Data Protection Policy

OVERVIEW
We hold personal data about our employees, residents, suppliers and other individuals for a variety of Council purposes. This policy sets out how we seek to protect personal data and ensure that Councillors and Officers understand the rules governing their use of personal data to which they have access during their work. This policy requires Officers to ensure that the Data Protection Officer (DPO) is consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
DEFINITIONS
The business purposes for which personal data may be used by us: Personnel, administrative, financial, statutory and legislative purposes, payroll, consultations and business development purposes.
Council purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring Council policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of sensitive information, security vetting and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Promoting Council services
- Improving services
Personal data: Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts, members of the public, Council service users, residents, grant applicants, hirers and correspondents. Personal data we gather may include:
- Individuals’ contact details
- Educational background
- Financial and pay details
- Details of certificates and diplomas, education and skills
- Marital status
- Nationality
- Job title
- CV
- Organisation contact details
- Correspondence
- Emails
- Databases
- Council records
Sensitive personal data
Any use of sensitive personal data should be strictly controlled in accordance with this policy.
That is personal data about an individual’s:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership (or non-membership)
- Physical or mental health or condition
- Criminal offences, or related proceeding
- Salary and pension
SCOPE
This policy applies to all councillors and staff who must be familiar with this policy and comply with its terms.
This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
WHO IS RESPONSIBLE FOR THIS POLICY?
The Data Protection Officer has overall responsibility for the day-to-day implementation of this policy.
PROCEDURES
FAIR AND LAWFUL PROCESSING
The Council must process personal data fairly and lawfully in accordance with individuals’ rights and the six lawful bases for processing personal data. The six lawful bases are processing the personal data:
1. with the consent of an individual for a specific purpose;
2. where this is necessary to comply with a contract;
3. where this is necessary to comply with the law;
4. to protect someone’s life;
5. to perform a task in the public interest or to perform official functions;
6. to carry out our legitimate interests.
Generally, most of the data we process will be to carry out our public tasks and our official functions. On occasions we will need the specific consent of an individual to process data.
THE DATA PROTECTION OFFICER’S RESPONSIBILITIES:
- Keeping the Council updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and policies on a regular basis.
- Assisting with data protection training and advice for all staff, members and those included in this policy.
- Answering questions on data protection from staff, council members and other stakeholders.
- Responding to individuals such as members of the public, service users and employees who wish to know which data is being held on them.
- Checking and approving any contracts or agreements regarding data processing with third parties that handle the Council’s data.
RESPONSIBILITIES OF THE IT CONTRACTOR
- Ensuring all systems, services, software and equipment meet acceptable security standards.
- Checking and scanning security hardware and software regularly to ensure it is functioning properly.
- Researching third-party services, such as cloud services the company is considering using to store or process data.
RESPONSIBILITIES OF THE COUNCIL’S OFFICERS
- Approving data protection statements attached to emails and other marketing copy.
- Addressing data protection queries from clients, target audiences or media outlets.
- Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the Council’s Policies.
- Complying with the Council’s policies and data protection legislation including that contained in the UK General Data Protection Regulation (GDPR) and the Data Protection Act, 2018.
THE PROCESSING OF ALL DATA MUST BE:
- Necessary to deliver Council services.
- In the Council’s legitimate interests and not unduly prejudicial to the individual’s privacy.
- Carried out in accordance with the Council’s policies and the data protection legislation.
The Council has adopted a Privacy Policy which contains the privacy notice on data protection.
The notice:
- Sets out the purposes for which we hold personal data on customers, employees, residents and service users.
- Explains how we use the personal data including sensitive personal data that we hold to deliver our services and perform our public tasks and duties.
- Explains what we do to protect the personal data that we hold.
- Sets out a person’s rights in respect of personal data.
SENSITIVE PERSONAL DATA
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply, or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work, comply with burial legislation and allotment legislation). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
ACCURACY AND RELEVANCE
We will ensure that any personal data we process is accurate, fair, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Data Information Officer.
YOUR PERSONAL DATA
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required.
DATA SECURITY
Personal data will be kept secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements will need to be implemented in contracts with those third-party organisations.
STORING DATA SECURELY
- In cases when data is stored on printed paper, it must be kept in a secure place where unauthorised personnel and third parties cannot access it.
- Printed data must be shredded when it is no longer needed.
- Data stored on a computer must be protected by strong passwords that are changed regularly.
- Data stored on CDs or memory sticks must be locked away securely when they are not being used.
- Specific approval from the Town Clerk in consultation with the DPO must be obtained for any proposal to use any cloud to store data.
- Servers containing personal data must be kept in a secure location.
- Data should be regularly backed up.
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
- All servers containing sensitive data must be approved and protected by security software and a strong firewall.
DATA RETENTION
We will retain or store personal data for no longer than is necessary for the purposes for which the data was processed. What is necessary will depend on the circumstances of each case, considering the reasons that the personal data was obtained, but should be determined in a manner consistent with this policy and our statutory responsibilities.
SUBJECT ACCESS REQUESTS
Under the Data Protection legislation, individuals are entitled, subject to certain exceptions, to request access to information held about them.
If a subject access request (a SAR) is received, it must be dealt with promptly under the SAR procedure. The DPO will assist in responding to SARs if required.
There are restrictions on the information to which a person is entitled under the applicable law.
PROCESSING DATA IN ACCORDANCE WITH THE INDIVIDUAL’S RIGHTS
Any request from an individual not to use their personal data for direct marketing purposes should be complied with.
Direct marketing material should not be sent to someone electronically (e.g. via email) unless there is an existing business relationship with them in relation to the services being marketed.
The DPO should be asked for advice on direct marketing before any new direct marketing activity is started.
TRAINING
All staff will receive training on this policy and data protection generally. New employees will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
It will cover:
- The law relating to data protection.
- Our data protection and related policies and procedures.
Completion of training is compulsory for all employees.
CONDITIONS FOR PROCESSING
Any use of personal data must be justified using at least one of the lawful and legitimate bases for processing. All staff who are responsible for processing personal data will be aware of the bases for processing personal data. The lawful bases for processing personal data are available to data subjects in the privacy policy.
JUSTIFICATION FOR PERSONAL DATA
Personal data will be processed in compliance with the six data protection principles. The data protection principles require that personal data are:
1. Processed lawfully, fairly and in a transparent way.
2. Processed only for a specific explicit and legitimate purpose and not used in any way that is incompatible with that purpose.
3. Relevant, adequate and limited to the purposes for which they are processed.
4. Accurate and kept up to date.
5. Kept for no longer than is necessary for the purposes for which they were processed.
6. Kept in a manner that ensures appropriate security of the data and that the data are protected from unauthorised or unlawful processing and accidental loss or damage.
The additional justification for the processing of sensitive personal data will be documented, and any biometric and genetic data will be treated as sensitive data.
CONSENT
The data that we collect may be subject to active consent by the data subject. Such a consent can be revoked at any time.
DATA PORTABILITY
Upon request, a data subject has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data be transferred directly to another controller. This must be done for free.
RIGHT TO BE FORGOTTEN
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an appropriate exemption applies.
PRIVACY IMPACT ASSESSMENTS
The DPO will be responsible for conducting any Privacy Impact Assessments and ensuring any relevant projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
REPORTING BREACHES
All members of staff have an obligation to report actual or potential data protection compliance failures to the Town Clerk. This allows us to:
- Investigate the failure and take remedial steps if necessary.
- Maintain a register of compliance failures.
- Make any report to the Information Commissioner’s Office where necessary on any data protection breach. Any report that is required to be submitted will have to be made within 72 hours.
MONITORING
Everyone must observe this policy. The DPO has overall responsibility for this policy. The DPO will monitor the policy regularly to make sure it is being adhered to.
CONSEQUENCES OF FAILING TO COMPLY
Any failure to comply with this policy will put the Council at risk and may lead to action by the Information Commissioner’s Office.
The importance of this policy means that a failure to comply with any requirement by an employee may lead to disciplinary action under our procedures which may result in dismissal.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.