Data Protection Policy

Download a PDF version of the Data Protection Policy (12 pages, 280KB)

Revised May 2022

Contents

1. Introduction
2. Statement of Policy
3. Management and Responsibilities
4. Principles relating to processing of personal data
5. Registration with the Information Commissioner’s Office
6. Data Processors
7. Individuals’ Rights
8. Disclosure of Personal Data
9. Handling of Personal Data
10. Compliance
11. Staff Responsibilities
12. Third Party Users of Personal Data
13. Policy Awareness

1. Introduction

1.1 The Northern Ireland Assembly Commission (the Assembly Commission) is fully committed to complying with all relevant Data Protection legislation[1]. This includes the adoption of the EU General Data Protection Regulations (EU GDPR) into law as the UK General Data Protection Regulation (UK GDPR) following the United Kingdoms (UK) withdrawal from the European Union, effective from 1 January 2021.

1.2 We will follow procedures to ensure that all employees, contractors, agents, consultants and other parties who have access to any personal data held by, or on behalf of, the Assembly Commission are fully aware of, and abide by, their duties and responsibilities.

2. Statement of Policy

2.1 We may need to collect and use information about people with whom we work in order to carry out our business and provide our services. These people may include Members of the Assembly, members of the public, current, past and prospective employees, clients, customers and suppliers. In addition, we may be required by law to collect and process information. All personal data must be handled and dealt with properly, however it is collected, recorded and used, and whether it is on paper, in computer records or recorded by any other means.

2.2 This policy should be read in conjunction with the following Assembly Commission policies and procedures:

1. Assembly Commission Information Assurance Policy.
2. Policy for the use of IT Resources by Secretariat Staff.
3. Flexible Working Policy.
4. Records Management Policy and Guidance.
5. Retention and Disposal Schedule.
6. Social Media Policy.
7. Data Breach Management Plan.
8. IS Password Policy.
9. Fraud Prevention and Anti-Bribery Policy.
10. Alcohol, Drugs and Substance Abuse Policy.
11. Parliament Buildings CCTV Policy.
12. Standards of Conduct Policy.
13. Discipline Policy.
14. Standards of Conduct Policy.
15. Fraud Prevention and Anti-bribery Policy.
16. Policy for Managing and Processing of Images.

3. Management and Responsibilities

3.1 The Assembly Commission has overall responsibility for compliance with the Data Protection legislation and UK GDPR within the organisation. Key to the implementation of, and compliance with, this policy are the Data Protection and Governance Officer (DPGO), and Information Asset Owners (IAOs). The Director of Legal, Governance and Research Services is designated as the Senior Information Risk Owner (SIRO) for the organisation for the purposes of the Data Breach Management Plan.

3.2 The DPGO is responsible for ensuring this policy is communicated to all staff. IAOs are responsible for ensuring this policy is further communicated and implemented within their area of responsibility. They are responsible for the quality, security and management of personal data in use within their business area. Advice or assistance regarding this policy or the UK GDPR is available from the DPGO and the Information Standards Office.

3.3 Subject Access Requests for personal data are dealt with by the DPGO and business areas will be consulted accordingly.

3.4 Information sharing agreements, in line with the Information Commissioner’s Office (ICO) code of practice, will be signed on behalf of the Assembly Commission by the Head of Business, or as delegated by the Head of Business within each business area.

3.5 All Data Protection and related incidents must be reported and properly investigated according to the Assembly Commission Data Breach Management Plan.

3.6 All correspondence with the ICO on Data Protection matters will be approved by the DPGO.

3.7 This policy will be reviewed biennially, and when appropriate, consider changes to legislation that may occur, and / or guidance from the Information Commissioner. Appendices outlining the Assembly Commission’s policy on specific Data Protection-related projects and issues will be added when required.

4. Principles relating to processing of personal data

4.1 The Assembly Commission fully supports and complies with the principles relating to processing of personal data set out at Article 5 of the UK GDPR which require that personal data is:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5. Registration with the Information Commissioner’s Office

5.1 Data Protection legislation requires every data controller which is processing personal data to register with the ICO, unless they are exempt. The Assembly Commission is registered with the ICO and renews this annually as required. The current registration can be found here.

5.2 The Assembly Commission has conducted an audit of the personal data processed throughout the organisation and produced a register of the processing carried out. IAOs will be required to review the Data Protection register every six months to ensure it remains accurate and appropriate at all times. This review will include an update of any required changes or amendments, or altering or removing information as necessary, on a quarterly basis.

5.4 The Assembly Commission record of processing activities under its responsibility, as set out at Article 30 of the UK GDPR, will replace the previous notification with the ICO.

6. Data Processors

6.1 Where the Assembly Commission uses a contractor to process personal data on its behalf, the contractor must sign a data processing agreement, which ensures that they are taking adequate steps to comply with the Data Protection legislation and act only on the instruction of the Assembly Commission as agreed. The Assembly Commission and the data processor are responsible for their actions in processing personal data.

7. Individuals’ Rights

7.1 Under the Data Protection legislation, individuals have the following rights:

1. The right to be informed.
2. The right of access.
3. The right to rectification.
4. The right to erasure.
5. The right to restrict processing.
6. The right to data portability.
7. The right to object.
8. Rights in relation to automated decision making and profiling.

7.2 All requests to facilitate the exercise of data subject rights, under Articles 15-22 of the UK GDPR, will be facilitated through the DPGO. Further guidance and instruction will be available on AssISt.

8. Disclosure of Personal Data

8.1 Strict conditions apply to the passing of personal data both internally and
externally. The Assembly Commission will not disclose personal data to any third party unless we believe it is lawful to do so. In certain circumstances, information relating to staff acting in a business capacity may be shared provided that:

1. we have the statutory power to do so or are required by law to do so; or
2. the information is clearly not intrusive in nature; or
3. the member of staff has consented to the disclosure; or
4. the information is in a form that does not identify individual employees.

8.2 Concerns about sharing information should be referred to the DPGO for advice (for example, if the information includes personal data about a third party). In all cases, the DPGO should be advised that a request for personal data has been received and details for the request recorded.

8.3 Disclosure of data must be recorded by each business area in the data protection audit register (noted at 5.2 of this policy).

8.4 All disclosures of personal data externally must be recorded in the ‘data sharing decision’ template forms which are retained by each business area. The two main types of disclosure as follows:

i. Systematic, routine disclosure

• This is where the same data sets are shared between the same external organisations for an established purpose. For example, routine sharing with HMRC where there is a legal requirement to send national insurance and PAYE details to HMRC.
• This takes place in a pre-planned and routine way. As such, it should be governed by established rules and procedures and may be documented in contracts or other forms of agreement such as service level agreements, memorandums of understanding or data sharing agreements.
• Systematic sharing will generally involve routine disclosure of data sets between external organisations for an agreed purpose. This planned sharing of certain categories of information will require only one template to be completed noting the type of sharing that will take place on a regular basis.
• Details of all routine disclosure procedures, including justifications and approval procedures are available in the data sharing tool kit. The tool kit also contains full guidance details including exemptions available.

ii. Exceptional, non-routine or one-off data-sharing

• The exemptions in the Data Protection Act 2018 (DPA) can provide a basis for ad hoc sharing to take place legally in certain circumstances. The template forms for exceptional, non-routine or one-off data sharing should be marked “Assembly Restricted” and restricted to the Head of Business.
• An exceptional non-routine or one-off data sharing disclosure may arise where we decide, or are asked, to share data in situations, which are not covered by any routine agreement.
• Acting appropriately in situations like this depends primarily on the exercise of professional judgement. However, disclosures of personal data in situations like this are still subject to the DPA.
• For example, personal information might be sought in the course of a criminal investigation. An exemption in the DPA (the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of a tax or duty) could apply to such information. The effect of the exemption, if it applied, would be to disapply certain rights under the DPA and UK GDPR, and to modify the application of the data protection principles.
• Non-routine requests will be considered on a case-by-case basis in light of the procedure set out below.
• Non-routine sharing will require the “Assembly Restricted” template, restricted to the Head of Business, to be updated for individual cases. Each request for disclosure will be treated on a case-by-case basis. Procedures for approval of non-routine data sharing are set out as follows:

. 

9. Handling of Personal Data

9.1 All Assembly Commission staff will, through appropriate training and responsible management:

1. fully observe conditions regarding the fair collection and use of personal data;
2. meet our legal obligations to specify the purposes for which personal information is used;
3. collect and process appropriate personal data only to the extent that it is needed to fulfill operational needs or to comply with any legal requirements;
4. ensure the quality of personal data used;
5. apply strict checks to determine the length of time personal data is held;
6. ensure that the rights of people about whom information is held can be fully exercised under the Data Protection legislation;
7. take appropriate technical and organisational security measures to safeguard personal data;
8. ensure personal data is secured to prevent access by unauthorised individuals and that all information is kept in adequate storage in line with the information assurance policy;
9. ensure personal data is not transferred outside the United Kingdom without adequate safeguards;
10. ensure Privacy by Design is considered and implemented as necessary in all new policies, procedures, systems, projects, etc.;
11. ensure Data Protection Impact Assessments (DPIAs) are carried out where data processing is likely to result in high risk to individuals, for example:
    1. where a new technology is being deployed;
    2. where a profiling operation is likely to significantly affect individuals; or
    3. where there is processing on a large scale of the special categories of data; and
12. inform the DPGO where a DPIA indicates that the data processing is high risk and the risk cannot be sufficiently addressed. The DPGO will therefore be required to consult the ICO to seek its opinion as to whether the processing operation complies with the UK GDPR.

10. Compliance

10.1 The Assembly Commission will ensure that:

1. there is someone with specific responsibility for Data Protection in the Assembly Commission;
2. all staff receive annual awareness of Data Protection legislation;
3. everyone managing and handling personal data understands that they are directly and personally responsible for following good Data Protection practice;
4. only staff who need access to personal data as part of their duties are authorised to do so;
5. everyone managing and handling personal data is appropriately trained to do so;
6. everyone managing and handling personal data is appropriately supervised;
7. anyone wanting to make enquiries about handling personal data knows what to do;
8. queries about handling personal data are promptly and courteously dealt with;
9. methods of processing personal data are clearly described. This is usually done through a privacy notice. The privacy notice will also detail the purpose of processing the personal data; the legal basis for processing; data retention periods; individuals’ rights, including the rights to complain to the ICO if they think there is a problem with the way their data is being handled;
10. an information audit of personal data held across the Assembly Commission is conducted on an annual basis. his documents what personal data is held, where it came from and who it is shared with. This will include an assessment and evaluation to ensure that all personal data held is accurate and up to date, and that adequate controls are in place to ensure information is managed and stored appropriately. This will help the Assembly Commission to comply with the Data Protection legislation and demonstrate accountability;
11. ‘Data Protection by design’ is implemented as necessary in all new policies, procedures, systems, projects etc.;
12. DPIAs are carried out as necessary; and
13. if a DPIA indicates that the data processing is high risk, and the risk cannot be sufficiently addressed, the ICO will be consulted to seek its opinion as to whether the processing operation complies with the UK GDPR.

10.2 To assist in achieving compliance, we have:

1. appointed a DPGO who has overall responsibility for Data Protection within the Assembly Commission;
2. created guidance on the Assembly’s Commission’s Data Protection procedures in accordance with the Data Protection legislation;
3. appointed dedicated IAOs to ensure staff compliance with the Data Protection principles and adherence to the business area procedures;
4. created monitoring procedures to ensure business area compliance with the Information Assurance Policy (bi-annually);
5. created a register of the personal data processed throughout the Assembly Commission; and
6. created policies and procedures to ensure personal data remains complete, accurate and up to date and managed in line with the Principles.

11. Staff Responsibilities

11.1 All staff have a responsibility to protect the personal data held by the Assembly Commission. Staff must follow policy and procedures to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:

1. staff participate in training regarding the handling of personal data;
2. paper files and other records or documents containing personal / sensitive data are kept in a secure environment in accordance with the Information Assurance Policy;
3. personal data held on computers and computer systems is stored securely in the shared drive or relevant database, as required; and access control is managed in accordance with the Information Assurance Policy;
4. individual passwords are not easily compromised and are in accordance with the IS Office Password Policy; and
5. all personal data which staff provide to the Assembly Commission is accurate and up to date and the Assembly Commission is informed of any errors, corrections or changes.

11.2 If and when, as part of their responsibilities, staff collect information about other people, they must comply with the policy and business area procedures. No one should process personal data outside this guidance or use personal data held on others for their own purposes.

12. Third Party Users of Personal Data

12.1 Any third parties who are users of personal data supplied by the Assembly Commission will be required to confirm and demonstrate that they will abide by the requirements of the Data Protection legislation. Audits may be carried out, as necessary, by the Assembly Commission to ensure compliance.

13. Policy Awareness

13.1 A copy of this policy statement will be given to all new members of Assembly Commission staff and relevant third parties, such as agency staff and secondees. Existing Assembly Commission staff and any relevant third parties will be advised of the policy which will be posted on the Assembly Commission website and AssISt, as will any subsequent revisions. All staff and relevant third parties are to be familiar with and comply with this policy at all times.

13.2 Training

The Assembly Commission has a mandatory training programme, which includes maintaining awareness of managing information effectively, information assurance and Data Protection issues in accordance with Data Protection legislation. This is carried out by biennial training sessions covering the following subjects:

1. Personal responsibilities
2. Handling of information in line with the Information Assurance Policy.
3. Compliance with the Data Protection Principles.
4. Upholding Individual rights.
5. Adherence to the Records Management Policy and Guidance.
6. General good practice guidelines covering security and information assurance.

13.4 Induction

All new starts will receive information governance training as part of the Assembly Commission induction process. Extra training in these areas will be given to those who require it due to the nature of their job. A register will be maintained of all Assembly Commission staff attendance at training sessions.

13.5 Contracts of Employment

All contracts of employment include a Data Protection clause. Agency and contract staff are subject to the same rules.

Footnotes

[1] Data Protection legislation means the UK GDPR, the Data Protection Act 2018 (DPA) and regulations relating thereto.