All organisations hold large volumes of personal and in some cases highly sensitive information about their staff, customers and correspondents.
The Data Protection Act makes rigorous demands of the way we handle personal information. There are eight principles to comply with. Personal information must be fairly and lawfully processed and processed for limited purposes. It must be adequate, relevant and not excessive, accurate and up to date, not kept for longer than is necessary, processed in line with individual rights, kept secure and not transferred to other countries without adequate protection.
Individuals have the right to see the information held about them. Organisations must respond to access requests within fixed deadlines and refusals must cite valid exemption clauses.
In practice, personal information must be collected for a stated purpose and used only for that purpose. It must be subject to a retention schedule, with disposal exercises carried out when they fall due. It must be held in secure systems in secure buildings, or be encrypted on any portable device. It must not be shared with other organisations without good reason, and the methods of sharing must comply with information sharing agreements and protocols for transmission.
Unless you are very sure of your data handling methods and your procedures for dealing with Data Protection access requests, you need a Data Protection Audit.
Cimtech will audit your roles and responsibilities, policies and procedures against Data Protection requirements using methods approved by the Information Commissioner.
The Cimtech report will deliver a gap analysis and will also offer a way forward to compliance with resources, costs and timescales.
A Data Protection Audit can also be delivered as part of a wider Information Security and Compliance Review.