The data protection principles
There are eight data protection principles that are central to the Act. The Company and all its employees must comply with these principles at all times in their information-handling practices. In brief, the principles say that personal data must be:
1. Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the employee has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to:
race or ethnic origin
political opinions and trade union membership
religious or other beliefs
physical or mental health or condition
criminal offences, both committed and alleged.
2. Obtained only for one or more specified and lawful purposes, and not processed in a manner incompatible with those purposes.
3. Adequate, relevant and not excessive. The Company will review personnel files on an annual basis to ensure they do not contain a backlog of out-of-date information and to check there is a sound business reason requiring information to continue to be held.
4. Accurate and kept up-to-date. If your personal information changes, for example you change address, you must inform your line manager as soon as practicable so that the Company’s records can be updated. The Company cannot be held responsible for any errors unless you have notified the Company of the relevant change.
5. Not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a period of time will be destroyed after six months. Data relating to unsuccessful job applicants will only be retained for a period of six months.
6. Processed in accordance with the rights of employees under the Act.
7. Secure. Technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, data. Personnel files are confidential and are stored in locked filing cabinets. Only authorised staff have access to these files. Files will not be removed from their normal place of storage without good reason. Data stored on diskettes or other removable media will be kept in locked filing cabinets. Data held on computer will be stored confidentially by means of password protection, encryption or coding and, again, only authorised employees have access to that data. The Company has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.
8. Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.
Information about employees within a business should be kept for 3 years after termination of employment; after this period has elapsed, all information should be disposed of immediately and correctly. Here, all information is locked away in filing cabinets in a spare office that nobody ever uses. This is just one way in which we file in the business; it is a manual type of filing and one of the most popular which we use. However, we also use filing in the computer system, which only the office staff can access and which is saved onto a master hard drive, which means that all data can be retrieved if accidentally deleted or lost. This hard drive is locked away in a cupboard which only the office manager has access to. The computers have passwords on them, which means that only you can log onto your computer and nobody else can do so.