OK then, Data Protection Compliance Plan.
I am going to split this into 2 segments, Personal Data and Business Data. The reasoning behind this is that the DPA in the UK makes the same distinction and the requirements are subtly different.
OK, Personal Data then:
Paper Based:
All paper based personal records will be stored in a secure manner with restricted access being given only to authorised personnel (locked filing cabinet with limited keyholders). A list of authorised personnel for this purpose is displayed above the record storage area.
Personnel have a right under the DPA to request a copy of any data held by the company on them; they can request this at any time in writing and a copy will be presented within 30 days. The DPA allows for a charge of up to £10 for this access; the company at this time has decided to waive this fee / charge £X per request (delete one of these).
Electronic personnel records are held on a limited access computer system with only authorised personnel being able to access them; they are only printed for essential purposes and printed copies are destroyed immediately after use. Personal data is not to be removed from the central computer system either by use of memory sticks or other removable media unless the data has been fully encrypted. For more advice on this contact the IT Department.
Business data:
Paper Records
The paper records of the business data held by us are to be stored in accordance with company procedures. All business premises will be secured outside of working hours. Only personnel requiring access to these records for the conduct of their duties should access these records.
Electronic records: only those with appropriate passwords can access this data, and any printed copy is to be destroyed as soon as possible after use. The data is not to be taken off site via any form of removable media without appropriate encryption being applied. If in doubt, the IT department can advise.
In all cases when dealing with data covered by the DPA, caution is to be used before disclosure, and if in any doubt advice is to be sought from the data protection advisor.
Hope that helps,
Olly