The Data Protection Act 1998 (DPA) was passed in order to implement the European Data Protection Directive and applies to all personal data which are held either electronically or in a manual filing system.
The British Acupuncture Council (BAcC) is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
The BAcC holds personal information about individuals such as employees, members, applicants, subcontractors, suppliers and others, defined as 'data subjects' in the Act. Such data must only be processed in accordance with this policy. Any breach of the policy may result in the BAcC, as the registered 'data controller', being liable in law for the consequences of the breach. This liability may extend to the individual processing the data, and to his/her line manager under certain circumstances.
All data users must comply with the eight data protection principles. The principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
- Personal data shall be processed fairly and lawfully.
- Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Personal data shall be accurate and where necessary kept up to date.
- Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Personal data shall be processed in accordance with the rights of data subject under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of the data.
- Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The DPA defines both 'personal data' and 'sensitive personal data'. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
Personal data has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images. Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record.
Responsibilities of data users
All members of BAcC staff, Board members, committee members and subcontractors have a responsibility to ensure compliance with the Act and this policy, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within the BAcC have a responsibility to ensure that they process the data in accordance with the eight data protection principles and the other conditions set down in the DPA.
The BAcC will perform periodic audits to ensure compliance with this policy and the Act and to ensure that the notification is kept up to date.
Designated data controller
The BAcC's HR and facilities manager is responsible for ensuring compliance with the Data Protection Act and implementation of this policy on behalf of the BAcC. She can be contacted at:
British Acupuncture Council
63 Jeddo Road
London W12 9HQ
020 8735 0400
Access to data
The Act gives data subjects a right to access personal data held about them by the BAcC, and allows the BAcC to charge a fee for such access (up to a prescribed maximum). The BAcC will seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the data protection principles. A record must be kept of all requests for access to personal data.
All formal subject access requests must be responded to within the terms laid down by the Act, and must be notified to the chief executive and HR and facilities manager as soon as they are received.
The BAcC aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days of receipt of a request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request. The BAcC will normally charge the prescribed maximum fee (currently £10) for subject access requests.
The need to process data for normal purposes will have been communicated to all data subjects. In some cases, if the data is sensitive, for example information about health, race or gender, express consent to process the data must be obtained. Processing may be necessary to operate BAcC policies, such as health and safety and equal opportunities.
Retention of data
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Some forms of data need to be retained longer than others to comply with legal and other requirements. This applies to both electronic and non-electronic personal data.
All BAcC users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.