisation] becoming aware of it.
A breach meets this threshold if, left unaddressed, it is likely to have a significant detrimental effect on individuals, for example discrimination, financial loss, damage to reputation or loss of confidentiality.
For example, the ICO will be notified about the loss of customer details where the breach leaves individuals open to identity theft, but the loss or inappropriate alteration of a staff telephone list would not constitute a significant breach. Lesser data breaches do not require the [organisation] to notify the ICO, but they must still be recorded internally and will normally require communication and an apology to the individuals concerned.
Describe the measures in place to ensure reporting of any breaches within the ICO required timescales.
The law requires the [organisation] to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all staff who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Details should be listed here of any/all Third Party organisations that [organisation] intends to share personal information with.
Where consent is the basis for sharing, describe how [organisation] has obtained and recorded the necessary specific, clear, granular permissions for sharing data with NAMED third parties, for specifically defined uses, and in specified communications channels. Where other lawful conditions for processing are relied upon for data sharing, these should also be described.
Subject access requests
All individuals who are the subject of personal data held by the [organisation] are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it.
- Be informed how to keep it up to date
- Be informed how the company is meeting its data protection obligations
If an individual contacts the company requesting this information, this is called a ‘subject access request’. The Data Protection Officer can supply a standard request form, although individuals do not have to use it. The [organisation] should verify the identity of anyone making a subject access request before handing over any information.
Details should be provided of whether there is a charge for the information requested and of the timescale within which data will be provided to the individual (under the GDPR a request must normally be answered free of charge and within one month of receipt).
The [organisation] should aim to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used.
- How to exercise their rights.