BBSRC POLICY ON PERSONAL DATA PROTECTION

Transcription

1 Nt Prtectively Marked BBSRC POLICY ON PERSONAL DATA PROTECTION CONTENTS Plicy Statement..... Plicy Scpe... Plicy Objectives... Plicy Principles... Fair Cllectin and Prcessing... Security... Data Sharing... Privacy Impact Assessments... Access... Links with the Freedm f Infrmatin Plicy Respnsibilities... Plicy Cmmunicatin... Plicy Benefits..... Appendices: 1: Relevant Authritative Bdies and Related Dcuments... 2: Dcument and Versin Cntrl... 3: Data Prtectin Definitins and Terms... 4: Schedule 2 (Data Prtectin Act) Cnditins fr Prcessing Persnal Data.. 5: Schedule 3 (Data Prtectin Act) Cnditins fr Prcessing Sensitive Data.. 6: Rights f Data Subjects... 7: Qualified Eurpean Ecnmic Areas Authr: BBSRC Infrmatin Team Date: April 2016 Page 1

2 Nt Prtectively Marked Plicy Statement 1.0 BBSRC fully understands its bligatins t ensure that persnal infrmatin is treated fairly, lawfully and crrectly, and is cmmitted t achieving cmpliance with the laws f the Data Prtectin Act (DPA) The DPA sets ut the rules fr hw rganisatins must prcess persnal data and sensitive persnal data abut living individuals. It gives individuals the right t find ut what persnal data is held abut them by rganisatins (electrnically, and/r within a manual filing system) and t see and crrect any persnal data held. 3.0 BBSRC needs t cllect and prcess persnal data abut peple, including staff and individuals with whm it deals with, in rder t perate its daily business and fr the rganisatin t perate effectively. 4.0 BBSRC is cmmitted t ensuring that staff are apprpriately trained and supprted t achieve cmpliance with the DPA. This is regarded by BBSRC as being very imprtant in maintaining the cnfidence between them and with thse whse persnal data they hld. 5.0 BBSRC fully endrses and adheres t the Data Prtectin Principles stated belw. The Eight Principles f the Data Prtectin Act P1: Persnal data must be fairly and lawfully prcessed, and in particular, shall nt be prcessed unless specific cnditins 2 under Schedule 2 and Schedule 3 f the Act are met. P2: Persnal data shall be btained and used fr ne r mre specified and lawful purpses, and shall nt be prcessed in any manner incmpatible with that purpse r purpses. P3: Persnal data shall be adequate, relevant and nt excessive in relatin t the purpse r purpses fr which they are prcessed. P4: Persnal data shall be accurate and kept up t date. P5: Persnal data shall nt be kept fr lnger than is necessary fr the purpse r purpses it was cllected fr. P6: Persnal data shall be prcessed in line with the individuals rights (see Appendix 6). 1 The Data Prtectin Act 1988 and subsequent amendment can be fund at: 2 Specific cnditins under Schedules 2 f the DPA must be met t prcess persnal data (see Appendix 4). Specific cnditins under Schedule 3 f the Act must be met t prcess sensitive persnal data. (see Appendix 5) Authr: BBSRC Infrmatin Team Date: April 2016 Page 2

3 Nt Prtectively Marked P7: Apprpriate technical and rganisatinal measures shall be taken against unauthrised r unlawful prcessing f persnal data and against accidental lss r destructin f, r damage t, persnal data. P8: Persnal data shall nt be transferred t a cuntry r territry utside the Eurpean Ecnmic Area (see Appendix 7) unless that cuntry r territry ensures an adequate level f prtectin fr the rights and freedms f data subjects in relatin t the prcessing f their persnal data. Plicy Scpe 6.0 This plicy has been written within the guidelines f relevant authritative bdies and related dcumentatin listed at Appendix Definitins and terms used thrughut this plicy are defined at Appendix This plicy applies t all persnal data and sensitive persnal data cllected and prcessed by BBSRC in the cnduct f its business, in electrnic frmat in any medium and within structured paper filing systems. 9.0 This plicy applies t all BBSRC Swindn Office emplyees, whether permanent, temprary, cntractrs, cnsultants r secndees (hereafter referred t as staff ) This plicy applies t all BBSRC staff, including thse in BBSRC supprted jint units (Jint Business Operatins Services, Jint Superannuatin Services and Audit and Assurance Services Grup), and thse in BBSRC hsted units (United Kingdm Research Office, UKCDS) Disciplinary actin may be taken against staff failing t cmply with this plicy. Failing t cmply with the terms f the data prtectin act may result in legal actin being taken against the individual and/r the rganisatin BBSRC is the Data Cntrller f, and registered with the Infrmatin Cmmissiner s Office (ICO) fr cllecting and using persnal data abut: individuals wh have applied fr, r been awarded, funding fr research r related scientific activities including events, seminars and wrkshps members f BBSRC cuncils, bards, cmmittees and peer review bards past, current and prspective emplyees suppliers, cnsultants, external business partners and ther third parties with whm BBSRC cmmunicates ther persns as required by law 13.0 BBSRC places a duty f respnsibility n members f the BBSRC research cmmunity, such as cmmittee members and reviewers, t respect the requirement fr cnfidentiality n receipt f cnfidential papers r crrespndence cntaining BBSRC persnal data. Members are prvided with Authr: BBSRC Infrmatin Team Date: April 2016 Page 3

4 Nt Prtectively Marked terms and cnditins in cmpliance with this plicy, relative t their fficial capacity with BBSRC membership UK Shared Business Services (UKSBS) Ltd (frmerly RCUK Shared Services Centre Ltd) prcess persnal data n behalf f BBSRC fr the purpses f staff and grant funding administratin. BBSRC therefre have a respnsibility t ensure UKSBS Ltd prcess the data in cmpliance with this plicy and the 8 principles f the Data Prtectin Act A Master Services Agreement and standard perating prcedures are embedded between the tw parties which details these requirements BBSRC requires that all staff ensure that a frmal cntract is in place (signed Data Sharing agreement), between BBSRC and all third parties befre data can be shared with ther rganisatins r persns fr prcessing purpses BBSRC is registered with the ICO t prcess persnal data fr the fllwing specified purpses: Staff Administratin Advertising, Marketing and Public Relatins Accunts and Recrds Benefits, Grants and Lans Administratin Cnsultancy and Advisry Services Crime Preventin and Prsecutin f Offenders Jurnalism and Media Prperty Management Research 17.0 A further descriptin f each purpse can be fund n the ICO Website by quting the Registratin Number Z A list f relevant legislatin, regulatins and supprting framewrks that prvide backgrund t this, as well as related BBSRC plicies and strategies are listed in Appendix 1. Plicy Objectives 19.0 The bjectives f this plicy are t ensure that: prper prcedures are in place fr the prcessing and management f persnal data there is smene within the rganisatin wh has specific respnsibility and knwledge abut data prtectin cmpliance. a better and supprtive envirnment and culture f best practice prcessing f persnal data is prvided fr staff all staff understand their respnsibilities when prcessing persnal data, and that methds f handling that infrmatin are clearly understd Authr: BBSRC Infrmatin Team Date: April 2016 Page 4

5 Nt Prtectively Marked individuals wishing t submit a Subject Access Request are fully aware f hw t d this and wh t cntact Subject Access Requests are dealt with prmptly and curteusly individuals are assured that their persnal data is prcessed in accrdance with the data prtectin principles, that their data is secure at all times and safe frm unauthrised access, alteratin, use r lss ther rganisatins with whm BBSRC data needs t be shared r transferred, meet cmpliance requirements any new systems being implemented are assessed n whether they will hld persnal data, whether the system presents any risks, damage r impact t individuals data and that it meets this plicy Plicy Principles 20.0 In rder t meet the requirements f the 8 principles f the DPA, BBSRC adheres t the fllwing values when prcessing persnal data: 20.1 Fair Cllectin and Prcessing The specific cnditins cntained in Schedules 2 and 3 f the DPA (see Appendices 4 and 5) regarding the fair cllectin and use f persnal data will be fully cmplied with. Individuals will be made aware that their infrmatin has been cllected, and the intended use f the data specified either n cllectin r at the earliest pprtunity fllwing cllectin. This may be verbally, written r thrugh electrnic directin t the BBSRC Privacy Ntice. Persnal data will be cllected and prcessed nly t the extent that it is needed t fulfil business needs r legal requirements. Persnal data held will be kept up t date and accurate. Retentin f persnal data will be appraised and risk assessed t determine and meet business needs and legal requirements, with the apprpriate retentin schedules applied t that data. Persnal data will be prcessed in accrdance with the rights f the individuals abut whm the persnal data are held. Individuals whse persnal infrmatin is held n a BBSRC Cntacts Database will be prvided with the ptin t pt ut f receiving event invitatins and future cmmunicatins. A cease prcessing request frm an individual will be acknwledged within 3 wrking days, with the final respnse within 21 days. The final respnse will state whether BBSRC intend t cmply with the request and t what extent, r will state the reasns why it is felt the requestr s ntice is unjustified. Authr: BBSRC Infrmatin Team Date: April 2016 Page 5

6 Nt Prtectively Marked Staff will advise the Data Prtectin Officer in the event f any intended new purpses fr prcessing persnal data. N new purpse fr prcessing data will take place until the ICO has been ntified f the relevant new purpse and the data subjects have been infrmed, r in the case f sensitive data, their cnsent has been btained Security Apprpriate technical, rganisatinal and administrative security measures t safeguard persnal data will be in place. Staff will reprt any actual, near miss, r suspected data breaches t the BBSRC Data Prtectin Officer fr investigatin. Lessns learnt during the investigatin f breaches will be relayed t thse prcessing infrmatin t enable necessary imprvements t be made. Any unauthrised use f IT services and cmmunicatin facilities by staff, including sending f sensitive r persnal data t unauthrised persns, r use that brings BBSRC int disrepute will be regarded as a breach f this plicy. Staff will use apprpriate security classificatin 3 t prtect and secure any dcument cntaining persnal infrmatin. In this way, infrming recipients f the measures that need t be emplyed fr its apprpriate handling. An Infrmatin Asset Register will be maintained identifying persnal data held at Swindn Office, where it is held, hw it is prcessed and wh has access t it. Annual Data Prtectin Awareness Training will be prvided t staff t keep them better infrmed f relevant legislatin and guidance regarding the prcessing f persnal infrmatin. There is a member f staff within BBSRC Office wh has specific respnsibility fr data prtectin, cvering all aspects within the scpe f this plicy Data Sharing Persnal data will nt be transferred utside the Eurpean Ecnmic Area unless that cuntry r territry can ensure a suitable level f prtectin fr the rights and freedms f the data subjects in relatin t the prcessing f their persnal data. Persnal data in any frmat will nt be shared with a third party rganisatin withut a valid business reasn, a signed Data Sharing Agreement in place, r withut the data subjects cnsent. The Data Sharing agreement will be drafted by the Data Prtectin Officer and the Security Officer t ensure that all BBSRC security requirements are addressed in the cntract. 3 Staff are required t ensure that they understand and use all Security Classificatins crrectly and their bligatins t treat all infrmatin with care. Authr: BBSRC Infrmatin Team Date: April 2016 Page 6

7 Nt Prtectively Marked 20.4 Privacy Impact Assessments The Infrmatin Team will wrk t carry ut Privacy Impact Assessments n all new systems intended fr implementatin in BBSRC t determine the risks and impacts t the persnal data f the individuals thse systems are intended t hld. Persnal data will nt be used t test any systems, unless it is prven t be satisfactry and safe that such use is the nly practical methd t test that system Access Members f staff will have access t persnal data nly where it is required as part f their functinal remit. Staff are made aware that in the event f a Subject Access Request being received in BBSRC, all crprate systems, including their s may be searched and relevant cntent disclsed, whether marked as persnal r nt. The BBSRC Privacy Ntice will include a cntact address fr data subjects t use shuld they wish t submit a Subject Access Request, make a cmment r cmplaint abut hw BBSRC is prcessing their data, r abut BBSRC s handling f their request fr infrmatin A Subject Access Request will be acknwledged t the data subject within 3 wrking days, with the final respnse and disclsure f infrmatin (subject t exemptins) within 40 calendar days. A fee may be charged fr this, at BBSRC s discretin, which will be n mre than 10. A data subject s persnal infrmatin will nt be disclsed t them until their identity has been verified. Third party persnal data will nt be released by BBSRC when respnding t a Subject Access Request r Freedm f Infrmatin Request (unless cnsent is specifically btained, bliged t be released by law r necessary in the substantial public interest). All data subjects have a right f access t their wn persnal data; BBSRC will prvide advice t data subjects n hw t request r access their persnal data held by BBSRC Links with the Freedm f Infrmatin Act 2000 The Freedm f Infrmatin Act 2000 enables greater public access t infrmatin prcessed by public bdies such as the BBSRC. Hwever, persnal data cntinues t be prtected by the Data Prtectin Act 1998, and is therefre exempt frm disclsure under the Freedm f Infrmatin Act (Sectin 40). Plicy Respnsibilities Authr: BBSRC Infrmatin Team Date: April 2016 Page 7

8 Nt Prtectively Marked 21.0 Primary Respnsibility Rle Respnsible fr : Data Prtectin Officer (DPO) / Infrmatin and Recrds Officer (IRO)/ Electrnic Recrds Officer maintaining the BBSRC ntificatin with the ICO advising staff n data prtectin cmpliance maintaining the BBSRC Infrmatin Asset Register (IAR) assessing management f persnal data listed n the IAR fr ptential risks prcessing subject access requests reprting any persnal data breaches t the SIRO, ISO and ICO as apprpriate carrying ut Privacy Impact Assessments against planned new systems that will hld persnal data issuing data sharing guidance and develping Data Sharing Agreements between BBSRC and external rganisatins develpment, administratin, disseminatin, review and applicatin f this plicy Senir Infrmatin Risk Officer (SIRO) Infrmatin Security Officer (ISO) Infrmatin Asset Owners (IAO) Infrmatin Asset Administratrs (IAA) prviding an annual statement f internal cntrl relating t the management f persnal data t the Chief Executive reprting n Infrmatin Risk Management t the BBSRC Bard and parent departments assessing infrmatin assets held fr the impact f lss managing Infrmatin Security Incidents and crrect reprting t SIRO, ICO and parent department. infrmatin risk assessment returns t BBSRC SIRO and BIS advising staff n infrmatin security and assurance matters supprting this plicy and implementing within their specific areas f the business persnal data prcessed within their area f business risk management f persnal data within their area f business prviding annual assurance f the risk cntrls t the ISO and SIRO maintaining an accurate IAR fr their area f the business delegating limited respnsibility t an Infrmatin Asset Administratr within their area f the business reprting any persnal data security incidents r breaches t their IAO, DPO and ISO maintaining an IAR fr their area f business fr annual signff by their IAO encuraging and prmting use f prtective marking t their team/grup ensuring apprpriate retentin and dispsal f persnal data held within their area f the business in accrdance with the BBSRC retentin plicy Authr: BBSRC Infrmatin Team Date: April 2016 Page 8

9 Nt Prtectively Marked 22.0 Supprting Respnsibility Rle Chief Executive Grup Directrs Office Administratin Grup Head f Infrmatin Team Respnsible fr: BBSRC persnal data verall supprting this plicy and applying within their respective Grups apprval, endrsement and supprt f this plicy ensuring the security f electrnic infrmatin supprting and applying this plicy ffice wide Head f Cuncil Secretariat Line Managers All Staff supprt f this plicy in relatin t the applicatin f Freedm f Infrmatin plicies, practices, standards, guidelines and prcedures. supprting and encuraging their staff t cmply with this plicy and take part in annual data prtectin awareness training. cmplying with this plicy attending annual training fr data prtectin awareness applying the crrect prtective marking t infrmatin they create Plicy Cmmunicatin 23.0 Internal 23.1 This plicy will be made available t all staff by being declared as a recrd and stred within the apprpriate Office Plicies Site n SharePint Cmmunicatin f this plicy will be made thrugh ntificatin n the SharePint Prtal, within the weekly ffice SharePint Bulletin and thrugh staff training External 24.1 This plicy and the BBSRC Privacy Ntice will be cmmunicated externally by publishing it n the BBSRC website The BBSRC Data Prtectin Officer can be cntacted via the address dataprtectinenquiries@bbsrc.ac.uk Authr: BBSRC Infrmatin Team Date: April 2016 Page 9

10 Nt Prtectively Marked Plicy Benefits 25.0 This plicy will benefit BBSRC by: enabling excellent standards f management and prcessing f persnal data thrugh the prvisin f a cnsistent and stable culture twards data prtectin applied ffice wide ensuring cntinued cmpliance with the DPA principles prviding an apprpriately supprtive envirnment and culture twards best practice prcessing and prtectin f persnal data ensuring emplyee cnfidence and cmpliance in their prcessing f persnal data, being fully infrmed and aware f their respnsibilities and bligatins imprved readiness f the service t prcess Subject Access Requests, better decisin making, develpment f plicy and prcedures, and design and implementatin f infrmatin systems thrugh the cnsideratin and assessment f persnal data reducing ptential risk f legal r reputatinal damage thrugh pr persnal data management prviding cnfidence t the BBSRC cmmunity that their persnal data is being handled crrectly and ensuring data subjects knw hw t access it Appendix 1: Relevant Authritative Bdies and Related Dcuments Authritative Bdies Infrmatin Cmmissiner Office (ICO) The Infrmatin Cmmissiner s Office is the UK s independent authrity set up t uphld infrmatin rights in the public interest, prmting penness by public bdies and data privacy fr individuals. Authr: BBSRC Infrmatin Team Date: April 2016 Page 10

11 Nt Prtectively Marked Cabinet Office Cmmunicatins Electrnics Security Grup (CESG) Jint Infrmatin Systems Cmmittee (JISC) The Natinal Archives (TNA) The Cabinet Office crdinates plicy and strategy acrss gvernment departments and is the driving frce behind the Infrmatin Assurance agenda within central gvernment departments and arms-length bdies. The CESG is the Infrmatin Assurance arm f UK Gvernment Cmmunicatins Headquarters (GCHQ) - Authr f many f UK Gvernment Security and Infrmatin standards and best practices in the UK. JISC is an advisry cmmittee t the Research Cuncils prviding expertise t supprt data and infrmatin management prgrammes. TNA is the UK gvernment s fficial archive and central advisry bdy n the care f, and hw the DPA affects, recrds and archives. Related Dcuments Security Plicy Framewrk Gd Data Handling Guidance BBSRC Frensic Readiness Plicy BBSRC Infrmatin and Recrds Management Plicy BBSRC Retentin Plicy fr Infrmatin and Recrds BBSRC Prtective Marking Plicy BBSRC Infrmatin Gvernance Plicy BBSRC Plicy HMG Security Plicy Framewrk authred by the Cabinet Office prvides central internal prtective security plicy and risk management fr gvernment departments and assciated bdies. It is the surce n which all lcalised security plicies shuld be based. CESG Gd Data Handling Guide 2008 prvides advice fr departments with a requirement t prtect persnal and sensitive infrmatin as part f their day t day business. This Plicy cvers the requirement fr BBSRC t be able t prvide frensic level supprt (audit lgs) t supprt security incident reslutin. Defines BBSRC's plicy fr the management f infrmatin and recrds. Defines BBSRC s plicy fr the retentin f infrmatin and recrds. Defines the plicy and prcedures that enable the crrect marking and handling f infrmatin by staff. This plicy prvides the framewrk fr the clear wnership f infrmatin and the management f infrmatin security risks. This plicy defines the apprpriate and acceptable use f acrss the Office and supprts better infrmatin management and data prtectin principles. Appendix 2: Dcument and Versin Cntrl Dcument Cntrl Versin 1.0 Effective Frm Date /2015 Apprved By Office Administratin Grup Authr: BBSRC Infrmatin Team Date: April 2016 Page 11

12 Nt Prtectively Marked Date f Apprval Date f Review Retentin Perid Owner Authr Indefinitely; 2 years after superceded Cmmunicatins and Infrmatin Management Grup Meldy Allsebrk/ Angie Chapman VERSION CONTROL Versin Number Status Revisin Date Authr(s) Summary f Changes 0.1 Original Dcument 05/10/2012 Meldy Allsebrk Versin 1 Apprved/Final 0.2 Review - Draft 08/09/2015 Angie Chapman Review and update f Original Plicy Dcument DISTRIBUTION FOR REVIEW Name Title Apprved Date Paul Chitsn Assciate Directr Infrmatin Team OAG TAGS/KEYWORDS Plicy Recrd Data Prtectin Security Prtect Infrmatin Management Persnal Persnal Data Risk Infrmatin Dcument Data Legislatin Infrmatin Security Persnal Infrmatin Sensitive Appendix 3: Data Prtectin Definitins and Terms Data Persnal Data Infrmatin which is recrded in any frmat, whether stred electrnically r in a structured paper based filing system. Any infrmatin that identifies a living individual. This includes any expressin f pinin abut the individual and any Intentins twards the individual. Authr: BBSRC Infrmatin Team Date: April 2016 Page 12

13 Nt Prtectively Marked Sensitive Persnal Data Prcessing Data Subject Data Cntrller Data Prcessr Exemptins Relevant Filing System Subject Access Request Third Party Recipient Persnal infrmatin relating t racial r ethnic rigin, plitical pinin, religius beliefs, trade unin membership, sexual life, physical r mental health, cmmissin r alleged cmmissin f any ffence. Any activity where the data is used, such as btaining, recrding, string, viewing, cpying, accessing, disclsing, erasing, destrying. An individual wh is the subject f persnal infrmatin. The rganisatin that determines hw the persnal data will be used and the manner in which it will be prcessed. An rganisatin that prcesses persnal data n behalf f a Data Cntrller. Sme persnal data are exempt frm disclsure under the DPA, including cnfidential references given (nt received), cnsideratin f suitability fr hnurs, management frecasts and career planning. Any set f manual infrmatin which is structured by reference t individuals r ther criteria making the cntent readily accessible. A request by a data subject, t the data cntrller, asking t see their persnal infrmatin. This can either mean that the data is abut smene else, r smene else is the surce; i.e. any ther persn r rganisatin ther than the data subject the data cntrller a data prcessr Any persn t whm the data are disclsed including emplyees r agents f the data cntrller; this des nt include any persn t whm disclsure is made as a result f an inquiry r request fr infrmatin. Appendix 4: Cnditins fr Prcessing Persnal Data Schedule 2 f the Data Prtectin Act 1998 The 1 st Principle f the DPA requires persnal data t be prcessed fairly and lawfully, and, nt t be prcessed unless ne f the cnditins (belw) in Schedule 2 is met. Authr: BBSRC Infrmatin Team Date: April 2016 Page 13

14 Nt Prtectively Marked 1 The data subject has given his/her cnsent t the prcessing. 2 Prcessing is necessary fr: a) the perfrmance f a cntract t which the data subject is a party b) taking steps at the request f the data subject with a view t entering int a cntract 3 Prcessing is necessary fr cmpliance with any legal bligatins t which the data cntrller is subject. 4 Prcessing is necessary in rder t prtect the vital interests f the data subject. 5 Prcessing is necessary fr the: a) administratin f justice b) exercise f any functins cnferred n a persn under any enactment c) exercise f any functins f the Crwn r a gvernment department d) exercise f any ther functins f a public nature carried ut in the public interest by any persn 6 Prcessing is necessary fr the purpses f legitimate interests f the data cntrller r by the third party t whm data may be disclsed, except where the prcessing is unwarranted in any particular case by reasn f prejudice t the rights and freedm r legitimate interests f the data subject. In practice this means that rganisatins must: a) have legitimate grunds fr cllecting and using the persnal data b) nt use the data in ways that have unjustified adverse effects n the individual c) be transparent abut hw it is intended t use the data by prviding apprpriate privacy ntices when cllecting persnal data d) handle persnal data nly in ways they wuld reasnably expect e) make sure n unlawful activities are carried ut with the data Appendix 5: Cnditins fr Prcessing Sensitive Persnal Data Schedule 3 f the Data Prtectin Act 1998 Under the 1 st Data Prtectin Principle, sensitive persnal data must nt be prcessed unless ne f the fllwing 19 legitimate cnditins (belw) frm Schedule 3 f the DPA is met. Explicit cnsent f the data subject Cmpliance with emplyment law bligatins Authr: BBSRC Infrmatin Team Date: April 2016 Page 14

15 Nt Prtectively Marked Vital interests f the data subject Prcessing by nt-fr-prfit rganisatins. Infrmatin made public by the data subject Legal advice and establishing r defending legal rights Public functins Medical purpses Recrds n racial equality Detectin f unlawful activity Prtectin f the public Public interest disclsure Cnfidential cunselling Certain data relating t pensins Religin and health data fr equality f treatment mnitring Legitimate plitical activities Research activities that are in the substantial public interest Plice prcessing Prcessing by elected representatives Appendix 6: Rights f Data Subjects Principle 6 f the Data Prtectin Act 1998 gives rights t individuals in respect f the persnal data that rganisatins hld abut them. These are a right t: have access t a cpy f the infrmatin cmprised in their persnal data bject t prcessing that is likely t cause r is causing damage r distress prevent prcessing fr direct marketing bject t decisins being taken by autmated means have inaccurate persnal data rectified, blcked, erased r destryed claim cmpensatin fr damages caused by a breach f the Act The right f subject access is wide-ranging and unless a relevant exemptin applies an individual is entitled t see their persnal data cntained in all lcatins, including: Appraisal recrds Minutes f meetings s stred n any system in the wrkplace References received frm third parties Disciplinary recrds Sickness recrds Perfrmance review ntes Interview ntes Individuals are nly entitled t see their wn persnal data and are nt entitled t receive any infrmatin which relates t anyne else. Appendix 7: Eurpean Ecnmic Areas There are n additinal restrictins n the mvement f persnal data between EEA cuntries. These are currently: Authr: BBSRC Infrmatin Team Date: April 2016 Page 15

16 Nt Prtectively Marked Austria Belgium Bulgaria Cratia Cyprus Czech Republic Denmark Estnia Finland France Germany Greece Hungary Iceland Ireland Italy Latvia Liechtenstein Lithuania Luxemburg Malta Netherlands Nrway Pland Prtugal Rmania Slvakia Slvenia Spain Sweden United Kingdm The Eurpean Cmmissin has decided that certain cuntries have an adequate level f prtectin fr persnal data. Currently the fllwing cuntries are cnsidered as having adequate prtectin: Andrra Argentina Canada Fare Islands Guernsey Isle f Man Israel Jersey New Zealand Switzerland Uruguay Transferring f data utside f the EEA requires additinal cntrls and agreements that ensure the prvisin f adequate cntrls are in place t prtect persnal data. The laws and agreements are cnstantly under review (such as the 2015 Eurpean Curt f Justice ruling ablishing the Safe Harbur agreement with the US). The Data Sharing Agreement prcess recgnises the changing envirnment and reviews all applicatins t ensure that steps are taken t cmply with current legislatin and rulings. In additin the DSA lg prvides BBSRC with the ability t review existing agreements and take apprpriate actin in respnse t legislative changes. Authr: BBSRC Infrmatin Team Date: April 2016 Page 16