The purpose of this procedure is to ensure that staff adequately comply with the principles of data protection and to provide a managed outline for fulfilling our business needs, accountability and legal responsibilities.
The policy applies to all Creseada Staff and to associated interested parties.
Each department within the organisation is responsible for the data that it holds. This responsibility extends to data that is processed by third parties on behalf of Creseada.
The Audit and Compliance Manager manages and ensures adequate compliance with the data protection procedure.
IV. Principles of Data Protection
Creseada collects and uses data in many ways. In doing so, we shall ensure that all legal obligations under the Data Protection Act 2018 are met. This includes ensuring that personal data is:
a. Processed lawfully and fairly
b. Processed for specified, explicit and legitimate purposes and not further processed in any manner that is incompatible with those purposes.
c. Adequate, relevant and limited to what is necessary for the purposes for which it is being processed.
d. Accurate and, where necessary, kept up to date.
e. Not kept longer than necessary for the purposes for which it is being processed.
f. Processed in a secure manner, by using appropriate technical and organisational means.
g. Processed in keeping with the rights of data subjects regarding their personal data.
V. Data Protection Procedure
a. Security of Personal Data
We are committed to taking appropriate technical, physical and organisational measures to keep personal and sensitive data secure at all points of processing, in order to safeguard against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We shall implement security measures which provide a level of security which is appropriate to the risks involved in the processing.
b. Manually Held Personal Data
Each department within the organisation is responsible for ensuring that records of personal and sensitive data are filed and stored adequately.
c. Processing of Manually Held Data by Post, etc.
When confidential or sensitive personal data are sent via courier or post, the administrator checks before dispatch that they are addressed to the correct recipient.
d. Printing Personal Data
i. Staff are to collect all information sent to the printer immediately and either store it securely or dispose of it appropriately.
ii. Personal data shall not be left on printers or photocopiers.
e. Electronically Held Personal Data
The IT department shall coordinate and ensure that personal or confidential data held on computers or their systems (including any information held on back-up systems) is adequately protected by the use of secure passwords, which are changed frequently (every 90 days).
f. Sending Personal Data via Email
i. Staff sending customer, personal or confidential data via email must check the email address prior to sending the information, to ensure that it is being sent to the correct recipient.
ii. Staff sending confidential or sensitive data shall ensure that the information is adequately secured, i.e. by password protecting the information.
g. Use of Removable Media Devices
i. The IT department shall ensure adequate control of the use of removable media devices (i.e. CDs and USB memory sticks (flash drives)) used for the purpose of conducting official business.
ii. Removable media devices and associated equipment shall be installed by the IT department.
iii. Non-Creseada media shall not be used to store any information for the conduct of official business.
iv. Removable media devices shall not be used for archiving or storing records.
h. Retention of Personal Data
Data shall not be kept for longer than is necessary for the purpose for which they were collected.
All data held by each department shall be stored and filed in accordance with the departmental index of records or the archive procedure C-QMS-PM-03, and destroyed in accordance with the specification required there and in compliance with regulatory or statutory obligations.
i. Disposal of Personal Data
Data shall be disposed of when they are no longer needed for the effective functioning of the business operations. The method of disposal shall be appropriate to the sensitivity of the data. Shredding shall be used in the case of manual data, and reformatting or deletion in the case of electronic data.
VI. Monitoring and Enforcement
This procedure shall be reviewed annually to ensure that it remains adequate and continues to comply with regulatory and statutory requirements. All staff who process personal information must ensure that they not only understand this procedure but also act in line with it.