Data Protection Policy
1. The Northern Ireland Assembly Commission is fully committed to complying
with the Data Protection Act 1998 which came into force on 1 March 2000.
2. We will follow procedures to ensure that all employees, contractors, agents,
consultants and other parties who have access to any personal information
held by or on behalf of us are fully aware of and abide by their duties and
responsibilities under the Act.
Statement of Policy
3. We need to collect and use information about people with whom we work in
order to carry out our business and provide our services. These may include
Members, members of the public, current, past and prospective employees,
clients, customers and suppliers. In addition, we may be required by law to
collect and use information. All personal information must be handled and
dealt with properly, however it is collected, recorded and used, and whether it
is on paper, in computer records or recorded by any other means.
Data Protection Principles
4. We fully support and comply with the eight principles of the Act. In summary,
this means personal information must be:
i. Processed fairly and lawfully;
ii. Processed for limited purposes and in an appropriate way;
iii. Relevant and sufficient for the purpose;
v. Kept for as long as is necessary and no longer;
vi. Processed in line with individuals' rights;
viii. Only transferred to other countries that have suitable data protection controls.
Registration with the Information Commissioner's Office (ICO)
5. Our purpose for holding personal information and a general description of the
categories of people and organisations to which we may disclose it are listed
in the Information Commissioner's Data Protection Register.
The Northern Ireland Assembly Commission ensures its entry in the ICO register is reviewed quarterly to ensure it remains accurate and appropriate at all times.
• Designated FoI Officers will be contacted by the Governance Services on a quarterly basis, asking them to review the current registration and to bring any required changes or amendments to the register, including adding an additional purpose to the notification or altering or removing a notification entry, to the immediate attention to the Information Standards Officer.
• Designated FoI Officers are responsible for ensuring any potential
changes to the notification, for example adding an additional purpose to
the notification or altering or removing a notification entry, are brought
to the attention of the Information Standards Officer as soon as
practicable and in advance of the required 28 day timeframe so that
updates to the registration can then be communicated to the ICO
accordingly. An email will issue quarterly to Designated FoI Officers
advising of this requirement.
Disclosure of Personal Information
6. Strict conditions apply to the passing of personal information both internally
and externally. We will not disclose personal information to any third party
unless we believe it is lawful to do so. Respect to confidentiality will be given,
where appropriate. In certain circumstances, information relating to staff
acting in a business capacity may be made available provided:
• we have the statutory power or are required by law to do so; or
• the information is clearly not intrusive in nature; or
• the member of staff has consented to the disclosure; or
• the information is in a form that does not identify individual employees.
Concerns about providing information should be referred to the Information
Standards Officer for advice, for example, if the information includes personal
data about a third party. In all cases, the Information Standards Officer should
be advised that a request has been received and details for the request
Handling of Personal Information
7. All secretariat staff will, through appropriate training and responsible
i. Fully observe conditions regarding the fair collection and use of personal information;
ii. Meet our legal obligations to specify the purposes for which personal
information is used;
iii. Collect and process appropriate personal information only to the extent
that it is needed to fulfill operational needs or to comply with any legal
iv. Ensure the quality of personal information used;
v. apply strict checks to determine the length of time personal information is held;
vi. Ensure that the rights of people about whom information is held can be
fully exercised under the Act;
vii. Take appropriate technical and organisational security measures to safeguard personal information;
viii. Ensure personal data is secured to prevent access by unauthorised individuals and that all information is kept in adequate storage in line with the information assurance policy;
ix. Ensure personal information is not transferred abroad without adequate safeguards.
8. We will ensure that:
i. There is someone with specific responsibility for data protection in
ii. All staff receive annual awareness of the Data Protection Act;
iii. Everyone managing and handling personal information understands that they are directly and personally responsible for following good data
iv. Only staff who need access to personal information as part of their duties are authorised to do so;
v. Everyone managing and handling personal information is appropriately
trained to do so;
vi. Everyone managing and handling personal information is appropriately
vii. Anyone wanting to make enquiries about handling personal information
knows what to do;
viii. Queries about handling personal information are promptly and courteously dealt with;
ix. Methods of handling personal information are clearly described;
x. An audit of personal information is conducted on an annual basis. This will include an assessment and evaluation to ensure that all personal information held is accurate and up to date and that adequate controls are in place to ensure information is managed and stored appropriately.
9. To assist in achieving compliance, we have:
i. Appointed the Information Standards Officer as the officer with overall responsibility for data protection within the organisation;
ii. Created a Data Protection Staff Handbook, providing detailed guidance on the Northern Ireland Assembly's data protection procedures;
iii. Appointed dedicated Information Asset Owners to ensure staff compliance with the data protection principles and adherence to the business area procedures;
iv. Monitoring procedures in place to ensure business area adherence
with the Information Assurance Policy (bi-annually);
v. Registered the Northern Ireland Assembly Commission's purpose for holding personal information, with the Information Commissioner, and provided a general description of the categories of people and organisations to which we may disclose it; and
vi. Implemented a procedure to ensure that personal data remains complete, accurate and up to date. This information will be reviewed on an annual basis.
10. All staff have a responsibility to protect the personal information held by the
Northern Ireland Assembly Commission. They will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and in particular will ensure that:
i. They participate in training regarding the handling of personal information;
ii. Paper files and other records or documents containing personal / sensitive data are kept in a secure environment;
iii. Personal data held on computers and computer systems is protected by the use of secure passwords which, where possible, have forced
iv. Individual passwords are not easily compromised;
v. all personal data which staff provide to the NI Assembly Commission is accurate and up to date and the Assembly Commission is informed of any errors, corrections or changes.
11. If and when, as part of their responsibilities, staff collect information about
other people, they must comply with the policy and business area
procedures. No one should disclose personal information outside this
guidance or use personal data held on others for their own purposes.
Third Party Users of Personal Information
12. Any third parties who are users of personal information supplied by the
Northern Ireland Assembly Commission will be required to confirm and
demonstrate that they will abide by the requirements of the Act. Audits will be
carried out by the Northern Ireland Assembly on a regular basis to ensure
13. A copy of this policy statement will be given to all new members of staff and
relevant third parties. Existing staff and any relevant third parties will be
advised of the policy which will be posted on out Internet and intranet sites,
as will any subsequent revisions. All staff and relevant third parties are to be
familiar with and comply with this policy at all times.