Data Protection and Security Policy

This policy was approved by the MCofS Board on 27 August 2009

1.0 Introduction

MCofS is required to maintain certain personal data about living individuals for the purposes of satisfying operational obligations. MCofS recognises the importance of the correct and lawful treatment of personal data; doing so maintains confidence in the organisation and provides for successful operations.

The types of personal data that MCofS may require include information about: current, past and prospective employees; members; suppliers and others with whom it communicates. This personal data, whether it is held on paper, on computer or other media, will be subject to the appropriate legal safeguards as specified in the Data Protection Act 1998.

MCofS fully endorses and adheres to the eight principles of the Data Protection Act. These principles specify the legal conditions that must be satisfied in relation to obtaining, handling, processing, transportation, storage and disposal of personal data. Employees and any others who obtain, handle, process, transport and store personal data for MCofS must adhere to these principles.

2.0 Principles

The 8 data protection principles of good practice require that personal data shall:

a) Be processed fairly and lawfully and shall not be processed unless certain conditions are met;

b) Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;

c) Be adequate, relevant and not excessive for those purposes;

d) Be accurate and, where necessary, kept up to date;

e) Not be kept for longer than is necessary for that purpose;

f) Be processed in accordance with the data subject’s rights;

g) Be kept secure from unauthorised or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organisational measures;

h) Not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3.0 Satisfaction of principles

In order to meet the requirements of the principles, MCofS will:

a) Observe fully the conditions regarding the fair collection and use of personal data;

b) Meet its obligations to specify the purposes for which personal data is used;

c) Collect and process appropriate personal data only to the extent that it is needed to fulfil operational requirements;

d) Ensure the quality of personal data used;

e) Apply strict checks to determine the length of time personal data is held;

f) Ensure that the rights of individuals about whom the personal data is held can be fully exercised under the Act;

g) Take the appropriate technical and organisational security measures to safeguard personal data;

h) Ensure that personal data is not transferred abroad without suitable safeguards.

4.0 MCofS Designated Data Controller

MCofS is registered with the Information Commissioner’s Office and its registration number is Z9081994.

The Chief Officer is responsible for ensuring compliance with the Data Protection Act 1998 and implementation of this policy on behalf of the Board. The Chief Officer may be contacted at:

The Chief Officer, MCofS, The Old Granary, West Mill Street, Perth, PH1 5QP

Telephone 01738-493942 or email davidg@mcofs.org.uk

Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Chief Officer.

5.0 Status of the Policy

This policy has been approved by the Board and any breach will be taken seriously and may result in formal action.

Any employee who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the Chief Officer.

6.0 Subject Access

All individuals who are the subject of personal data held by MCofS are entitled to:

· Ask what information MCofS holds about them and why.

· Ask how to gain access to it.

· Be informed how to keep it up to date.

· Be informed what MCofS is doing to comply with its obligations under the 1998 Data Protection Act.

7.0 Employee Responsibilities

In respect of information about themselves, all employees are responsible for:

· Checking that any personal data that they provide to MCofS is accurate and up to date.

· Informing the Chief Officer of any changes to information which they have provided, e.g. changes of address.

If, as part of their responsibilities, employees collect information about members or other third parties, they must comply with this Policy, including Data Security arrangements.

8.0 Data Security

The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that:

· Any personal data relating to themselves, members or third parties which they hold is kept securely in a locked cabinet or password-protected computer file.

· Personal information relating to themselves, members or third parties is not disclosed either orally or in writing or otherwise to any unauthorised third party.

· Credit and debit card information provided by members or purchasers of products is destroyed immediately by shredding following a transaction.

· Bank information retained for Direct Debit purposes is kept in a filing cabinet which is locked at all times.

The Chief Officer is responsible for ensuring that data security arrangements are reviewed on a minimum annual basis on the anniversary of issue to ensure that they continue to meet the requirements of this policy and take account of any changes in the environment.

9.0 Rights to Access Information

Employees and other subjects of personal data (i.e. members) held by MCofS have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in manual filing systems.

Any person who wishes to exercise this right may make the request in writing to the Chief Officer.

MCofS aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 14 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

10.0 Publication of MCofS Information

Information that is already in the public domain is exempt from the 1998 Act. This would include, for example, information on staff contained within externally circulated publications. Any individual who has good reason for wishing details in such publications to remain confidential should contact the Chief Officer.

11.0 Subject Consent

The need to process data for normal purposes has been communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained.

Processing may be necessary to operate MCofS policies, such as health and safety and equity.

12.0 Retention of Data

MCofS will keep some forms of information for longer than others as specified in the Data Retention Procedure. All staff are responsible for ensuring that information is not kept for longer than necessary.

13.0 Supporting material

MCofS has produced a Data Retention Procedure (see 14.0) to support this policy.


14.0 Data Retention Procedure

14.1 Statutory Records

| Record | Statutory retention period | Statutory authority |
| --- | --- | --- |
| Accident books, accident records/reports | 3 years after the date of the last entry | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) |
| Accounting records | 3 years - private companies | Section 221 of the Companies Act 1985 |
| Income tax and NI returns, income tax records, including correspondence with sportscotland payroll and the Inland Revenue | Not less than 3 years after the end of the financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) |
| Records relating to events notifiable under the Retirement Benefits Schemes (Information Powers) Regulations 1995, records concerning decisions to allow retirement due to incapacity, pension accounts and associated documents | 6 years from the end of the scheme year in which the event took place, or the date upon which the accounts/reports were signed/completed | The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103) |
| Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence | 3 years after the end of the tax year in which the maternity period ends | The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) |
| Statutory Sick Pay records, calculations, certificates, self-certificates | 3 years after the end of the tax year to which they relate | The Statutory Sick Pay (General) Regulations 1982 (SI 1982/894) |
| Wage/salary records (also overtime, bonuses, expenses) | 6 years. In practice these are retained by sportscotland payroll | Taxes Management Act 1970 |
| Employer’s Liability Insurance certificates (ELI) | 40 years | Employer’s Liability (Compulsory Insurance) Regulations 1998 |


14.2 Non-statutory Records

Employees

| Record / Data | Retention policy | Disposal |
| --- | --- | --- |
| Personnel records | 6 years following cessation of employment | Secure disposal |
| Prospective employee correspondence | 6 months following appointment of successful candidate | Secure disposal |

Members

| Record / Data | Retention policy | Disposal |
| --- | --- | --- |
| Members – Individual and Associate | 3 years following current / final year of membership | Secure disposal of hard copy files. Delete from database |
| Membership – Club: Constitution | Retained permanently on file | Not applicable |
| Membership – Club: Membership records | 3 years following current / final year of membership | Secure disposal of hard copy files. Delete from database |
| Members – Honorary | Retained permanently on file | Not applicable |
| Bank and Credit Card Information | 6 years – for audit purposes | Secure disposal by shredding |

The Company and Its Interests

| Record / Data | Retention policy | Disposal |
| --- | --- | --- |
| Board Members and Senior Management | Retained permanently on file | Not applicable |
| AGM/EGM/SGM/Board and Executive meeting minutes | Retained permanently on file | Not applicable |
| Annual Reports | Retained permanently on file | Not applicable |
| Company Manual | Retained permanently on file | Not applicable |
| Other meeting minutes | 2 years | |
| Strategic Plans | Retained permanently on file | Not applicable |
| Deeds – trusts, office lease | Retained permanently on file | Not applicable |
| Consultancy Contracts | Retained permanently on file | Not applicable |
| Insurance Certificates and Policy Documents (except ELI) | 3 years | Not applicable |
| Stakeholder Agreements (sportscotland, SMT, BMC) | 3 years | Not applicable |
| Events – Forms used in Events Protocol | 3 years | Not applicable |

Version 1.0

Published on the MCofS website 24 August 2011