Data Protection Policy

D.O.G Rescue Cyprus

This is a statement of the data protection policy adopted by DOG Rescue Cyprus. The policy is subject to regular review to reflect the changes to legislation. All DOG Rescue Cyprus volunteers and representatives are expected to apply the policy and seek advice when required.

 

DOG Rescue Cyprus needs to collect certain types of information about people with whom it deals in order to operate. This includes information relating to adopters, fosters and donators. All personal information must be dealt with according to the Data Protection Act 1998.

 

The Data Protection Act provides various safeguards relating to the management of individuals’ personal data. It places a number of obligations on DOG Rescue Cyprus to ensure that data is managed effectively and lawfully. DOG Rescue Cyprus fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.

 

The principles in the Data Protection Act instruct DOG Rescue Cyprus to ensure that personal and sensitive data is:

 

  • processed fairly and lawfully;
  • obtained for a specific and lawful purpose and not processed in any manner incompatible with
  • the purpose;
  • adequate, relevant and not excessive for the purpose;
  • accurate and up to date;
  • not kept for longer than necessary;
  • processed in accordance with the data subject’s rights;
  • kept safe from unauthorised processing, or accidental loss, damage or destruction;
  • not transferred to a country or territory outside the European Economic Area (EEA1) unless that country has equivalent levels of protection for personal data.

 

To comply with the Data Protection Act DOG Rescue Cyprus will:

 

  • ensure fair collection and use of information;
  • meet its legal obligation to specify the purposes for which information is used;
  • collect and process appropriate information needed to fulfil operational need or comply with
  • legal requirements;
  • ensure the quality of information used;
  • ensure that information is held for no longer than necessary;
  • ensure that the rights of an individual are fully exercised under the Act;
  • take appropriate technical and organisational security measures to safeguard personal
  • information;
  • ensure that personal information is not transferred to a country outside the EEA without suitable safeguard.

 

To assist in achieving compliance DOG Rescue Cyprus will:

 

  • ensure that there is someone with specific responsibility for data protection in the organisation;
  • ensure that all volunteers and representatives managing and handling personal information understand that they are contractually responsible for following good data protection practice;
  • deal with queries about handling personal information promptly and courteously;
  • regularly review our internal records register to ensure information is not held for longer than necessary;
  • provide data protection training to volunteers and representatives and update them if legislation or the guidance supporting the Act changes.

 

 

Scope

The scope of this policy is to outline the responsibilities of DOG Rescue Cyprus and DOG Rescue Cyprus representatives’ and provide practical guidance when processing and dealing with enquiries involving personal data.

 

A copy of the Data Protection Act can be found on the Information Commissions Office (ICO) website www.ico.org.uk.

 

Where personal data is not processed, stored, destroyed and/or disclosed in full compliance of the Data Protection Act the ICO has the power to set monetary fines of up to £500,000. As well as the costs involved there is a possibility of affecting the DOG Rescue Cyprus brand and reputation.   It is also important to recognise that representatives and volunteers can be prosecuted for their failure to comply with the Data Protection Act.   Therefore, it is imperative that all DOG Rescue Cyprus representatives and volunteers read this policy and are fully aware of the implications of disclosing or losing personal data, even by genuine error.

 

 

DOG Rescue Cyprus volunteer and representatives responsibilities

All DOG Rescue volunteers and representatives are responsible for following the eight principles of the Data Protection Act by:

 

  • ensuring data is processed accurately and in conjunction with the Data Accuracy Policy;
  • ensuring all personal data that is collated is distributed in full compliance of the Data

 

Protection Act:

  • retaining only relevant information;
  • securely disposing of all personal information that is no longer relevant;
  • ensuring that they only provide personal information to the individual whose data is held;
  • checking that any information that they provide to DOG Rescue Cyprus, in connection with their role, is accurate and up to date;
  • complying with the guidelines set out in this policy;
  • seeking advice where they are unable to confirm an individual’s identity before the disclosure of any information.

 

 

Types of data

Personal data relates to a living individual who can be identified from that data or from that data in conjunction with other readily available data e.g. address contact details.

 

All printed personal data must be kept in a locked filing cabinet. If information is held electronically, files must be password protected.

 

To allow DOG Rescue Cyprus to process and hold personal information the individual must be advised of the reason for processing and storing such data and consent must be given. Authorisation is obtained on the following documents:

  • Adoption Application Form
  • Foster Application Form
  • Homecheck Form
  • Gift Aid Form
  • Microchip Registration Form

 

Once information is in the possession of DOG Rescue Cyprus, staff must process it in accordance with the data protection principles paying particular attention to security, accuracy, length of time held and the purpose for which it was originally obtained.

 

Situations where data can be processed without consent:

  • for the performance of a contract;
  • for compliance with any legal obligation to which HAO is subject, other than an obligation imposed by contract;
  • to protect the vital interests of the data subject;
  • for the administration of justice;
  • to exercise any functions brought about by other legislation;
  • to exercise any functions of the Crown, a Minister of the Crown or a Government Department;
  • to exercise any functions of a public nature exercised in the public interest by any person;
  • for the purposes of legitimate interests pursued by DOG Rescue Cyprus or by a third party requesting data (except where the processing may prejudice the rights and freedoms or legitimate interests of the data subject).

 

Sensitive data relates to an individual’s racial origin, political opinions, religious beliefs, trade union membership, physical or mental health matters, sexual orientation/life or actual criminal activity and criminal record.

 

Such data can only be collated with the express consent of the individual and must be processed with extreme care.

 

Circumstances that enable sensitive data to be processed lawfully:

  • to protect the vital interests of an individual where consent cannot be given (such as a medical emergency);
  • where DOG Rescue Cyprus cannot reasonably be expected to obtain consent;
  • to protect the vital interests of an individual where consent has been unreasonably withheld;
  • legitimate activities carried out by DOG Rescue Cyprus;
  • where the data had already been made public by the data subject;
  • for legal proceedings (including prospective legal proceedings);
  • to exercise any functions brought about by other legislation;
  • to exercise any functions of the Crown, a Minister of the Crown or a Government Department;
  • to exercise any functions of a public nature exercised in the public interest by any person;
  • for medical purposes undertaken by a health professional, or equivalent.
  • for equal opportunity purposes.

 

Sensitive information must be protected with a higher level of security and must be kept separately in a locked drawer or filing cabinet, all electronic files must be password protected.

 

 

Subject Access Rights

Under the Data Protection Act each individual has the right to access personal data held about them although this does not give them the right to access information about anyone else (except a parent acting on behalf of a child). This right extends to data held both electronically and manually.

 

 

Any person may exercise the right to request personal data held about them by submitting a written request to the Data Protection Officer. To apply for a subject access request the individual must put their request in writing. This does not have to be a formal letter; e-mails and social media requests should also be accepted. In the event that the person requesting the Subject Access Request has difficulties to communicate in writing DOG Rescue Cyprus does have a legal duty to make reasonable adjustments; such as accepting a verbal request.

 

 

On receiving a subject access request, DOG Rescue Cyprus will carry out a full search of databases and forward copies of any documentation within one month of receipt.

 

 

The subject access request will be logged, the search carried out and checks undertaken to ensure all information is eligible with clear explanations of what the document is or refers to. All disclosable documents. A final response will be sent to the individual with a copy of document log and a full copy of documents saved for future reference.

 

 

Whilst responding to a subject access request there may be occasions whereby providing information may disclose information regarding a third party. Section 7(4) of the Data Protection Act (1998) states that if you cannot comply with the request without disclosing information relating to another individual who can be identified from that information you do not have to comply with the request unless the third party has consented to the disclosure and/or it is reasonable to do so in all circumstances. In such cases the individual requesting this information should be written to advising them that DOG rescue Cyprus is unable to process their request and the reasons why. It may be possible to edit the document by removing third party names.

 

Consideration must be given when requesting consent from the third party to ensure that by requesting consent DOG Rescue Cyprus is not disclosing personal information about the requesting individual. In all cases a record of the course of action taken must be recorded and the reasons for not obtaining consent. Should DOG Rescue Cyprus disclose information without consent the third party does have the right to complain to the Information Commissions Office; who will request a full explanation for disclosing such information.

 

 

Subject Access Requests can be requested by third parties i.e. solicitors. Written authorisation MUST be provided by the person whose data you are collating. Identity must also be provided i.e. passport to allow you to confirm that the request is authorised. Where third party requests are received it is recommended that you speak to the data subject (person whose data you are collecting) as further confirmation that they have authorised the request unless the third party has specifically stated not to do so.

 

 

Requests for information from government authorities investigating fraudulent or criminal activity may be exempt from the Data Protection Act and third party consent may not be required. On occasions the organisation requesting personal information may state that the individual must not be contacted for consent. Where such requests are received the following must be considered before disclosing information:

  • Is the request valid?
  • What is it required for?
  • Is consent required from the third party?
  • What affect would it have on the third party if the information is disclosed?

 

Where information is disclosed a log of the investigations to confirm validity of the request and reason for disclosing without third party consent must be made. DOG Rescue Cyprus does have the right not to comply with the request, however a full explanation to the requesting body is required. Should DOG Rescue Cyprus disclose information without consent the third party does have the right to complain to the Information Commissions Office; who will request a full explanation for disclosing such information.

 

 

Data may be amended and updated as part of a daily function. However, it is an offence under the Data Protection Act to delete or change a record following the receipt of a subject access request. Therefore it is extremely important to ensure that information held on a person is relevant, fair and accurate. Where information is no longer relevant it should be destroyed at the time it is no longer required.

 

 

Information provided with a subject access request may also include documents that are not considered personal i.e. information relating to a complaint but not mentioning the individual. It is not a requirement under the Data Protection Act to supply such information. However, it is recommended to allow the individual to make sense of other documentation that includes personal information regarding the same subject matter.

 

 

Letter to individual confirming receipt of Subject Access Request

RE: Subject Access Request

Further to your recent request to access your records under the terms of the Data protection Act 1998 I am writing to confirm receipt. DOG Rescue Cyprus will now conduct a full search of our electronic and manual records and will provide you with hard copies of all documentation related to you by <1 month from receipt of request>. If you would prefer to receive this documentation electronically please let us know.

 

 

Letter to individual requesting subject access request

RE: Subject Access Request

Thank you for your request for access to your records under the terms of the Data Protection Act 1998. Please find the information enclosed, these documents may include information that has been supplied on a discretionary basis, which we are not obliged to disclose under the Data Protection Act. You should be aware that the Data Protection Act provides for a number of exemptions to the disclosure of information. DOG Rescue Cyprus, like all registered Data Controllers under the Act, is entitled to apply those exemptions where permitted.

 

If you have any queries with the information provided, please do not hesitate to contact us.

 

 

Letter to individual requesting subject access request – no data held

RE: Subject Access Request

Thank you for your request for access to your records under the terms of the Data Protection Act 1998. DOG Rescue Cyprus has conducted a full search of our manual and electronic databases and has been unable to locate any personal records relating you.

You should be aware that the Data Protection Act provides for a number of exemptions to the disclosure of information. DOG Rescue Cyprus, like all registered Data Controllers under the Act, is entitled to apply those exemptions where permitted.

If you have change your name or have any further information that you feel may help DOG Rescue Cyprus conduct a further search please contact us.

Individuals can submit as many subject access requests they wish. In the event that repeated requests are made any information that was disclosed on a previous request does not need to be included in a new request if:

  • the data has not changed
  • if the information has been disclosed within a reasonable time period.

Where information is not provided due to previous subject access requests the individual should be informed.

 

 

Disclosure of Information

Whenever personal data is disclosed it is important that the information provided is accurate and relevant to the enquiry and does not disclose another individual’s personal data.

 

 

To the individual whose data is held

The identity of the individual that is requesting personal data must be verified prior to providing any personal data. Personal data can only be disclosed to the individual whose data is being requested, unless consent is provided by the individual whose data is being requested.

 

 

Example of verification:

Before disclosing any information the individual should confirm their name, address and date of birth.

If the caller has contacted DOG Rescue Cyprus on behalf of the individual, personal information must not be provided without written consent of the individual.

 

 

To a DOG Rescue Cyprus representative

DOG Rescue Cyprus representatives are likely to have access to data however this must be limited to information required to complete daily duties with regard to DOG Rescue Cyprus activities. When a request is received from a DOG Rescue Cyprus representative that discloses personal information, information may only be disclosed if it is relevant to their role in DOG Rescue Cyprus.

 

 

To a third party

Disclosing information to a third party without prior consent of the individual would result in non-compliance of the Data Protection Act. However, information can be disclosed if written authorisation from the individual is received and can be verified. Verifications should include a signature to allow DOG Rescue Cyprus to cross check the signature on previous documentation i.e. application form.

 

 

To prevent or detect a crime

The Data Protection Act does allow disclosure of information to prevent or detect a crime.

The following questions should be asked prior to releasing any information:

  • Am I sure the requester is who they say they are? (where possible requests should be made in writing and signed by someone of sufficient authority. Police will provide a section 29 request);
  • Is the person asking for this information to prevent or detect a crime?
  • If DOG rescue Cyprus does not release this information will it harm any attempt by the police to prevent a crime or catch a suspect?
  • If DOG rescue Cyprus does release the information what is the minimum set of information DOG Rescue Cyprus should release?
  • How will this information assist the attempts to prevent or catch a suspect?

If DOG rescue Cyprus is not satisfied, the request for information can be denied. A court order may then be applied for by the requesting organisation. If the courts decide the information should be released, DOG rescue Cyprus is covered under the Data Protection Act.

On receipt of a request for information to prevent or detect a crime a record should be made of each decision made and filed in a secure cupboard.

 

 

Updating data protection information

Whenever personal data is collected a data protection statement should be available to disclose the purpose of collecting the data and who has access to the data. When processing the information collected the data protection preference selected by the individual must be recorded to ensure the data is processed correctly i.e. information is not used for marketing purposes.

 

 

Collection of data for marketing purposes

All information must be processed fairly. DOG Rescue Cyprus must always make sure that individuals are aware of the following:

  • the identity of the person or organisation responsible for operating the website and of anyone else who collects personal information through the site;
  • how and for which purposes their information will be used;
  • any other information needed to make sure the processing is fair to individuals, taking into
  • account the circumstances of the processing. This includes telling individuals if DOG Rescue Cyprus will disclose any information to third parties.

Unless the use of the personal information is obvious it must be made clear to the individual before, or at the time the data is collected.

 

 

Personal information found on the internet

For full compliance of the Data Protection Act DOG Rescue Cyprus will not use any personal information held in the public domain. Only information collected by DOG Rescue Cyprus will be used for marketing purposes.

 

 

Publishing personal information on the DOG Rescue Cyprus website

DOG rescue Cyprus will not publish personal information on the website without the consent of the individual.

 

 

Transferring data to a third party

Where a third party organisation is contracted to process, handle or dispose personal data on behalf of DOG Rescue Cyprus confirmation must be obtained that they undertake to abide by the Data Protection Act.

A written contract is required setting out the following:

  • third party can only act on instructions from DOG Rescue Cyprus;
  • appropriate security measures are taken against loss, damage and unauthorised use of personal data;
  • include a provision in the contract that DOG Rescue Cyprus is able to inspect and monitor their compliance where necessary;
  • agreed timescale for holding data to ensure only relevant data is held at the third party;
  • confirm secure disposal of personal data once no longer relevant for the purposes of the contract.

Information should only be sent to DOG Rescue Cyprus authorised third party agents where a contract is in force, to ensure full compliance of the Data Protection Act.

 

 

Transferring data outside the EEU

Data will not be transferred outside the EEU.

 

 

Data loss prevention – Storage and transferring of data

As well as processing data accurately DOG Rescue Cyprus is responsible for ensure all personal data is securely held and the necessary steps have been taken to reduce the risk of data loss.

 

 

Data security breach

The Information Commissioners Officer (ICO) enforces all breaches of the DPA. The ICO can impose

sanctions (including criminal) against companies found in breach. The ICO has the power to issue

monetary penalties for serious breaches of the Data Protection Act.

A data security breach can happen for reasons, such as:

  • loss or theft of data or equipment on which data is stored;
  • inappropriate access controls;
  • equipment failure;
  • human error;
  • fire or flood;
  • hacking attack;
  • blagging offence where information is obtained by deceiving the organisation who holds it.

It is DOG Rescue Cyprus responsibility to ensure that these risks are reduced and that measures are in place to deal with any security breaches.

In the event of a data security breach an internal investigation into the data breach would be undertaken and the Information’s Commission Office would be informed.

Further guidance regarding security breaches can be found on the ICO website www.ico.gov.uk.

 

 

Request to stop processing individual data

Individuals have the right to require DOG Rescue Cyprus to stop processing their information (section 10 of the Data Protection Act). It is DOG Rescue Cyprus responsibility to remove individual information from any processing of their data i.e. marketing activity. Where this request has been received it is DOG Rescue Cyprus responsibility to update the records.

This file must be checked before the processing of any data to remove the individual from the processing activity.

 

 

Definitions of terms

Personal data

Data that relates to a living individual who can be identified from it in combination with other readily available information. This includes personal images and audio recordings as well as text. Legislation also covers data identified by reference numbers where a separate list can be used to match the reference numbers to named individuals.

 

 

Sensitive personal data

Personal data consisting of information as to (a) the racial or ethnic origin of the data subject,

(b) their political opinions, (c) their religious beliefs, (d) whether they are a member of a Trade

Union, (e) their physical or mental health, (f) their sexual life, (g) the commission or alleged commission by them of any offence and (h) any proceedings for any offence committed or alleged to have been committed with them.

 

 

Data

Information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose or (b) is recorded as part of a relevant filing system.

 

 

Data controller

The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

 

 

Data processor

Any person who processes the data on behalf of the Data Controller. This can include any third party who processes data on behalf of DOG Rescue Cyprus.

 

 

Data subject

An individual who is the subject of personal data (who the data refers to).

 

 

Processing

Obtaining, recording, holding the data, carrying out any operation on the data, including organising, adapting or alteration of the data; retrieval, consultation or use of the data; disclosure of the data, and alignment, combination, blocking, erasure or destruction of the data. If in doubt, assume that you are processing data.

 

 

Relevant filing system

Any set of information relating to individuals which is readily accessible. This includes information held electronically (including e-mails, photographs) and manual files, such as personnel files.

 

 

Explicit consent

Generally, explicit consent means specific consent to carry out a specific action, particularly in relation to an individual’s personal information. An individual must be approached for specific consent for it to be considered ‘explicit’.

Start typing and press Enter to search