Policy in Relation to Data Protection
This is the policy of Leeds, York and North Yorkshire Chamber of Commerce in relation to the Data Protection Act. Mar2005, Issue1, Int.PO5.
This policy applies to the processing of data on all Leeds, York and North Yorkshire Chamber IT systems, and on external IT systems and records held or managed by Leeds, York and North Yorkshire Chamber.
The objective of this policy is to ensure that Leeds, York and North Yorkshire Chamber complies with the Act and adheres to the Data Protection Principles.
Leeds, York and North Yorkshire Chamber of Commerce will endeavour to:
- Keep records in relation to the Act.
- Ensure that the IT Security statements of all Leeds, York and North Yorkshire Chamber IT systems take account of the Act.
- Perform regular compliance reviews.
- Deal with routine enquiries and facilitate the handling of subject access requests.
- Promote awareness of the Act, the Data Protection Principles and this Policy within Leeds, York and North Yorkshire Chamber.
This overall privacy statement discloses the privacy practices for this entire web site, www.leedschamber.co.uk. Our aim is to be open about how we collect personal information and what we do with it. The purpose of the site is to provide an information and advice service to businesses.
This statement describes:
- What information the site gathers about you.
- What we do with the information we gather.
- With whom we share the information we gather.
We take the privacy of our customers very seriously, and are open about how we will treat your personal data when you use this site. If this policy changes, then we will let you know via our homepage, but we assure you that we only use your data as so specified and for our legitimate business reasons.
When do we collect data?
We can collect personal information on you from a variety of different sources:
1. When you register to become a member of the Chamber;
2. When you speak to our advisers and administrative staff;
3. Via explicit data capture measures e.g. by completing surveys;
4. Via implicit data capture measures, such as studying which pages you read the most.
In any of the above contexts, the data we collect could be personal data.
What do we do with your personal information?
When you download information via the site, we may need to collect information about you to record your interest and provide you with the services you expect. This information may include, but is not limited to, details such as your name, your address and your e-mail address.
Unless we have your express consent, we will only disclose personal data to third parties if this is required for the purpose of completing your request to us and for reporting website use to our partners and funders, Yorkshire Forward and Business Link for West Yorkshire. This is subject to the proviso that we may disclose your data to certain permitted third parties, such as members of our own group, our own professional advisers who are bound by confidentiality codes, and when we are legally obliged to disclose your data.
Leeds, York and North Yorkshire Chamber retains and uses your personal information to provide you with a personalised service and to include appropriate information about other services that may be of interest to you. We may also use the information to process internal administration and analysis.
We do not sell, rent or trade your personal information to third parties for marketing purposes.
In the UK we operate and are registered in accordance with applicable data protection legislation.
Our newsletter subscribers have the option to opt-out of receiving further information from us. This can be done by emailing your wish to unsubscribe to:
By keeping your details and interests up to date, you will help us to keep you informed of news and initiatives that may be of interest to you. You can update your own details on our website or you can send an e-mail with your correct details to:
Leeds, York and North Yorkshire Chamber of Commerce
White Rose House
28a York Place
GUIDANCE FOR STAFF ON COMPLIANCE WITH THE DATA PROTECTION ACT 1998
The way in which Leeds, York and North Yorkshire Chamber of Commerce & Industry (the "Company") uses personal data is regulated by the Data Protection Act 1998 (the "Act").
Please read this guidance note carefully as it will make you aware of your responsibilities under the Act.
If you fail to comply with the requirements of this guidance note, this may amount to misconduct, which is a disciplinary matter, and could ultimately lead to your dismissal.
You should be aware that breach of the Act may expose the Company to enforcement action by the Information Commissioner. Furthermore, certain breaches of the Act can give rise to a personal criminal liability for you and for the Company. At the very least, a breach of the Act could damage our reputation and affect our ability to use personal data which would have serious consequences for our business.
WHAT IS PERSONAL DATA?
Personal data means information which relates to a living, identifiable individual ("data subject"), such as names, addresses and business details. Data Subjects can include sole traders, partnerships and employees and officers of limited companies but not limited companies themselves. Images caught on CCTV cameras and recorded telephone conversations are also personal data.
Personal data refers to the total volume of information held by the Company in respect of any data subject. For example, it does not matter that your department merely holds a business or trading name for a data subject if another department has the individual's name and address with which that data subject can be identified.
The Company processes personal data about data subjects who are our employees, members, business contacts and suppliers. This data may be processed by computer, held on our database or held in manual filing systems. Please refer to the Compliance Manager if you are unsure as to whether or not the manual files which you hold are caught by the Act. The test is whether the manual files are internally and externally structured so that you can find specific information about a particular individual easily.
WHAT MUST YOU DO TO COMPLY WITH THE ACT?
1. You must begin by complying with the eight data protection principles that are contained in the Act. These are described in more detail in the next section.
2. You must make sure that you do not obtain or disclose personal data without clear authority from the Company to do so. For example, you must not disclose details of a Member to anyone other than the Member themselves and you must follow company procedure to verify that the enquirer is who he or she claims to be. Where someone other than the member requests information, you must check with the Compliance Manager as to whether this is authorised, or whether the Member has agreed to this disclosure.
3. The obligation is not to disclose personal data without clear authority from the Company even if requests are received from the Police, the Inland Revenue or any other government body. There are only limited circumstances in which we can disclose personal data to these organisations and each request must be considered carefully.
THE DATA PROTECTION PRINCIPLES
You must comply with each of the following data protection principles. There are eight in total and these determine the way in which the Company may process personal data. The Act contains a very wide definition of processing which covers everything that you could possibly think of doing with the personal data, from collection to destruction.
1. Personal data must be processed fairly and lawfully, and must not be processed without legal justification.
The Company must be able to justify any processing activity which it carries out. All decisions about what data will be processed must be taken by your Manager. It is particularly important to ensure we have such justification whenever we process information about an individual's racial or ethnic origin, religious or political opinions and beliefs, sexuality, trade union membership, physical or mental health or condition, or criminal record or alleged criminal activity. In most cases, we should not be processing these categories of personal data unless we have obtained the data subject's explicit consent beforehand.
If part of your job requires you to obtain personal data from a data subject, you must ensure that you give a data protection notice to the individual whose data you obtain.
The Compliance Manager can supply you with copies of these notices and instructions on when and how to give them to data subjects. If the Company fails to give a data protection notice at the appropriate time, we may be severely restricted as to what we can do with the data. It is therefore very important that you follow these instructions precisely.
2. Personal data may only be processed for specific and lawful purposes and may not be used for any other purpose.
The data protection notices which the Company uses state our specified lawful purposes for collecting the information. The Compliance Manager will be aware of these notices and can provide you with copies. You must make sure that your activities stay within the purposes stated in the notices.
3. Personal data must be adequate, relevant and not excessive.
You are advised to resist any temptation to start collecting any personal data which you are not already authorised to collect even if you think this may assist the Company. You should check with your Manager before you start collecting any additional personal data.
4. Personal data must be accurate and up to date.
You should attempt to avoid using guesswork to decipher any documents which you cannot read clearly as this could result in the Company holding inaccurate information.
5. Personal data must not be kept for longer than is necessary.
The Compliance Manager will be able to tell you when to archive or destroy data.
6. Personal data must be processed in accordance with the rights of the data subject.
Please see the next section which sets out these rights in more detail.
7. Personal data must be kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The Company may issue from time to time an internet security and e-mail communications policy which you must follow. You may also receive a leaflet detailing physical security procedures for our building. Failure to comply with any such policies which have been put in place by the Company may give rise to disciplinary action.
8. Personal data must not be transferred to a country outside the European Economic Area unless the country provides an adequate level of protection for those personal data.
The Compliance Manager will inform you when you are able to transfer personal data outside the EEA (which comprises the 15 member states plus Norway, Iceland and Liechtenstein). You must not make such transfers unless authorised to do so.
THE RIGHTS OF DATA SUBJECTS
1. The right of access
Data subjects have the right to apply for a copy of any personal data which the Company holds about them. If you receive anything that looks like a request, either by letter, telephone, face to face interview, fax, e-mail etc, you must pass this request immediately to the Compliance Manager. The Company is under a very strict time limit to meet this request and any wasted time may harm our business.
2. Right to prevent processing
Data subjects now have the right to object to processing which they think might cause them substantial damage or distress which is unwarranted. If you receive anything that looks like a request to prevent such processing, pass it to the Compliance Manager immediately. Once again, the Company is under very strict time limits for dealing with such requests.
3. Right to prevent processing for marketing purposes
The data subject has an absolute right to prevent processing for direct marketing purposes. If you receive an objection to marketing, you should promptly follow any procedures in place with your department for recording such objections precisely. If there is no such procedure in place, you should pass the objection to your Manager immediately.
4. Right to object to automated decision making
If an automated decision is made about an individual and this decision significantly affects the individual and has been taken solely on the basis of automated processing, the data subject now has the right to object to such processing. This refers to matters such as credit scoring and if you receive anything that looks like an objection to an automated decision, you must pass this to your Manager immediately.
5. Right to compensation
The Act has also given individuals the right to claim compensation if they believe that the Company has committed a breach of the Act and they have suffered damage or damage and distress as a result. Once again, if you receive such a claim, you should pass it to the Compliance Manager immediately.
Both the Company and you have responsibilities under the Act. If you follow the procedures set out above, then you can be sure that your activities in respect of personal data will comply both with the Act and this guidance. You will have protected the Company and yourself from any criminal liability.
FURTHER INFORMATION AND CONTACT DETAILS
If you have any questions regarding your responsibilities, please seek advice from your Line Manager.
Leeds, York and North Yorkshire Chamber of Commerce & Industry.