Data Protection

IOSH operates under the Data Protection principles as laid out by the Information Commissioner's Office (ICO). Our policies incorporate the ICO guidance but are designed to suit our own business model, so they may go further than that guidance recommends. We take data protection and security very seriously.

Along with all of our other policies, our Data Protection policy is kept continually under review, as we recognise that the organisation's needs, technologies and appetite for risk change over time.

The principles are outlined below:

1. Personal data shall be processed fairly and lawfully. We have processes and systems in place to control the data stored on our central systems and who has access to that data. We cannot provide the same guarantees to our members for personal data collected by our volunteers outside those systems, even when it is collected with the best of intentions, and that leaves both the Institution and the individual volunteer open to potential legal action.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. For example, we should not record personal data such as e-mail addresses unless we have defined precisely why we want to record them. If we do record someone's e-mail address for a specific purpose, then that address should be used only for that purpose. The method of recording the information must be secure and not accessible to anyone other than the data subject and the person collecting it.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Collect and store only the information that is needed; do not collect information 'just in case' it might be useful one day. For example, there is no need to take both a daytime and an evening telephone number if you know you will only make contact during the day.

4. Personal data shall be accurate and, where necessary, kept up to date. Our members' personal data is stored in, and accessible only through, a single database. To maintain data integrity we should not ask members for their data if it is to be stored outside that database, since such copies quickly become out of date and are difficult to maintain.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. For example, nomination data collected for the AGM and election process should be destroyed once the meeting has concluded, and must not be used for any unrelated purpose.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act (the Data Protection Act 1998, from which these principles are taken). The data subject is the individual to whom the information relates. Data may be processed by IOSH only within this guidance and will not be disclosed to another party without the express permission of the data subject.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. We use personal data every day to contact our members and to manage our business efficiently; however, that data is held in a secure, access-restricted database, and we do not copy or transport it outside that database. Staff who need remote access can be enabled to reach documents and information when out of the office, and this access does not compromise our data storage.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. As we are an international organisation, the security of our data in each of the countries in which we operate is extremely important. All of our member data is controlled in the UK.

Our staff and volunteers have access to information in a number of different forms, and we must be mindful of how that data is used.

The simplest way to comply with our data protection guidelines is not to record personal data at all; where there is no choice but to record it, use it only for the purpose for which it was originally recorded.

[v1 - February 2016]