In a message dated 23/10/2001 13:13:06 GMT Daylight Time, [log in to unmask] writes:

<< I am putting together a short, sharp information sheet for staff now that paper records are no longer exempt. Has anyone done this yet and if so can we share our ideas? >>

---------------

The following may be helpful as a base document which you could adapt for your own uses. We will allow Jiscmail Data Protection members to use/adapt/adopt the text below and we waive our copyright on the document for members who contact us with the name of the organisation who will be using it. This is for recording purposes so we know which companies/organisations are using it with our permission. An acknowledgement on the final version will suffice. Our unsolicited advert is at the bottom of this e-mail.

Note that the definition of "relevant filing system" is now largely redundant for public bodies who will be subject to FOI. It now means that almost ANY data on a person will be available under subject access provisions.

start of document--------

The Data Protection Act 1998
Basic Introduction for Public Sector Employees

What is the Data Protection Act 1998?

The Data Protection Act 1998 is a new law designed to protect the privacy of individuals, in particular with regards to the processing of their personal information. It should be seen as an extension of human rights legislation.

The Act was introduced to meet the requirements of an EC Directive to ensure that all citizens of Europe could be certain that their personal information would be protected to the same level wherever they live or work in the EU.

The 1998 Act replaces the Data Protection Act 1984 which was primarily aimed at protecting computerised data. The new Act covers most manual records (paper files, card index systems, microfilm, microfiche, audio/video tape, some notebooks and diaries, etc) as well as those held on computer.

How does it affect the Organisation?

The Data Protection Act 1998 gives individuals the right to see information held by companies and organisations, including this Organisation, and to have the information corrected or erased in certain circumstances. People can even apply for orders to stop the Organisation processing their information. It also means that if the Organisation causes them harm (physical or financial) or substantial distress as a result of any breach of the Data Protection Act 1998 they could claim compensation. Criminal action might also be taken.

How does it affect me?

Employees can also be prosecuted for unlawful action under the legislation. Fines of up to £5000 could result if you use or disclose information about other people without their consent or proper authorisation from the Organisation. You could even be committing an offence if you give information to another employee who does not need the details to carry out their legitimate duties.

You should take particular care when using the Internet, e-mail and the internal network. Special care must be taken with sensitive data such as ethnic origins, religious/political beliefs, health data, disabilities, details of offences or alleged offences, sexual life or trade union membership.

What are my responsibilities?

You should follow all instructions very carefully, you will be told what you are allowed to do with the personal details of the Organisation's staff, clients, customers and suppliers. There are strict limits on what data (whether on computer, in filing cabinets or whatever) can be stored, used and disclosed. You must not undertake any work on that kind of information without proper authorisation from your line manager. If you are unsure about any work you are asked to do, or any disclosure you are asked to make, contact your Data Protection Officer/Representative .................................................................. on extension ...................

Disclosures to outside organisations, including the police and other agencies, should only be undertaken by properly trained and authorised personnel. If you have not been instructed on how to undertake the appropriate checks, always pass on these requests to senior officers. Make a note in your diary of the request and who you passed it on to.

The only exception to this rule is where information is required urgently to prevent an injury. If you are sure the disclosure will stop an injury from happening you should give the requester the data they are asking for. Again, make a note in your diary of the incident, including the name of the officer you gave the details to, the date and time of the event, and the nature of the information given.

Disclosures to other staff, managers and others will depend upon a number of factors. You will be given specific instructions on what details you can give to whom. If the information requested seems excessive, or if you are not sure if you are allowed to supply the data, always ask your line manager and/or departmental Data Protection Officer.

You will be informed of your specific role within the Organisation's security system but in general do not leave people's information on your desk when it is not in use, lock all filing cabinets, do not leave data displayed on screen, do not leave your computer logged on and unattended, do not give your password to anyone under any circumstances, do not choose a password that's easy to guess, never send anything by fax or e-mail that you wouldn't put on the back of a postcard.

What are my rights?

As an employee of the Organisation you have a right to see information we hold about you. If that information is incorrect or out of date, please let us know and we will correct it. Some changes may only be made to data when appropriate proof is supplied.

-----------------end of document

Ian Buckland
MD
Keep IT Legal Ltd

Please Note: The information contained in this document does not replace or negate the need for proper legal advice and/or representation. It is essential that you do not rely upon any advice given without contacting your solicitor.

If you need further explanation of any points raised please contact Keep I.T. Legal Ltd at the address below:

55 Curbar Curve
Inkersall, Chesterfield
Derbyshire S43 3HP
(Reg 3822335)
Tel: 01246 473999
Fax: 01246 470742
E-mail: [log in to unmask]
Website: www.keepitlegal.co.uk

Providers of quality and interesting Data Protection training courses for your staff, managers, directors, elected members, contractors, data processors, etc. We can help you put together your policies and procedures, check your compliance level and assist with compliance measures.