Data Protection Policy

1. Introduction

 Iceni Partnership is an organisation which needs to keep records of certain personnel data, including personal data relating to its employees, in order for the organisation to function effectively.  This may include information that identifies individuals by reference to their names, job titles, responsibilities or other matters related to the operation of the organisation.


To comply with the law, such information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.  There are additional safeguards for individuals in respect of processing sensitive personal data, that is the information as to that person’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life or information in relation to the allegation of or commission of a sentence for any offence.  To do this Iceni Partnership must comply with the Data Protection principles as set out in the Data Protection Act 1998.


This policy addresses the following areas:


  1. What are the Data Protection principles?

  2. What is personal data?

  3. An employee’s rights under the Act.

  4. Responsibilities of the Employees

  5. Data Security


In addition Iceni Partnership complies fully with the Criminal Records Bureau (CRB) Code of Practice regarding the correct handling, use, storage, retention and disposal of disclosures and disclosure information.


2. What are the Data Protection principles?

In acccordance with the Data Protection Act, personal data held in a computerised format must comply with all the following principles.  The principles state that personal data must;


  1. Be obtained and processed fairly and lawfully and that a condition has been met for the processing of such data

  2. Not be held on file other than for legitimate purpose (not be used or made use of for any other purpose)

  3. Be adequate, relevant and not excessive in relation to the purpose for which it is kept

  4. Be accurate, and where necessary kept up to date

  5. Not be kept for longer than is absolutely necessary

  6. Be processed in accordance with the rights of the employee under this Act, such as the rights of access to personal data

  7. Be protected against unauthorised access or disclosure and against accidental loss, damage or destruction

  8. Not be transferred to any Country (eg. a sister, subsidiary Company etc) outside the EEA whose data protection laws are less adequate, unless the employee agrees or the transfer is necessary for employment purposes eg. a secondment.


3. What is personal data?

  1. It is data which relates to a named or readily identifiable individual.  It includes any expression of opinion about the person and any indication of the organisation’s intentions in relation to that employee.  The data can be held in the format of a letter, memo, report, certificate, a paper-based file or on a computer. For the purposes of this document we are referring to personnel information relating to an employee e.g. their personnel file.


Some personal data is considered to be sensitive. This includes information about an employee’s:


  1. Racial or ethnic origin

  2. Political opinions

  3. Religious beliefs

  4. Trade union membership (or non-membership)

  5. Physical or mental health or condition

  6. Sex life or sexual orientation

  7. Criminal (or alleged criminal) activities

  8. Criminal proceedings, criminal convictions (or any sentences imposed by the courts)


Iceni Partnership cannot hold sensitive data on an employee’s file without their consent.  It is essential therefore that when dealing with medical issues, for example, consent for access to medical records, is obtained from the employee.  There are exceptions to this stipulation which include when the organisation must hold sensitive data:


  1. In accordance with legal obligations e.g. Health and Safety requirements

  2. To protect the employee’s interests

  3. For the purposes of defending a complaint of unlawful discrimination on the grounds of sex, race, union membership etc

  4. For the purpose of maintaining and monitoring Swaffham Community Centre’s Equality Policy


Personal data likely to be found on an employee’s file could be:

  1. Name, address, telephone number

  2. Education and training information

  3. Interests/Hobbies

  4. Employment history (including reason for leaving)

  5. Experience (skills/knowledge etc)

  6. Whether the applicant has ever been convicted of a criminal offence

  7. Referee details (references are kept on file)

  8. Equal Opportunities form

  9. Original application form/interview notes

  10. Appraisal forms

  11. Vehicle information

  12. Training undertaken and required

  13. Next of kin details

  14. Contract and updates to the contract including salary changes (together with notification of this)

  15. Salary and pension information

  16. Any complaint or grievance action involving the staff member

  17. Responses from Disclosure checks


4. An employeee’s Rights under the Act

In accordance with the Data Protection Act, an employee has the following rights:


  • Notification of Data held and processed:


Any employee who is concerned about the nature, content, accuracy or relevance of the personal data on their personnel file may:


Ask for a description of the data Iceni Partnership holds about them;

Ask for an explanation of the purposes for which the data is being held;

Ask for details of the names of the people within Iceni Partnership to whom the data is routinely or occassionally disclosed.


  • Right to Access the Information:


An employee also has the right to access personal data that is being kept by Iceni Partnership about them and to be provided with hard copies of this data.


An employee who wishes to exercise either or both of these rights must make a request in writing to their line manager. Iceni Partnership will make a charge of £10 on each occasion that such a request is made.  Iceni Partnership will aim to respond to a request as quickly as possible but will ensure a response is given within 30 days of receipt of a written request or fee whichever is received later.


Iceni Partnership is not always obliged to disclose personal data on the request of the employee.  For example, Iceni Partnership may refuse to disclose personal data if:


  • It cannot comply with the request without disclosing information relating to another individual who can be identified from that information


  • It is processed for the purpose of management forecasting or planning to assist the organisation in the conduct of its business and where the disclosure of such personal data is likely to prejudice the conduct of the organisation


  • It consists of a reference given to, or to be given in confidence by Iceni Partnership for the purposes of education, training or employment of an employee


5. Responsibilities of Employees

 As part of their Terms and Conditions of employment, all employees must:


  1. Provide Iceni Partnership with their personal details ie. address, telephone numbers, bank details, next of kin and emergency contact details etc

  2. Check that any personal data that they have provided to Swaffham Iceni Partnership is accurate and up todate

  3. Inform Iceni Partnership of any changes to information which they have provided e.g. change of address


6. Data Security and Storage

 The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage and that both access and disclosure must be restricted.  All employees are responsible for ensuring that:


  1. Any personal data which they hold is kept securely e.g locked storage facilities, use of passwords etc

  2. Personnel information is not disclosed either orally, in writing or otherwise to any unauthorised third party or inappropriate work colleague


Iceni Partnership is committed to ensuring the correct handling, use, storage, retention and disposal of Disclosures and Disclosure information as laid down by the Criminal Records Bureau for all staff using the Criminal Records Bureau to help assess the suitability of applicants for positions of trust, both as paid employees and volunteers.


Disclosure information is only passed to those who are authorised to receive it in the course of their duties and it is only used for the specific purpose for which it was requested and for which the applicant/employee’s full consent has been given.


Once someone has been recruited or a further CRB check has been undertaken during the course of employment Iceni Partnership will not keep the Disclosure information for any longer than is necessary.  This is generally for a period of up to six months. Once the retention period has lapsed Iceni Partnership will ensure that the Disclosure information is destroyed by secure means.



NB.  The Data Protection Act is an extremely complex piece of legislation which contains sections which even the experts find difficult to interpret and which have not been tested.  Iceni Partnership reserves the right to amend this policy at any time to take into account of developments in this area of the law.