
Introduction

Shared Interest Society Ltd needs to keep certain personal data, for example about its customers, members and staff, to fulfil its purpose and to meet its legal obligations. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Shared Interest must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998.

Principles
Personal data shall:

  • Be obtained and processed fairly and lawfully.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Not be kept for longer than is necessary for that purpose.
  • Be processed in accordance with the data subject's rights.
  • Be kept secure from unauthorised access, accidental loss or destruction.
  • Not be transferred to another country without due security procedures to prevent unauthorised access of the data.


Shared Interest and all its staff, officers and representatives who process or use personal information must ensure that they follow these principles at all times.

Status of the Policy
This policy was approved by Shared Interest's Board on 9 May 2001. Any breach will be taken seriously and may result in formal action being taken.

Any customer, member, or member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with Shared Interest's Data Controller in the first instance.

Notification of Data Held and Processed
All customers, members, staff and other users are entitled, on request, to:

  • Know what information Shared Interest holds about them and why.
  • Know how to have access to it.
  • Be informed how to keep it up to date.
  • Be informed what Shared Interest is doing to comply with its obligations under the 1998 Data Protection Act.


Transfer of Personal Data Overseas
Shared Interest is a global organisation operating in a number of countries worldwide. To fulfil its customer service obligations it is necessary for Shared Interest to transfer and process some personal data outside the country in which the personal data is collected. Prior to making any such transfer Shared Interest will put in place security procedures and firewalls designed to prevent unauthorised use of or access to personal data.

Data Security and Protection
Shared Interest takes customer and member confidentiality and security very seriously. Shared Interest has implemented appropriate internal security procedures that restrict access to and disclosure of personal data within Shared Interest. These procedures will be reviewed from time to time to determine whether they are being complied with and are effective. All staff and representatives are responsible for ensuring that:

  • Any personal data which they hold is kept securely.
  • Personal information is not disclosed either orally or in writing or otherwise to any unauthorised third party.


Detailed advice on data security is contained in the Data Protection Guidance Notes.

Shared Interest will also actively investigate and cooperate with law enforcement agencies over any allegations of abuse or violation of system or network security.

Disclosure of Personal Data
Shared Interest passes personal data within its internal departments in order to fulfil customer support obligations, carry out sales and promotional activities, as well as maintain its records of account. Shared Interest does not disclose personal data to unaffiliated third parties except where customer consent has been obtained, where Shared Interest is under an obligation by law to disclose personal data, or where Shared Interest has contracted with third parties to assist in providing services to Shared Interest members or customers such as for delivery of support services (for example use of a mailing house). In the latter instance an appropriate protocol is put in place for each instance of use of data files.

Rights to Access Information
Customers, members, members of staff, and other associates of Shared Interest have the right to view any personal data that is being kept about them on computer and, with effect from 24 October 2001, to paper-based data held in manual filing systems. Any person who wishes to exercise this right should make the request in writing to Shared Interest's Data Controller. Shared Interest may make a charge on each occasion that access is requested, to reflect administration costs (the minimum charge is £25). Release of information resulting from such a request is authorised by the Managing Director. Shared Interest aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of receipt of a completed request. Where there is an unavoidable delay the reason will be explained in writing to the individual making the request.

Publication of Shared Interest Information
Information that is already in the public domain is exempt from the 1998 Act. This would include, for example, information on staff contained within externally circulated publications, or our web site. Any individual who has good reason for wishing details in such publications to remain confidential should contact Shared Interest's Data Controller.

Subject Consent
The need to process data for normal purposes has been communicated to all customers, members and staff. In some cases, if the data is sensitive, for example information about health, express consent to process the data must be obtained. Processing may be necessary to operate Shared Interest policies, such as health and safety and equal opportunities.

Retention of Data
Shared Interest will keep some forms of information for longer than others. Shared Interest has a Records Retention Schedule.

Shared Interest's Designated Data Controller
Shared Interest Society Ltd is the data controller under the Act and is therefore ultimately responsible for implementation. However, day to day matters will be dealt with by Shared Interest's Data Controller, Dawn Askew [email protected]. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Data Controller.

DATA PROTECTION POLICY - GUIDANCE NOTES


The purpose of these guidance notes is to underpin Shared Interest's Data Protection Policy and to provide a guide to best practice in Data Protection.

Data Protection Acts 1984 and 1998
The Data Protection Act, 1984, introduced basic principles of data protection, which set standards that all registered users were required to observe. It was designed to protect individuals from any disadvantage which might result from their personal details being held on computer, for example if the information became out of date, was lost, or was made available to people or used for purposes other than those it was collected for. The Act also set up the framework for compulsory registration of data users, and established the Data Protection Registrar to organise this process and to ensure compliance.

The Data Protection Act, 1998, replaces the 1984 Act, and builds upon and expands the controls on personal data under the 1984 Act. Under the 1998 Act, the data protection principles have been extended and 'personal data' includes information held in manual filing systems. Individuals are given enhanced rights to receive details of data held about them and why it is being held, and to prevent its use. The processing of data will only be fair if certain conditions have been met, and some information is classed as 'sensitive data' and there are particular restrictions on the use of it. There are also restrictions on the transfer of data to countries outside the European Economic Area. The 1998 Act replaces the office of the Data Protection Registrar with that of the Data Protection Commissioner, and the registration of data users is replaced by notification.

Although the new Act came into force on 1st March 2000, some of the provisions will not be effective until October 2001, and others will not be fully effective until 23 October 2007. In particular, paper or manual records which are kept in an organised filing system which existed before 23 October 1998 will not be covered by the new regulations until the end of the first transitional period, i.e. 23 October 2001. Records in new filing systems created after October 1998 will be covered immediately by the 1998 Act.

Notification
Shared Interest Society Ltd is registered under the 1984 Act as a data user. Details of Shared Interest's current registration can be accessed on the Data Protection Registrar's web site at http://www.open.gov.uk/dpr/register.htm.

Shared Interest's registration is reviewed and updated from time to time. If a new project involving personal data is being set up, or data already held are to be made available to different categories of people or used for a different purpose than the original, the person responsible must inform the Data Controller.

Any formal requests under the Act from data subjects regarding information held on them must be referred to the Managing Director, no matter which office or department is processing the information.

Staff Guidelines for Data Protection
Shared Interest staff process data on a day to day basis, as required. They have a duty to make sure that they comply with the data protection principles, which are set out in Shared Interest's Data Protection Policy, and follow the Acceptable Use Policy for Internet access. In particular, staff must ensure that records are:

  • Accurate
  • Up-to-date
  • Kept and disposed of safely and in accordance with Shared Interest's Records Retention and Disposal Policy


Data Security
The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff should ensure that:

  • Any personal data which they hold is kept securely.
  • Personal information is not disclosed either orally or in writing accidentally or otherwise to any unauthorised third party.
  • All personal information in the form of manual records is kept in a locked filing cabinet or in a locked drawer.
  • Computerised information is password protected, with passwords being regularly changed, so that only authorised people can view or alter confidential data, or is kept only on a disk which is itself kept securely in a desk or cabinet to avoid physical loss or damage.
  • To avoid unauthorised disclosure, care must be taken to site computer terminals so that they are not visible except to authorised people. Screens should not be left unattended when personal data is being processed. Similarly, care must be taken to ensure that manual records, e.g. printout containing personal data, are not left where others can access them. When manual records, or printout containing personal data, are no longer required, they should be shredded, bagged and disposed of securely.


Particular care must be taken of any data taken away from Shared Interest's offices, for example manual records to be used at home, or computerised data to use on portable computers or home machines. Ensure that all work is kept confidential and, in the case of computerised information, that files are not exposed to risk from virus infection.

Further Information
Further information and advice can be obtained from Shared Interest's Data Controller, Dawn Askew. Email to: [email protected]
