BACKGROUND

The nature of our work involves collecting data from customers, staff and other organizations, storing and processing them electronically. The data we collect come within the definition of 'personal data' under the Data Protection Act 1998. Therefore, we operate our business in a way that complies with the provisions of the Act. The purpose of this policy is to:

1. ensure that personal data are protected, secure and confidential.
2. establish and follow good practice for the benefit of customers and business associates.
3. be transparent about how we store and process personal data
4. ensure full compliance with the Data Protection Act 1978, and
5. ensure that OIS Ltd protects itself from a breach of the Act.

The law is governed by the Data Protection Act 1998. It is a very detailed and comprehensive legislation which sets out how non-exempt organisations must collect, store and process personal data.

There are 8 data protection principles which ensure that organisations collect, store and process personal data in a way that protects the confidentiality of customers. These principles are set out in schedule 1 of the Act and are as follows:

i. Data must be handled fairly and lawfully.
We have legitimate grounds to obtain, store and process customers' data, namely, to assist you obtain a passport, visa and for other purposes authorised by the law and contracts between us and our customers. We ensure that your data will not be used for anything unlawful.

ii. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Due to the nature of our job, the purpose for which you are giving us your personal data is obvious to you and us. We will not use your data for any other purpose incompatible with the original purpose unless you first give us your consent or we are compelled by law to do so.

iii. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
We will only take information we consider relevant and sufficient to deliver our contract with you.

iv. Personal data shall be accurate and, where necessary, kept up to date.
We ensure that the personal data you give us is correct and not misleading. We achieve this by giving you the opportunity to confirm the information you give us and also by requesting documentary proof when necessary. If there are relevant changes in your personal data, eg, change of name or nationality, please let us know as soon as possible so that we can update your record.

v. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will, from time to time, review our data base to see if some personal data are still needed to be stored by us. If the purpose for which they were stored has been achieved and we consider that it is no longer necessary to continue storing them, we will securely delete them.

vi. Personal data shall be processed in accordance with the rights of data subjects under this Act.
We will process your personal data in such a way that it will enable you to do any of the following:

1. a right of access to a copy of your personal data, popularly known as 'subject access request'. The current fee for that is £10 per standard request and we aim to provide this within 14 days. Subject Access Request should be made to info@oisservices.com by email or by post The Head of Centre, OIS Services, 56-57 Fleet street, EC4Y 1JU, London
2. a right to object to processing your personal data in a way that is likely to cause damage or distress to you;
3. a right to prevent processing your personal data in a way that is incompatible to the original purpose or purposes;
4. a right to object to decisions being taken by automated means;
5. a right, when appropriate, to have inaccurate personal data rectified, blocked or deleted, and
6. a right to claim compensation for damages caused by a breach of the Act.

vii. Personal data security
Your personal data are held in a very secure environment both physically and technically. The areas where personal data are kept are out of bounds for all non-authorised persons. Access to these parts of the premises can only be gained by electronic key issued only to authorised persons. Your personal data can only be accessed on the system by authorised persons. Only such authorised persons can alter, disclose or destroy your personal data. Further, such authorised persons can only carry out any of those functions in the course of their lawful duties. Therefore, the chances of your personal data being unlawfully processed or accidentally damaged, destroyed or lost are very minimal. Further, it is our policy to ensure that:

1. each authorised employee who has access to personal data has his own password which is not shared with other persons,
2. approved security software and firewall are used to protect our data,
3. printed personal data not in use are shredded,
4. we discourage personal data being stored on laptops and other mobile devices and media but if they do, should be locked securely and not taken out of the office.

viii. Transfer of personal data outside the European Economic Area
Your personal data will not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. There are only few counties outside the EEA that have been accepted as having adequate levels of protection for the processing of persona data comparable to the EEA countries. When we are transferring personal data to the USA, we ensure that the recipient is a signatory to the US Department of Commerce Safe Harbour Scheme. This scheme is recognised by the European Commission as providing adequate protection for data subjects. In relation to other countries outside the EEA that have not been accepted as having equivalent security and safeguards in place for processing personal data, we either sign a separate contract, the terms of which are approved by the European Directives or ensure that there is a clause in the contract that protects the processing of personal data of all our clients.

All members of staff are aware of the importance of collecting, storing and processing personal data properly. However, our Data Protection Officer will respond to any concerns about how your data is being used, please telephone him/her for assistance. The Chairman is ultimately responsible to ensure that OIS meets it legal obligations under the Data Protection Act.