Privacy Policy
Data Protection Policy

The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive
(95/46/EC) and applies to all data relating to, and descriptive of, living individuals (defined by the Act as " personal data") which are held either electronically or in a structured manual filing system. The Act came into force on 1st March 2000 with most of its provisions becoming effective on 24th October 2001.

The Scottish Wider Access Programme (hereafter referred to as SWAP) is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data held by it.
 
Data may only be processed in accordance with this policy and with the terms of SWAP's Notification to the Information Commissioner, which sets out the purposes for which SWAP holds and processes personal data. Any breach of the policy may result in SWAP, as the registered Data Controller, being liable in law for the consequences of the breach. This liability may extend to the individual processing the data and the Director under certain circumstances.

This policy applies regardless of where the data is held and, in respect of automatically processed data, the ownership of the equipment used, if the processing is for SWAP purposes.
 
Principles

All data users must comply with the eight Data Protection Principles. The Principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
 
  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be held only for one or more specified and lawful purposes and shall 
not be further processed in any manner incompatible with that purpose or purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose 
for which it is processed.
  • Personal data shall be accurate and where necessary kept up to date.
  • Personal data processed for any purpose shall not be kept for longer than is necessary 
for that purpose.
  • Personal data shall be processed in accordance with the rights of data subject under the 
DPA.

  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of the data.
  • Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The DPA defines both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
 
‘Personal data’ has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images, if focussed on an individual and disclosing information which is biographical in a significant sense. ‘Sensitive personal data’ consists of religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record.

Responsibilities of Director of SWAP

The Director of SWAP has a responsibility to ensure compliance with the Act and this Code, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within SWAP have a responsibility to ensure that they process the data in accordance with the eight Principles and other conditions set down in the DPA.

Access to Data

The Act gives data subjects a right to access to personal data held about them by SWAP, and allows SWAP to charge a fee for such access (up to a prescribed maximum). SWAP will however seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the Data Protection Principles. All formal subject access requests must be responded to within the 40-day period prescribed by the Act, and must be notified to the Director as soon as they are received. Any cases of doubt as to whether a request for access to personal data is a subject access request under the Act must be referred to the Director without delay.

Retention of Data

Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data.

SWAP will publish a policy on retention and disposal.

Data Transfer

SWAP adheres to the ICO Data Sharing Code of Practice 2011.
 
When personal data are transferred internally the recipient must only process the data in a manner consistent with the original purpose for which the data was collected.

Personal data can only be transferred out of the European Economic Area under certain circumstances. The Act lists the factors to be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. Information published on the Web must be considered to be an export of data outside the EEA.

Data Security

All SWAP users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.

Status of the Policy

The updated policy was approved by SWAP’s Management Group in May 2013. Any breach will be taken seriously.

Data Protection Officer

SWAP has notified the Office of the Information Commissioner that it processes personal data. Questions related to the terms of the notification and other day to day matters on the operation of the policy and the Act can be dealt with by the Directors of SWAP East and SWAP West.
 
SWAP East
34 Buccleuch Place
Edinburgh
EH8 9JS

(t) 0131 650 6861
(w) www.scottishwideraccess.org

SWAP West
Glasgow Kelvin College
43 Shamrock Street
Glasgow G4 9LD
(t) 0141 564 7206
(e) swapwest@scottishwideraccess.org
about us