Data Protection and Privacy Policy

1. Policy Statement

In order to provide a professional service, Broadbent & Co. needs to collect, process and store certain personal and sensitive data (information) from a range of data subjects (individuals), including clients, agencies, past, present and prospective team members, and suppliers. Broadbent & Co. is committed to fulfilling its legal obligations under the Data Protection Act 1998, and will ensure that such information is collected and used fairly, stored securely and appropriately, and not disclosed to any other person without the consent of the relevant individual.

2. Principles

In line with the principles of the Data Protection Act 1998, we will ensure that information is:

1. Fairly and lawfully processed - we will inform all individuals of the reason for collecting information from them
2. Processed for limited purposes we will only collect information for a specified and lawful purpose and will only process the information in a manner compatible with that purpose
3. Adequate, relevant and not excessive we will only request information that we need in order to provide services directly related to our business
4. Accurate we will strive to ensure the accuracy of such records
5. Not kept for longer than is necessary information will only be kept for as long as they are needed in order to offer clients a quality service or in line with audit requirements
6. Processed in line with individuals rights in particular, individuals have the rights to:
   1. be informed upon request of all the information held about them by Broadbent & Co;
   2. prevent the processing of their information for the purposes of direct marketing;
   3. compensation if they can show that they have been caused damage by any contravention of the Act;
   4. the removal or correction of any inaccurate information that we hold about them.
7. Secure information will be held securely
8. Not transferred overseas without adequate protection

3. Sensitive Information

Definitions and Advice from the Information Commissioner

The Act defines eight categories of sensitive personal data. These are:

1. The racial or ethnic origin of data subjects
2. Their political opinions
3. Their religious beliefs or other beliefs of a similar nature
4. Whether they are a member of a trade union
5. Their physical or mental health or condition
6. Their sexual life
7. The commission or alleged commission by them of any offence, or
8. Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings

If you hold personal data falling into these categories it is likely that you will need the explicit consent of the individual concerned. You will also need to ensure that your security is adequate for the protection of sensitive data.

4. Rights to Access Information

In line with Principle 6, all clients, team members, and other users are entitled to request details of the information that we hold about them. Requests for such details should be made in writing, enclosing the relevant fee.

Individuals have the right to view any personal or sensitive information that is being held about them on computer and, with effect from 24 October 2001, to paper-based data held in manual filing systems. Any individual wishing to exercise this right should make the request in writing to Broadbent & Co. We are entitled to make a charge on each occasion that access is requested to reflect administration costs (the charge is currently £10). Release of information resulting from such a request is authorised by the Managing Director. We aim to comply with requests for access to this information as quickly as possible, but will ensure that it is provided within 40 days of receipt of a completed request and the relevant fee. Where there is an unavoidable delay, the reason will be explained in writing to the individual making the request. Individuals are made aware of this right, including their entitlement to view this policy, via relevant documentation issued at the time of collecting the information.

5. Transfer of Information Overseas

Broadbent & Co. currently conducts all of its business within the United Kingdom. However, should the need to transfer personal or sensitive information overseas arise in the future, we will put in place security procedures and firewalls designed to prevent unauthorised use of, or access to, personal or sensitive information, and update our register entry accordingly.

6. Security and Protection of Information

Broadbent & Co. takes confidentiality and security very seriously. We have implemented appropriate internal security procedures that restrict access to and disclosure of personal & sensitive information records. To ensure that information is kept securely, precautions must be taken against physical loss or damage, and both access and disclosure must also be restricted. All team members and representatives are responsible for ensuring that:

1. 1. Any personal or sensitive information that they hold is kept securely
   1. Manual records must be kept in a locked compartment, e.g. cupboard, filing cabinet, drawer or building
   2. Electronic records must be password protected so that only those authorised can view or alter information
2. Personal or sensitive information is not disclosed, either verbally or in writing, to any unauthorised third party
3. Accidental disclosure is avoided
   1. Care must be taken to site computer terminals so that they are not visible to unauthorised people
   2. Screens should not be left unattended when personal data is being processed
   3. Care must be taken to ensure that manual records, e.g. printouts containing personal or sensitive information, are not left where others can access them
   4. When manual records or printouts containing personal data are no longer required, they must be shredded, bagged and disposed of securely

All team members must take particular care of any information carried outside our offices, for example, when transporting records for off-site assessments or when working from home.

7. Disclosure of Information

Information will be passed within our organisation in order to satisfy client support obligations and to maintain its records. Additionally, in order to fulfil its contractual duties, Broadbent & Co. will pass the findings of completed assessments to funding bodies. If the client requests that personal and sensitive information is not disclosed to funding bodies, such information, with the exception of the client name, will be deleted from the assessment report before it is passed to the funding body. We do not disclose information to unaffiliated third parties except where consent of the individual has been obtained, or where we are required to do so by law.

8. Data Monitoring and Statistical Analysis

Collected information may be used for monitoring and/or research purposes. Such activities will be undertaken in the pursuit of service improvement. Any information used for these purposes will be carefully coded in order to ensure that any individual cannot be identified. Individuals are made aware that we may use their information in this way in the Confidentiality & Disclosure of Information Statement, issued to them at the time of collection.

9. Notification

Broadbent Assist Ltd. trading as Broadbent & Co. is registered under the 1998 Act as a data user this registration is reviewed and updated on an annual basis. Broadbent Assist Ltd. is named as the designated Data Controller under the Act and is therefore ultimately responsible for implementation through the Board of Directors. However, the Office Manager will deal with routine, operational matters. Requests for disclosure of information held by Broadbent & Co. will be passed, in the first instance, to the Board of Directors.

10. Archiving, Review and Disposal of Information

We must retain certain records for operational and administrative purposes, and to demonstrate compliance with the law.

We will keep some forms of information for longer than others, in line with the following schedule:

Client Information

Assessments (electronic records)	review after 6 years
Assessments (manual records)	review after 6 years
Survey data	review after 3 years

Personnel Information

Personnel records	review after 5 years
Job advertisements	review after 5 years
Job applications	destroy after 6 months
Recruitment records	review after 1 year

Organisational Information

Committee Agendas and Minutes	permanent
Policies, Statements and Codes of Practice	permanent
Legal Agreements	review after 6 years
Correspondence	review after 5 years
Financial	review after 7 years
Buildings	permanent
Insurance Policies	permanent

The Office Manager is responsible for supervising the retention, review and disposal of all records. Records disposed of under this policy will be shredded, bagged and disposed of securely. This schedule will be reviewed, and updated, as needed.

11. Operational Guidelines -- additional information

Team members request, collect and process data on a day-to-day basis, as required. They have a duty to comply with the contents of the whole of this policy document; in particular, team members must ensure that records are:

1. Accurate
2. Up-to-date
3. Kept and disposed of safely and in accordance with our Archiving and Disposal of Information procedures

Checklist for Handling Information

When handling any personal or sensitive information, make sure that you consider the following points:

1. Do you really need to record this information?
2. Do you have the individual's express consent?
3. Have you issued the individual with all relevant paperwork relating to our Confidentiality & Disclosure of Information statement and their associated rights?
4. Has the individual been told that this information will be processed?
5. Are you authorised to collect/store/process the information?
6. Have you checked with the individual that the information is accurate?
7. Are you sure that the information will be secure?

12. Compliance

All business must be conducted under the terms of this policy. All team members will be provided with training and guidance to ensure their understanding of their responsibilities under this policy. Allegations of any breach of this policy will be taken seriously and thoroughly investigated by the Board of Directors.

13. Dealing With Subject Access Requests

Important advice from the Information Commissioner

Every day the Information commissioner receives complaints from members of the public about the processing of data by data controllers. Compliance with the data protection principles can help to prevent complaints about you. It is important that you should be aware of the rights conferred on individuals by the Act. These include the right to see any personal data of which they are the subject (the right to subject access), and the right not to have their data processed for direct marketing purposes.

If you receive a written subject access request, you must deal with it promptly, and in any case within 40 days from the date of receipt. It may be that you need further information from the person making the request to help you to locate the data. You may also require further information in order to satisfy yourself as to the identity of the person making the request. In these cases the 40 days will begin when you receive this further information. You are entitled, if you wish, to ask for a fee of not more than £10 and the 40 days does not begin until this is received. In response to a subject access request individuals are entitled to a copy of the information held about them, both on computer and as part of a relevant filing system. They also have the right to receive a description of why their information is processed, anyone it may be disclosed to, and any information available to you about the source of the data. You may send the information as a computer printout, in a letter, or on a form. However, it should be easy to understand and any codes should be explained.

It is important that your staff know how to recognise a subject access request and realise that it must be dealt with urgently. The letter may not mention the Data Protection Act 1998 it may just say something as simple as I want to see what you hold about me. (Extract from IC website, 2003)

14. Data Protection Acts 1984 and 1998 Guidance Notes

The Data Protection Act, 1984, introduced basic principles of data protection, which set standards that all registered users were required to observe. It was designed to protect individuals from any disadvantage which might result from their personal details being held on computer, for example if the information became out of date, was lost, or was made available to people or used for purposes other than those it was collected for. The Act also set up the framework for compulsory registration of data users, and established the Data Protection Registrar to organise this process and to ensure compliance.

The Data Protection Act, 1998, replaced the 1984 Act, and builds upon and expands the controls on personal data under the 1984 Act. Under the 1998 Act, the data protection principles have been extended and 'personal data' includes information held in manual filing systems. Individuals are given enhanced rights to receive details of data held about them and why it is being held, and to prevent its use. The processing of data will only be fair if certain conditions have been met. The 1998 Act replaces the office of the Data Protection Registrar with that of the Information Commissioner, and the registration of data users is replaced by notification.

Although the new Act came into force on 1st March 2000, some of the provisions were not effective until October 2001, and others were not fully effective until 23 October 2007. In particular, paper or manual records which are kept in an organised filing system which existed before 23 October 1998 were not covered by the new regulations until the end of the first transitional period, i.e. October 2001. Records in new filing systems created after October 1998 are immediately covered by the 1998 Act.

15. Monitoring

The Board of Directors will monitor the success of this policy. The committee is responsible for co-ordinating, monitoring, and revising our organisations policies, and provides a forum for receiving feedback from all team members in relation to such policies.

As part of his annual report, the Office Manager will provide a report detailing activity and queries raised relating to this policy.

This policy will be reviewed, and revised if needed, on an annual basis.