Data Protection policy

The National Portrait Gallery Data Protection Policy

1) Introduction

The National Portrait Gallery needs to keep certain personal data and sensitive personal data, for example about staff, visitors, sitters and artists, in order to fulfil its purpose. Under the provisions of the Data Protection Act 1998, which came into force on 1 March 2000, the Gallery has a legal duty to ensure that this personal information is collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully. The purpose of the legislation (the Act implements the EU Data Protection Directive 95/46/EC) is ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’, and in doing so it also gives data subjects (i.e. individuals about whom personal information/sensitive personal information is processed) increased protection through express new rights.

2) Scope

The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the Data Protection Act and its associated codes of practice, and to inform members of the public how the Gallery complies with the legislation. It is also to minimise the risk of the Gallery breaching the Act and thereby damaging valued relationships with staff, customers and other audiences, as well as its reputation.

This policy covers all personal data and sensitive personal data held in electronic format or in relevant manual filing systems that is processed by the National Portrait Gallery. (For definitions see below).

It applies to all individuals working for the National Portrait Gallery in whatever role. This includes permanent and contracted Gallery staff, as well as temporary employees, volunteers, interns etc.

The security of information held by the Gallery is governed by the Gallery’s Information Security Policy.

3) Definitions

Under the terms of the Act:
Personal data means information about a living person who can be identified from that information, either on its own or together with other information the Gallery holds or is likely to hold.
Sensitive personal data is a subset of personal data (for example information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal offences and proceedings) and is subject to tighter controls on its processing.
Data subject means the individual about whom the personal data/sensitive personal data is held.
Processing means obtaining, recording, holding, organising, retrieving, altering, disclosing, destroying etc. In practice virtually any operation on the data constitutes processing.
Electronic format means data held as Word documents, e-mails, in databases etc.
Relevant manual filing system means a filing system in which information about individuals is readily accessible. For example, files ordered alphabetically by name (exhibition lender files, staff files, notes on sitters) or files with another point of access to individuals (a reference number system etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals.

4) Legal Basis

The Gallery’s responsibilities in relation to data protection are determined by the Data Protection Act 1998. Third party access to information held by the Gallery is additionally governed by the Freedom of Information Act 2000 (fully in force from 1 January 2005), whose exemptions for personal data interact with the Data Protection Act.

5) Statement of Principles

The National Portrait Gallery is committed to the eight Data Protection Principles contained in the Data Protection Act 1998. These represent the minimum standards of practice for any organisation with respect to personal data/sensitive personal data and state that it must be:
1. processed fairly and lawfully
2. obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with those purposes
3. adequate, relevant and not excessive for the purposes for which it is processed
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary for those purposes
6. processed in accordance with the rights of data subjects under the 1998 Data Protection Act
7. protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
8. not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.

6) Rights of Data Subjects

• Any individual data subject, including staff, has the right to ask what information the National Portrait Gallery holds about them and why this is being held.

• If any such information is held, an individual data subject also has the right, on request:
a) to see any personal data/sensitive personal data that is being kept about them on computer, and also to have access to paper based data held in relevant manual filing systems
b) to be informed as to how to get the information updated or amended
c) to be informed as to any regular or possible recipients of the information.

• Any person who wishes to exercise this right should make the request in writing to the Data Protection Officer. If an access request is received by any other member of staff, it should be forwarded to the Data Protection Officer without delay, since the statutory deadline runs from the date the Gallery receives the request.

• The National Portrait Gallery will comply with requests for access to personal information as quickly as possible. In compliance with the law, this will always be within 40 calendar days of receipt of a request.

• As well as right of subject access, individual data subjects have the right to object to direct marketing, including marketing of the National Portrait Gallery’s products and services. Where an individual decides to exercise this right, this fact should be accurately recorded.

• As well as a right of subject access, individual data subjects may, in certain circumstances, have other rights under the Act, including the right to have inaccurate information corrected. The Data Protection Officer should be informed if a request to exercise any such right is received.

7) Responsibilities

• The Board of Trustees of the National Portrait Gallery is the Data Controller. The Data Controller is the legal entity that must comply with the Act and ensure that its provisions are upheld in all processing across the Gallery.

• The Head of Archive and Library is the Gallery’s Data Protection Officer. The Data Protection Officer is accountable and responsible for overseeing all Data Protection activities and promoting compliance throughout the Gallery. Under the terms of the Act, the National Portrait Gallery is obliged to prepare an annual notification to the Information Commissioner providing details of the types of data it processes and for what purpose. The Data Protection Officer is the individual responsible for ensuring that the Gallery’s entry, including Register of Records caught by the Act, is complete and up-to-date with assistance from relevant Heads of Department and Records Management staff. The current register entry can be found through the Information Commissioner’s website.

• The Personnel Department will ensure that appropriate guidance and training on compliance with the Data Protection Act 1998 is made available to all staff engaged in the processing of personal data/sensitive personal data.

• The Contracts and Procurement Adviser acts as the first point of contact for data protection queries throughout the Gallery, makes suggestions for best practice and identifies areas of risk. The Contracts and Procurement Adviser works with staff who process personal data/sensitive personal data and Heads of Department to promote compliance within departments but it is the responsibility of Heads of Department to address any risks identified and to ensure that the provisions of the Act are upheld (see below).

Records Management staff in the Archive and Library are responsible for determining retention periods for records.

Heads of Department are accountable for data protection compliance in their departments. It is their responsibility to ensure that all processing within their area complies with the Act, in particular that all points of personal data/sensitive personal data collection include appropriate data protection statements (see Appendix 1) and that any contracts or agreements with external contractors processing personal data/sensitive personal data on the Gallery’s behalf (e.g. distribution or mailing services, data converters etc.) include a relevant data protection clause. Heads of Department are responsible for ensuring that risks are identified and managed appropriately, that staff receive adequate training and that legal advice is sought where necessary.

Staff who process personal data/sensitive personal data in the course of their work are responsible for ensuring compliance with the legislation and this policy document in their area. It is their responsibility to be aware of the terms of the Act and to raise any concerns about how personal data/sensitive personal data is collected and managed in their area with their Head of Department. The Gallery will ensure they are given appropriate training to fulfil this responsibility. Staff must also advise the Data Protection Officer of any changes to data processing in their areas, so that the Gallery’s Register of Records caught by the Act can be amended accordingly.

All external data processors processing personal data/sensitive personal data on behalf of the National Portrait Gallery (i.e. third parties) are contractually required to comply with the Data Protection Act 1998 and any associated codes of practice. Heads of Department are responsible for ensuring that this is upheld (see above).

8) Procedures

The Gallery will organise an annual training session for liaison staff. Additional best practice procedures are available on the staff network drive. A set of model data protection statements approved by the Gallery’s external legal advisers can be found in the appendix to this policy.

9) Breach

Breach of data protection legislation may constitute a criminal offence and may also give rise to civil liability. The National Portrait Gallery will regard any wilful or reckless breach of this policy as a disciplinary offence, and such breaches will be subject to the Gallery’s disciplinary procedures.

It is the duty of all members of staff to flag immediately to their Head of Department and the Data Protection Officer any matter arising which involves, or is thought to involve, a breach of data protection legislation. Any serious breach will be reported to the Chair of the Audit and Compliance Committee.

10) Review

This policy will be reviewed every 5 years.
Next review: April 2016

11) Date of Approval

Approved at the 744th meeting of the Trustees on 5 May 2011