Data Protection and Security Policy for The Royal London Hospital League of Nurses
Contents
Introduction.
Purpose of processing.
Notification.
Disclosure of personal data.
Eight Data Protection Principles.
Processing of League data.
Accuracy.
Destruction.
Subject access.
Security.
Data transfer outside EEA.
1. Introduction
The Royal London Hospital League of Nurses is open to nurses who have trained or worked at The Royal London Hospital – as stated in the constitution. The League keeps records of its members in both computer form and on paper. It is intended that the processing of these data will eventually take place electronically. The data stored are:-
Name, previous names and title.
Address and post code.
Telephone and fax numbers.
E-mail addresses.
UKCC registration number and date of training commenced.
Qualifications and current post.
Subscription payments.
In addition, records are kept of letters from members.
2. Purpose of Processing
The purpose of processing the personal data of members is for the organisation and management of the League and its activities for members, including the management of Benevolent and Educational funds.
3. Notification under the Data Protection Act 1998
Under the Data Protection (Notification and Notification Fees) Regulations 2000 Statutory Instrument No 188, Section 5 of Schedule 3 lists a notification exemption for Non-Profit Making Organisations where
"The processing-
(a) is carried out by a data controller which is a body or association which is not established or conducted for profit;
(b) is for the purposes of establishing or maintaining membership of or support for the body or association, or providing or administering activities for individuals who are either members of the body or association or have regular contact with it;
(c) is of personal data in respect of which the data subject is-
(i) a past, existing or prospective member of the body or organisation;
(ii) any person who has regular contact with the body or organisation in connection with the exempt purposes; or
(iii) any person the processing of whose personal data is necessary for the exempt purposes;
(d) is of personal data consisting of the name, address and other identifiers of the data subject or information as to-
(i) eligibility for membership of the body or association; or
(ii) other matters the processing of which is necessary for the exempt purposes;
(e) does not involve disclosure of the personal data to any third party other than-
(i) with the consent of the data subject; or
(ii) where it is necessary to make such disclosure for the exempt purposes; and
(f) does not involve keeping the personal data after the relationship between the data controller and data subject ends, unless and for so long as it is necessary to do so for the exempt purposes."
This exemption appears to cover the requirements of the League provided that the constraints on disclosure and data holding are observed. It is noted that personal health data is made available to the League by way of letters from members to officers and in particular the President. These letters often provide personal health data and financial information. The former are sensitive personal data within the meaning of the Act and the latter are treated in a similar fashion by the League. These letters would be exempt from the requirements of the Data Protection Act 1998 if they were written simply from one person to another person, but they are written to officers of the League and are frequently used to influence financial payments made from the Benevolent and Educational Funds and hence they appear to come within the jurisdiction of the Act.
4. Disclosure of Personal Data
The League publishes a list of members, but this list is only available to members and is not released for outside use, whether for direct marketing or otherwise than for the purposes of the League. Information contained in letters to officers from members relating to their state of health or financial situation is not disclosed, even to other members of the League, without the consent of the authors.
5. The Eight Data Protection Principles
The processing undertaken by the League complies with the Eight Data Protection Principles, outlined briefly below:-
1. Personal Data shall be processed fairly and lawfully and, in particular shall not be processed unless the requirements of Schedule 2 are met and, in addition, the extra requirements of Schedule 3 are met for sensitive personal data
2. Personal Data shall be obtained only for specified and lawful purposes and shall not be further processed incompatibly
3. Personal Data shall be adequate, relevant and not excessive
4. Personal Data shall be accurate and, where necessary, kept up to date
5. Personal Data shall not be kept for longer than is necessary
6. Personal Data shall be processed in accordance with the rights of data subjects under this Act, in particular to access and if appropriate correct their data
7. Appropriate technical and organisational security measures shall be taken
8. Personal Data shall not be transferred outside the EEA unless that country or territory ensures adequate protection for the data
6. Processing of the League's Personal Data
The personal data collected and processed by the League shall not be used for any other purpose without the consent of the Data Subject. All League members and those working for the League are advised that the above requirements apply to them as well as to the League's officers. This advice is specifically included in the Members' List.
7. Accuracy of Personal Data
The League will endeavour to ensure that accurate personal data is collected initially and that opportunities will be offered to enable members to update their records, including at convenient times such as when subscriptions are requested and at League meetings.
8. Destruction of Personal Data
When members leave the League or die, their Personal Data shall be deleted unless the records are of legal, financial or historical interest.
9. Handling Subject Access and requests for Correction of Personal Data
It is the policy of the League that members shall be provided with copies of their personal data within the 40 days allowed by law but at no cost to the member. Correction of personal data shall be dealt with expeditiously.
10. Security
(a) Manual Records
The manual membership information shall be kept in a locked cabinet or drawer under the control of one or more League officers, and the League's letters containing sensitive personal data shall be kept separately and securely by the relevant officer.
(b) Computerised Records
The membership list shall be kept securely on a computer system secured by an access control package requiring password access to the personal data - which shall be managed securely. There shall be appropriate virus protection on the system and the virus definitions shall be regularly updated. Where the system is connected to a network and email facilities are used, care must be exercised in the use of the system as the personal data included in the system is covered by the automatic processing requirements of the Act. The personal data of members and others must be backed up regularly and consistently and plans should be developed to cover the League's processing requirements in the event of a disaster overtaking the computer system.
(c) Unauthorised Software
League members and those working for the League shall not use unauthorised or illegal software or copy software outside the terms of their software licence.
(d) Security Incidents
Any apparent breach of security in respect of the League's personal data or breach of this Data Protection and Security Policy shall be reported to the President for examination and appropriate action required by the Data Protection Act 1998 or otherwise.
11. Data Transferred outside the EEA
League members, both current and future, should be advised that it is the practice of the League to send its published Members' List to all members whether or not they are living outside the European Economic Area [EEA]. Members should be asked to consent to this continued practice, while those living outside the EEA should be asked to ensure that the Members' List is kept securely and only used for the purposes of the League.
February 2002
Data Protection information is available from the Information Commissioner's website.
Page last updated by DEB on 7/8/02