Data Protection and Freedom of Information

Personal information on living individuals who can be identified from the information, and that is stored or processed on a computer in the UK, is subject to the Data Protection Act. Any applications handling personal data must comply with the data protection legislation and principles. All staff will be advised as to what constitutes personal data. The Information Technology Security Controller is the nominated Data Protection Officer, who will provide all staff with appropriate guidance on their individual responsibilities and any specific procedures that need to be followed. If any member of staff wishes to keep any personal information, they must ensure they are fully compliant with the Data Protection Act. As from 1999, the Data Protection Act covers some manual records as well as electronic records. The data protection principles defined in the legislation are as follows:

  • Personal data must be obtained and processed fairly and lawfully. (It is important that the data subject knows where the data came from and who has access to them, and fully understands the purposes for which any data they supplied will be used. It also involves obtaining the subject's prior consent to use the data.)
  • Personal data must be held only for specified and lawful purposes. (Data must not be processed unless the subject has been made aware of the purpose for which they are used and the use has been registered.)
  • Personal data must be relevant, adequate and not excessive. (Data which are not relevant to the registered purpose must not be held; in other words, personal data should not be held solely because 'they might be useful' in the future, and it must be made clear that providing them is entirely optional.)
  • Personal data must be accurate and kept up-to-date. (The data subject has the right to insist that his/her personal data are amended if they are not correct. Opinions are also considered as personal data for the purposes of this Act.)
  • Personal data must not be kept longer than is necessary for the purpose. (Data must not be kept for any longer than is necessary unless a specific need can be justified e.g. audit trails or legal requirements.)
  • Personal data must be processed in accordance with the individual’s rights under the Act. (This gives rights to access, not only to the data themselves but also to the origins, uses, how they are processed, with the right to recourse direct to the Courts in the event of infringement.)
  • Personal data must be kept secure from unauthorised access, alteration, disclosure, loss or destruction.
  • Personal data should not be transferred outside the European Economic Area unless there is an adequate level of protection. (This would currently exclude data transfer to the USA, for example.)

Freedom of Information

The Freedom of Information Act (FOIA) 2000 was designed to allow members of the public to request information that Government Departments hold. It was not meant to apply to commercial organisations like Dbi Consulting Limited. However, as Dbi Consulting Limited undertakes work on behalf of Government Departments and Agencies, the work done by Dbi Consulting Limited staff could be the subject of a request for information under the FOIA.

The process for dealing with any request under the FOIA is as follows:

  • The Data Protection Officer (DPO) is to be informed immediately.
  • The DPO will determine whether the request applies to Dbi Consulting Limited-only information or to work done by Dbi Consulting Limited staff on behalf of a Government Department or Agency. If the former (Dbi Consulting Limited-only data), the requester will be informed that the FOIA does not apply in this case (with an explanation of why it does not apply) and that, as we are not required to supply the information, we will not be complying with the request. If the request is for information produced as a result of work for a Government client, the following actions will be taken:

    The requester will be informed that we have forwarded their request for the information to the Government client we undertook the work for.

    The Government Department/Agency FOIA officers will be contacted, and details of the request with our actions will be forwarded to them.

    If requested by the Government Department/Agency, we will supply them with the necessary information. However, we will not communicate directly with the data requester but through the Government Department/Agency requester.

All requests for information will be logged in the Security Log by the DPO.

© Dbi Consulting Ltd 2007