This is a statement of the data protection policy adopted by DOG Rescue Cyprus. The policy is subject to regular review to reflect the changes to legislation. All DOG Rescue Cyprus volunteers and representatives are expected to apply the policy and seek advice when required.
DOG Rescue Cyprus needs to collect certain types of information about people with whom it deals in order to operate. This includes information relating to adopters, fosters and donators. All personal information must be dealt with according to the Data Protection Act 1998.
The Data Protection Act provides various safeguards relating to the management of individuals’ personal data. It places a number of obligations on DOG Rescue Cyprus to ensure that data is managed effectively and lawfully. DOG Rescue Cyprus fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.
The principles in the Data Protection Act instruct DOG Rescue Cyprus to ensure that personal and sensitive data is:
To comply with the Data Protection Act DOG Rescue Cyprus will:
To assist in achieving compliance DOG Rescue Cyprus will:
The scope of this policy is to outline the responsibilities of DOG Rescue Cyprus and DOG Rescue Cyprus representatives’ and provide practical guidance when processing and dealing with enquiries involving personal data.
A copy of the Data Protection Act can be found on the Information Commissions Office (ICO) website www.ico.org.uk.
Where personal data is not processed, stored, destroyed and/or disclosed in full compliance of the Data Protection Act the ICO has the power to set monetary fines of up to £500,000. As well as the costs involved there is a possibility of affecting the DOG Rescue Cyprus brand and reputation. It is also important to recognise that representatives and volunteers can be prosecuted for their failure to comply with the Data Protection Act. Therefore, it is imperative that all DOG Rescue Cyprus representatives and volunteers read this policy and are fully aware of the implications of disclosing or losing personal data, even by genuine error.
DOG Rescue Cyprus volunteer and representatives responsibilities
All DOG Rescue volunteers and representatives are responsible for following the eight principles of the Data Protection Act by:
Types of data
Personal data relates to a living individual who can be identified from that data or from that data in conjunction with other readily available data e.g. address contact details.
All printed personal data must be kept in a locked filing cabinet. If information is held electronically, files must be password protected.
To allow DOG Rescue Cyprus to process and hold personal information the individual must be advised of the reason for processing and storing such data and consent must be given. Authorisation is obtained on the following documents:
Once information is in the possession of DOG Rescue Cyprus, staff must process it in accordance with the data protection principles paying particular attention to security, accuracy, length of time held and the purpose for which it was originally obtained.
Situations where data can be processed without consent:
Sensitive data relates to an individual’s racial origin, political opinions, religious beliefs, trade union membership, physical or mental health matters, sexual orientation/life or actual criminal activity and criminal record.
Such data can only be collated with the express consent of the individual and must be processed with extreme care.
Circumstances that enable sensitive data to be processed lawfully:
Sensitive information must be protected with a higher level of security and must be kept separately in a locked drawer or filing cabinet, all electronic files must be password protected.
Subject Access Rights
Under the Data Protection Act each individual has the right to access personal data held about them although this does not give them the right to access information about anyone else (except a parent acting on behalf of a child). This right extends to data held both electronically and manually.
Any person may exercise the right to request personal data held about them by submitting a written request to the Data Protection Officer. To apply for a subject access request the individual must put their request in writing. This does not have to be a formal letter; e-mails and social media requests should also be accepted. In the event that the person requesting the Subject Access Request has difficulties to communicate in writing DOG Rescue Cyprus does have a legal duty to make reasonable adjustments; such as accepting a verbal request.
On receiving a subject access request, DOG Rescue Cyprus will carry out a full search of databases and forward copies of any documentation within one month of receipt.
The subject access request will be logged, the search carried out and checks undertaken to ensure all information is eligible with clear explanations of what the document is or refers to. All disclosable documents. A final response will be sent to the individual with a copy of document log and a full copy of documents saved for future reference.
Whilst responding to a subject access request there may be occasions whereby providing information may disclose information regarding a third party. Section 7(4) of the Data Protection Act (1998) states that if you cannot comply with the request without disclosing information relating to another individual who can be identified from that information you do not have to comply with the request unless the third party has consented to the disclosure and/or it is reasonable to do so in all circumstances. In such cases the individual requesting this information should be written to advising them that DOG rescue Cyprus is unable to process their request and the reasons why. It may be possible to edit the document by removing third party names.
Consideration must be given when requesting consent from the third party to ensure that by requesting consent DOG Rescue Cyprus is not disclosing personal information about the requesting individual. In all cases a record of the course of action taken must be recorded and the reasons for not obtaining consent. Should DOG Rescue Cyprus disclose information without consent the third party does have the right to complain to the Information Commissions Office; who will request a full explanation for disclosing such information.
Subject Access Requests can be requested by third parties i.e. solicitors. Written authorisation MUST be provided by the person whose data you are collating. Identity must also be provided i.e. passport to allow you to confirm that the request is authorised. Where third party requests are received it is recommended that you speak to the data subject (person whose data you are collecting) as further confirmation that they have authorised the request unless the third party has specifically stated not to do so.
Requests for information from government authorities investigating fraudulent or criminal activity may be exempt from the Data Protection Act and third party consent may not be required. On occasions the organisation requesting personal information may state that the individual must not be contacted for consent. Where such requests are received the following must be considered before disclosing information:
Where information is disclosed a log of the investigations to confirm validity of the request and reason for disclosing without third party consent must be made. DOG Rescue Cyprus does have the right not to comply with the request, however a full explanation to the requesting body is required. Should DOG Rescue Cyprus disclose information without consent the third party does have the right to complain to the Information Commissions Office; who will request a full explanation for disclosing such information.
Data may be amended and updated as part of a daily function. However, it is an offence under the Data Protection Act to delete or change a record following the receipt of a subject access request. Therefore it is extremely important to ensure that information held on a person is relevant, fair and accurate. Where information is no longer relevant it should be destroyed at the time it is no longer required.
Information provided with a subject access request may also include documents that are not considered personal i.e. information relating to a complaint but not mentioning the individual. It is not a requirement under the Data Protection Act to supply such information. However, it is recommended to allow the individual to make sense of other documentation that includes personal information regarding the same subject matter.
Letter to individual confirming receipt of Subject Access Request
RE: Subject Access Request
Further to your recent request to access your records under the terms of the Data protection Act 1998 I am writing to confirm receipt. DOG Rescue Cyprus will now conduct a full search of our electronic and manual records and will provide you with hard copies of all documentation related to you by <1 month from receipt of request>. If you would prefer to receive this documentation electronically please let us know.
Letter to individual requesting subject access request
RE: Subject Access Request
Thank you for your request for access to your records under the terms of the Data Protection Act 1998. Please find the information enclosed, these documents may include information that has been supplied on a discretionary basis, which we are not obliged to disclose under the Data Protection Act. You should be aware that the Data Protection Act provides for a number of exemptions to the disclosure of information. DOG Rescue Cyprus, like all registered Data Controllers under the Act, is entitled to apply those exemptions where permitted.
If you have any queries with the information provided, please do not hesitate to contact us.
Letter to individual requesting subject access request – no data held
RE: Subject Access Request
Thank you for your request for access to your records under the terms of the Data Protection Act 1998. DOG Rescue Cyprus has conducted a full search of our manual and electronic databases and has been unable to locate any personal records relating you.
You should be aware that the Data Protection Act provides for a number of exemptions to the disclosure of information. DOG Rescue Cyprus, like all registered Data Controllers under the Act, is entitled to apply those exemptions where permitted.
If you have change your name or have any further information that you feel may help DOG Rescue Cyprus conduct a further search please contact us.
Individuals can submit as many subject access requests they wish. In the event that repeated requests are made any information that was disclosed on a previous request does not need to be included in a new request if:
Where information is not provided due to previous subject access requests the individual should be informed.
Disclosure of Information
Whenever personal data is disclosed it is important that the information provided is accurate and relevant to the enquiry and does not disclose another individual’s personal data.
To the individual whose data is held
The identity of the individual that is requesting personal data must be verified prior to providing any personal data. Personal data can only be disclosed to the individual whose data is being requested, unless consent is provided by the individual whose data is being requested.
Example of verification:
Before disclosing any information the individual should confirm their name, address and date of birth.
If the caller has contacted DOG Rescue Cyprus on behalf of the individual, personal information must not be provided without written consent of the individual.
To a DOG Rescue Cyprus representative
DOG Rescue Cyprus representatives are likely to have access to data however this must be limited to information required to complete daily duties with regard to DOG Rescue Cyprus activities. When a request is received from a DOG Rescue Cyprus representative that discloses personal information, information may only be disclosed if it is relevant to their role in DOG Rescue Cyprus.
To a third party
Disclosing information to a third party without prior consent of the individual would result in non-compliance of the Data Protection Act. However, information can be disclosed if written authorisation from the individual is received and can be verified. Verifications should include a signature to allow DOG Rescue Cyprus to cross check the signature on previous documentation i.e. application form.
To prevent or detect a crime
The Data Protection Act does allow disclosure of information to prevent or detect a crime.
The following questions should be asked prior to releasing any information:
If DOG rescue Cyprus is not satisfied, the request for information can be denied. A court order may then be applied for by the requesting organisation. If the courts decide the information should be released, DOG rescue Cyprus is covered under the Data Protection Act.
On receipt of a request for information to prevent or detect a crime a record should be made of each decision made and filed in a secure cupboard.
Updating data protection information
Whenever personal data is collected a data protection statement should be available to disclose the purpose of collecting the data and who has access to the data. When processing the information collected the data protection preference selected by the individual must be recorded to ensure the data is processed correctly i.e. information is not used for marketing purposes.
Collection of data for marketing purposes
All information must be processed fairly. DOG Rescue Cyprus must always make sure that individuals are aware of the following:
Unless the use of the personal information is obvious it must be made clear to the individual before, or at the time the data is collected.
Personal information found on the internet
For full compliance of the Data Protection Act DOG Rescue Cyprus will not use any personal information held in the public domain. Only information collected by DOG Rescue Cyprus will be used for marketing purposes.
Publishing personal information on the DOG Rescue Cyprus website
DOG rescue Cyprus will not publish personal information on the website without the consent of the individual.
Transferring data to a third party
Where a third party organisation is contracted to process, handle or dispose personal data on behalf of DOG Rescue Cyprus confirmation must be obtained that they undertake to abide by the Data Protection Act.
A written contract is required setting out the following:
Information should only be sent to DOG Rescue Cyprus authorised third party agents where a contract is in force, to ensure full compliance of the Data Protection Act.
Transferring data outside the EEU
Data will not be transferred outside the EEU.
Data loss prevention – Storage and transferring of data
As well as processing data accurately DOG Rescue Cyprus is responsible for ensure all personal data is securely held and the necessary steps have been taken to reduce the risk of data loss.
Data security breach
The Information Commissioners Officer (ICO) enforces all breaches of the DPA. The ICO can impose
sanctions (including criminal) against companies found in breach. The ICO has the power to issue
monetary penalties for serious breaches of the Data Protection Act.
A data security breach can happen for reasons, such as:
It is DOG Rescue Cyprus responsibility to ensure that these risks are reduced and that measures are in place to deal with any security breaches.
In the event of a data security breach an internal investigation into the data breach would be undertaken and the Information’s Commission Office would be informed.
Further guidance regarding security breaches can be found on the ICO website www.ico.gov.uk.
Request to stop processing individual data
Individuals have the right to require DOG Rescue Cyprus to stop processing their information (section 10 of the Data Protection Act). It is DOG Rescue Cyprus responsibility to remove individual information from any processing of their data i.e. marketing activity. Where this request has been received it is DOG Rescue Cyprus responsibility to update the records.
This file must be checked before the processing of any data to remove the individual from the processing activity.
Definitions of terms
Data that relates to a living individual who can be identified from it in combination with other readily available information. This includes personal images and audio recordings as well as text. Legislation also covers data identified by reference numbers where a separate list can be used to match the reference numbers to named individuals.
Sensitive personal data
Personal data consisting of information as to (a) the racial or ethnic origin of the data subject,
(b) their political opinions, (c) their religious beliefs, (d) whether they are a member of a Trade
Union, (e) their physical or mental health, (f) their sexual life, (g) the commission or alleged commission by them of any offence and (h) any proceedings for any offence committed or alleged to have been committed with them.
Information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose or (b) is recorded as part of a relevant filing system.
The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Any person who processes the data on behalf of the Data Controller. This can include any third party who processes data on behalf of DOG Rescue Cyprus.
An individual who is the subject of personal data (who the data refers to).
Obtaining, recording, holding the data, carrying out any operation on the data, including organising, adapting or alteration of the data; retrieval, consultation or use of the data; disclosure of the data, and alignment, combination, blocking, erasure or destruction of the data. If in doubt, assume that you are processing data.
Relevant filing system
Any set of information relating to individuals which is readily accessible. This includes information held electronically (including e-mails, photographs) and manual files, such as personnel files.
Generally, explicit consent means specific consent to carry out a specific action, particularly in relation to an individual’s personal information. An individual must be approached for specific consent for it to be considered ‘explicit’.