Data Protection Policy
1.1. The London BioScience Innovation Centre (LBIC) holds and processes information about employees, client companies, and other data subjects for administrative and commercial purposes. All staff handling such information must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act). In summary these state that personal data shall:
- be processed fairly and lawfully,
- be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose,
- be adequate, relevant and not excessive for the purpose
- be accurate and up-to-date,
- not be kept for longer than necessary for the purpose,
- be processed in accordance with the data subject’s rights,
- be kept safe from unauthorised processing, and accidental loss, damage or destruction,
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.
- “Staff”, “client companies” and “other data subjects” may include past, present and potential members of those groups.
- “Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members.
- “Processing” refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
2. Notification of Data Held
The London BioScience Innovation Centre (LBIC) shall notify all staff, client companies and other relevant data subjects of the types of data held and processed which relates to them, and the reasons for which it is processed. The information which is currently held by LBIC and the purposes for which it is processed are set out in the Data Protection Register entry. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Data Protection Register entry will be amended.
3. Staff Responsibilities
3.1. All staff shall
- Ensure that all personal information which they provide in connection with their employment is accurate and up-to-date;
- Inform LBIC of any changes to information, for example, changes of address.
- Check the information which is made available from time to time, in written or automated form, and inform LBIC of any errors. LBIC shall not be held responsible for errors of which it has not been informed.
3.2. Staff shall ensure that
- All personal information is kept securely.
- Personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.
4. Rights to Access Information
4.1. Staff, client companies and other data subjects in LBIC have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the appropriate designated data controller.
4.2. LBIC will make a charge of £10 for each official Subject Access Request under the Act.
4.3. LBIC aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the designated data controller to the data subject making the request.
5. Subject Consent
5.1. In some cases, such as the handling of sensitive information, LBIC is entitled to process personal data only with the consent of the individual.
5.2. LBIC may process sensitive information about a person’s health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. LBIC may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy.
5.3. LBIC may also ask for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. Such information will only be used to protect the health and safety of the individual, for example, in the event of a medical emergency.
6. The Data Controller and the Designated Data Controllers
The Director of LBIC is the data controller under the Act. Responsibility for day-to-day matters will be delegated to the Facilities Supervisor as the appointed Data Protection Officer. Information and advice about the holding and processing of personal information can be gained from the Data Protection Officer.
7. Retention of Data
LBIC will keep different types of information for differing lengths of time, depending on legal and operational requirements. A list of recommended retention times is to be agreed
8.1. Compliance with the Act is the responsibility of all client companies and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.
8.2. Any individual, who considers that the policy has not been followed in respect of personal data about him or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the staff grievance procedure.