Data Protection Policy
Introduction
This document sets out how BGZ Consultants LLP (“BGZ”) implements the Data Protection Act 1998 to ensure personal data is protected.
The Data Protection Act 1998 regulates the processing of information relating to individuals; this includes the acquiring, retaining, using or disclosing of such information, and covers computerised records as well as manual filing systems and card indexes.
BGZ will hold the smallest amount of personal information necessary to allow it to perform its functions. All such information is confidential and will be treated with care, to comply with the law.
Our purpose for storing personal data and a general description of the categories of people and organisations to which we may disclose it are listed in the Data Protection Register. You may inspect the register or obtain a copy from the Information Commissioner's Office. We will not disclose information to any third party unless we believe it is lawful to do so.
Summary of Principles
Data users must comply with the Data Protection principles of good practice which underpin the Data Protection Act 1998; these state that personal data shall:
Be obtained and processed fairly and lawfully (i.e. that the subject of the data has consented to its collection and use);
Be held only for specified purposes;
Be adequate, relevant but not excessive;
Be accurate and kept up to date;
Be held for no longer than necessary;
Be accessible to data subjects, i.e. living individuals about whom we retain data;
Be subject to the appropriate security measures.
Data may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by use of a prescribed form of contract to govern the transmission of the data.
BGZ and all staff who process or use personal data must ensure that they abide by these principles at all times. This policy has been developed to ensure this happens.
Data Protection Officer
BGZ is the Data Controller under the Data Protection Act 1998 and is ultimately responsible for complying with the legislation. However, day-to-day matters, the registration of systems and subject access requests will be dealt with by the Data Protection Officer.
It is the responsibility of the Data Protection Officer to:
Assess the understanding of the obligations of BGZ under the Data Protection Act;
Be aware of our current compliance status;
Identify and monitor problem areas and risks and recommend solutions;
Promote clear and effective procedures and offer guidance to staff on data protection issues. It is anticipated that this will include familiarisation with the Act, beginning with new starters’ induction process, training programmes/seminars, annual appraisals and internet resources.
Requirements of the Act (Notification & Registration)
BGZ’s staff must notify the Data Protection Officer of any filing system or computer database that contains (or will contain) personal data (e.g. name and address) and complete the relevant notification forms to register the system. This notification will then be added to BGZ’s registration that is held by the Information Commissioner for approval. BGZ will keep some forms of information longer than others in line with financial, legal or archival requirements.
Subject Consents
If data is sensitive, for example information on health, race or gender, the subject’s express consent to the processing of his data must be obtained. This data may be required to operate BGZ’s policies such as health and safety and equal opportunities.
Responsibilities of staff
It is NOT the responsibility of the Data Protection Officer to apply the provisions of the Data Protection Act. This is the responsibility of the individual collectors, keepers and users of personal data. Therefore, staff members are required to be aware of the provisions of the Data Protection Act 1998, such as keeping records up to date and accurate, and its impact on the work they undertake on behalf of BGZ.
It is the responsibility of the Heads of Departments to ensure all computer and manual systems within their respective department areas that contain personal data are identified and the Data Protection Officer informed for notification purposes. Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken or even a criminal prosecution.
Data Security
All staff members are responsible for ensuring that:
Any personal data they hold, whether in electronic or paper format, is kept securely.
Personal information is not disclosed deliberately or accidentally either orally or in writing to any unauthorised third party.
Subject Access Requests
Staff and members of the public have the right to access personal data that is being kept about them insofar as it falls within the scope of the 1998 Act. Any person wishing to exercise this right should make his request in writing, using BGZ’s ‘Subject Access Request Form’, which may be obtained by telephoning, emailing or writing to BGZ, and return the completed form to the Data Protection Officer. BGZ reserves the right to charge the fee recommended by the Information Commissioner on each occasion that access is requested. If the details are inaccurate, you can ask us to amend them.
BGZ aims to comply with a request for access to personal information as quickly as possible, but BGZ must comply with a subject access request within forty days of receipt of the request, or if later, within forty days of the receipt of the identity information required, the completed subject access request form and the relevant fee.
BGZ does not need to comply with a request where it has received an identical or similar request from the same individual unless a reasonable interval has elapsed between compliance with the original request and the current request.