Data Protection Policy
MediWales collects, stores and uses information about people with whom it communicates. This personal information must be dealt with properly and securely however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the Data Protection Act 1998.
MediWales regards the lawful and correct treatment of information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals.
To this end MediWales fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.
Eight Data Protection Principles
Whenever collecting information about people MediWales applies the Eight Data Protection Principles:
- Personal data should be processed fairly and lawfully
- Personal data should be obtained only for the purpose specified
- Data should be adequate, relevant and not excessive for the purposes required
- Data should be accurate and kept up-to-date
- Data should not be kept for longer than is necessary for the purpose
- Data should be processed in accordance with the rights of data subjects under this Act
- Security: appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction or damage to personal data
- Personal data shall not be transferred outside the EEA unless that country or territory ensures an adequate level of data protection
Working from home
- Home computers should have records removed once project/work records are no longer needed at home
- Staff agree to try to keep work taken home relatively secure and to return all work-related material upon the completion/termination of their contract; the organization should be informed if information has got into the wrong hands
Security Statement
MediWales has taken measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
This includes:
- Adopting an information security policy (this document is our policy)
- Taking steps to control physical security (projects and staff records are all kept in a locked filing cabinet)
- Putting in place controls on access to information (password protection on files and server access)
- Establishing a business continuity/disaster recovery plan (MediWales takes regular back-ups of its computer data files and these are stored away from the office at a safe location)
- Training all staff on security systems and procedures
Compliance
Compliance with the Act is the responsibility of all staff, paid or unpaid.
MediWales will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action.
Any employee who breaches this policy statement will be dealt with under the disciplinary procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution.
Any questions or concerns about the interpretation or operation of this policy statement should in the first instance be referred to the line manager.
Retention of Data
No documents will be stored for longer than is necessary.
All documents containing personal data will be disposed of securely in accordance with the Data Protection principles.