Data Protection

Introduction

The Data Protection Act 1998 came into force on 1st March 2000, repealing the old Data Protection Act 1984. However, it seeks to retain familiar concepts and to build on the system that the old Act established. It strengthens the rights of individuals and sets out rules for the way personal information about them is processed. It also places more obligations on everyone who records and uses information relating to individuals, applying to some paper records as well as those held on computer. The Act imposes considerable penalties for breaching those obligations.

The Dyfed-Powys Probation Trust is committed to the lawful and appropriate treatment of personal information as set out in the Data Protection Act 1998, and the powers to disclose information under Section 115 of the Crime and Disorder Act 1998.

The general rule is that any organisation or individual which processes personal data must comply with the 1998 Act; therefore, all staff working on behalf of the Dyfed-Powys Probation Area come within the scope of this policy and must comply with it. This includes Board members, permanent and fixed contract employees, agency staff, contractors, consultants and staff from partner organisations.

For full details of the Act, information is available from the office of the Data Protection Officer, Dyfed-Powys Probation Board, Headquarters, Llangunnor Road, Carmarthen, SA31 2PD.

Terminology

Data Controller. Any individual or organisation, such as the Dyfed-Powys Probation Board, which controls personal data.

Personal Data. Information held on a relevant filing system, accessible record or computerised record (as well as digital audio or video equipment), which identifies living individuals.

Sensitive Personal Data. Personal data relating to an individual's race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life and criminal activities.

Relevant Filing System. Also known as manual records, i.e. a set of records which are organised by reference to the individual/their criteria and are structured in such a way as to make specific information readily accessible, e.g. personnel records, microfiches.

Data Subject. An individual, such as an employee or an offender who is the subject of personal data.

Processing. Obtaining, recording or holding data or carrying out any operation on the data including organising, adapting, altering, retrieving, consulting, using, disclosing, disseminating, aligning, blocking, erasing or destroying the data.

Accessible Records. Any records which are kept by Probation as part of a statutory duty e.g. CRAMS records, PSR reports, third party information, including health, social services and education records.

Data Processor. Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Recipient. Recipient, in relation to personal data, means any person to whom the data is disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of the data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.

Third Party. Third party, in relation to personal data, means any person other than:
• the data subject,
• the data controller, or
• any data processor or other person authorised to process data for the data controller or processor.


Notification

The prime responsibility for compliance with the Act lies with the Dyfed-Powys Probation Board. However, where registration has taken place and data protection policies have been notified to members of staff, any breach of the Act (e.g. unauthorised publication of data) could result in the individual being personally liable.

The Dyfed-Powys Probation Area Board is required to notify the Commissioner each year, in broad terms, of the purposes of their processing, the personal data processed, the recipients of the personal data processed and any places overseas to which the data may be transferred. The Commissioner then makes this information publicly available in a register. Notification is not linked to enforcement. Under the 1998 Act all controllers must comply with the data protection principles, even if they are exempt from the requirement to notify. Data controllers have a single register entry. Notifications are renewable annually. The Data Protection Officer in Dyfed-Powys Probation Area is the Assistant Chief Officer at Headquarters.


THE DATA PROTECTION PRINCIPLES

The Act encourages good practices amongst data controllers by establishing a set of eight Data Protection Principles that set out rules for the fair and secure handling of personal data. It is a breach of the principles rather than the Act itself that usually provokes a complaint to the Commissioner.


The eight principles will now be discussed in detail:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in schedule 2(i) is met, and
(b) in the case of sensitive personal data, at least one of the conditions in schedule 3 is also met.

This principle places an obligation on the data controllers to ensure that data is being processed fairly and lawfully. It requires them to examine the legal basis upon which they are processing, what information they are giving to data subjects at the point of collection, whether they are misleading them with regard to the way they will use the data etc.

Paragraph (a) requires that each activity involving processing of data must be justified by reference to the criteria in schedule 2. These include having the subject's written consent, complying with a legal obligation and carrying out a public function, e.g. sharing information with a Partnership organisation that has signed up to our protocol.

Paragraph (b) means that where sensitive personal data is involved it will have to be further justified by reference to one of the criteria in schedule 3. These include explicit consent, to fulfil legal obligations as an employer and to carry out equal opportunities monitoring.


2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This prohibits use of the personal data for purposes outside that for which the data user is registered or which the data subject was told at the time of collection. It is therefore important for all employees who process personal data to know what the Dyfed-Powys registration allows them to do, generally:

  • to provide information to courts and other institutions
  • to supervise offenders in the community and protect the public
  • to monitor the performance and operation of the service
  • to manage the Service's staff

However, the fact that we are registered to do something with personal data does not necessarily mean that we can do it as it may still be in breach of principle 1.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This principle requires the data controller to look at policies and procedures for gathering, storing and weeding information. The Data Controller must ensure that review periods are built into documents so that personal data is only kept as long as is needed. Furthermore the data controller needs to look at the amount of information asked for and consider whether it is really necessary.

For example, keeping information on unsuccessful job applicants for longer than is reasonable could involve a breach of this principle.

To assist in conforming with this principle, all case files should conform to the 'CRAMS' format for data content.

4. Personal data shall be accurate and, where necessary, kept up to date.

The data controller is required to regularly review the information being held. It may be necessary to go back to the individual to check on the accuracy especially where inaccurate information could involve a loss to the individual e.g. pension or salary details. Some information will need to be reviewed more regularly than others because the consequences of processing inaccurate information will be more serious. Any subsequent changes will be entered immediately they are known and where information is found to be inaccurate it will be amended.

Where data sharing has taken place, it should be logged in the case file, and if data is amended for accuracy it is the responsibility of the supervising officer to ensure these amendments are transmitted to the relevant agencies.


5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This is similar to principle 3. In order to be within this principle, the data controller is advised to keep the minimum amount of information about an individual to fulfil their registered purpose. The information will be reviewed regularly to see if it is still needed and if not it will be destroyed.


6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

Under the 1998 Act the rights of individuals in relation to their personal data have been significantly extended. These are discussed below.


7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This principle requires the data controller to ensure that it has security measures in place to avoid loss, damage or destruction to data. A security statement must be included when making a notification to the Commissioner. Also the Act sets out specific considerations for ensuring security. The data controller must take reasonable steps to ensure the reliability of any employees who have access to personal data. This means that employees must be told about data protection and where necessary offered training. Furthermore, if the data controller is using a third party to process its data then a contract must be in place which provides for appropriate security measures to be put in place.


8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Personal data cannot be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
