Data Protection Policy

The Policy

It is the Company's policy that personal information is kept secure and disclosed only to those who need to know.

Disclosure occurs whenever information passes from one person to another. It may be written or spoken. Unauthorised disclosure will be treated as a serious offence. Data is protected if it is information which is processed or held on computer or other automated means or is in a manual form and is held as part of a relevant filing system under the Data Protection Act 1998.

Disclosure within the Company

Within the Company, managers and other employees should only have access to the personal information they require in order to fulfil the properly authorised requirements of their jobs. Disclosure may be necessary and may properly occur between companies in the Group and specified third parties.

The Company is concerned to ensure that it monitors the sex and ethnic mix of employees. Data held about employees will be also be used for equal opportunities monitoring.

Disclosure to people and organisations outside

As a general rule personal information may only be given to people or organisations outside the Company if the employee (or potential employee, or former employee) has given his consent. Consent may be written or spoken.

The Data Protection Act 1998

The Act applies to all types of personal information, which is or has been stored on computers as well as some manual data. It sets out eight Data Protection Principles which every individual handling such personal data must be aware of and must comply with.

The Act also requires every organisation or individual using personal data to enter on a public register a description of the purposes for which the hold data, of the types of data held, the sources of data and the persons to whom data might be disclosed. It is a criminal offence to use or disclose personal data other than in accordance with a current description on the register.

Randstad Education is registered under the provisions of the Act as both an organisation that controls the contents and use of personal data processed or intended to be processed automatically and one that carries out such automatic processing. The IT department holds Randstad Education's registration documents.

All those whose work involves the use of personal data must therefore make themselves familiar with the Data Protection Principles and the basic rules set out in this policy. Managers controlling the use of data must be aware of the relevant parts of the Company's register entries, and ensure that their staff and everyone to whom they provide data know of the restrictions which apply.

Subject Access to Data

The Act came into force in mid 1999 replacing the Data Protection Act 1984. The Act provides for individuals to request details of personal data held on them.In response to such a request, which must be in writing, the Company will provide copies of the information held, and such details as the purposes for which it is used, those to whom it may be disclosed and the source of the data. Please note that there may be circumstances where information cannot be provided because doing so would involve disclosing information on others and it is reasonable to withhold information for these reasons.

Requests from employees will be handled by the Human Resources Department who will endeavour to deal with all requests within 40 days of receipt. The Act allows us to charge a fee for providing such data. The charge is currently £10 per request subject to review from time to time. The Company is not obliged to comply with a subject access request where a similar request has been made by the same individual previously and a reasonable interval has not elapsed between the Company's compliance with the previous request and the making of the new request.

Overseas Transfer of Data

The Act forbids transfers of personal data to recipients in countries outside the EU, including transfers in machine-readable forms such as tapes or discs, unless specific conditions are complied with. You must not therefore transmit or carry personal data to countries outside the UK without first satisfying yourself that the transfer is permitted. You are required to refer to your manager or the Human Resources Department in these circumstances before any transfer is made.

Adequacy, Relevance and Accuracy

Managers responsible for collections of data containing personal data will review the data regularly to ensure that they are adequate, relevant and accurate. Personal data which is no longer required must be deleted or destroyed after 2 years. In many cases it will be appropriate to invite you to check the information held about you and confirm that it is complete and up to date.

Security

Appropriate measures will be taken to prevent unauthorised access to personal data. Aspects to be considered will include:

Physical security of discs, tapes, printouts and manual data
Secure siting or locking of computer terminals, personal computers and manual records
Password protection and other software controls

Particular care is needed to ensure that security is maintained when data is downloaded to personal computers, and in respect of printouts and derived material supplied to other users. Likewise, where manual records are being updated or changed and earlier versions are discarded. Appropriate care must be taken in all dealings with data covered by the Act.

Legal Penalties

Use or disclosure of personal data outside the terms of a current entry on the Data Protection Register is a criminal offence for which the Company or the individual can be fined.

Contravention of the Data Protection Principles may lead to action by the Data Protection Registrar, who has wide-ranging powers to restrict what personal data the Company is permitted to hold and the ways in which it can use it.

If a data subject suffers damage because of unauthorised use or disclosure, inaccurate or missing data, or the loss or destruction of data he may seek compensation in the Courts.