DATA PROTECTION POLICY
1. Introduction
Broomhaugh & Riding Parish Council (the Council) has a responsibility under the Data Protection Act 2018 to hold, obtain, record, use and store all personal data relating to an identifiable individual in a secure and confidential manner. This Policy is a statement of what the Council does to ensure its compliance with the Act.
The Data Protection Policy applies to all Council employees, councillors, volunteers, and contractors. The Policy provides a framework within which the Council will ensure compliance with the requirements of the Act and will underpin any operational procedures and activities connected with the implementation of the Act.
2. Background
The Data Protection Act 2018 governs the handling of personal information that identifies living individuals directly or indirectly and covers both manual and computerised information.
It provides a mechanism by which individuals about whom data is held (the “data subjects”) can have a certain amount of control over the way in which it is handled.
Some of the main features of the Act are:
- All data covered by the Act must be handled in accordance with the Six Data Protection Principles (see Appendix 1).
- The person about whom the information is held (the Data Subject) has various rights under the Act including the right to be informed about what personal data is being processed, the right to request access to that information, the right to request that inaccuracies or incomplete data are rectified, and the right to have personal data erased and to prevent or restrict processing in specific circumstances. Individuals also have the right to object to processing based on the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling); and processing for the purposes of scientific/historical research and statistics. There are also rights concerning automated decision making (including profiling) and data portability.
- Processing of special categories of data must be done under a lawful basis. This data includes information about race, ethnic origin, political persuasion, religious belief, trade union membership, genetics, biometrics (where used for identification purposes), health, sex life and sexual orientation.
- The Data Protection Act deals with criminal offence data in a similar way to special category data and sets out specific conditions providing lawful authority for processing it.
- There is a principle of accountability of data controllers to implement appropriate technical and organisational measures that include internal data protection policies and procedures, staff training and awareness of the requirements of the Act, internal audits of processing activities, maintaining relevant documentation on processing activities, appointing a data protection officer, and implementing measures that meet the principles of data protection by design and data protection by default, including data minimisation, transparency, and creating and improving security features on an ongoing basis.
- Data controllers must have written contracts in place with all data processors and ensure that processors are only appointed if they can provide ‘sufficient guarantees’ that the requirements of the Act will be met and the rights of data subjects protected.
- Data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office within 72 hours of the council becoming aware of the breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the Council will notify those individuals concerned directly.
- The Information Commissioner is responsible for regulation and issues notices to organisations where they are not complying with the requirements of the Act. She also has the ability to prosecute those who commit offences under the Act and to issue fines.
3. Policy Statement
The Council is committed to ensuring that personal information is handled in a secure and confidential manner in accordance with its obligations under the Data Protection Act 2018 and professional guidelines. The Council will use all appropriate and necessary means at its disposal to comply with the Data Protection Act and associated guidance and will process data strictly in accordance with the criteria laid out in Appendix 2.
4. Roles and Responsibilities
4.1 Parish Council
The Council will be responsible for ensuring that the organisation complies with its responsibilities under the Data Protection Act through monitoring of activities and incidents via reporting by the Data Protection Officer. The Council will also ensure that there are adequate resources to support the work outlined in this policy to ensure compliance with the Data Protection Act.
4.2 All Staff and Councillors
All staff and councillors will ensure that:
- Personal information is treated in a confidential manner in accordance with this and any associated policies.
- The rights of data subjects are respected at all times.
- Privacy notices are made available on the Council’s website to inform individuals how their data is being processed.
- Personal information is only used for the stated purpose, unless explicit consent has been given by the Data Subject to use their information for a different purpose.
- Personal information is only disclosed on a strict need to know basis, to recipients who are entitled to that information.
- Personal information held within applications, systems, personal or shared drives is only accessed in order to carry out work responsibilities.
- Personal information is recorded accurately and is kept up to date.
- Any subject access requests are handled appropriately (See Subject Access Request Policy).
- Actual or potential breaches of the Data Protection Act are handled appropriately and notified to the Data Protection Officer as soon as the breach is discovered (See Data Breach Policy).
It is the responsibility of all staff and councillors to ensure that they comply with the requirements of this policy and any associated policies or procedures.
4.3 Contractors and Employment Agencies
Where contractors are used, the contracts between the Council and these third parties should contain mandatory information assurance clauses to ensure that the contract staff are bound by the same code of behaviour as members of staff and councillors in relation to the Data Protection Act.
4.4 Volunteers
All volunteers are bound by the same code of behaviour as members of staff and councillors in relation to the Data Protection Act.
5. Records Management
Good records management practice plays a pivotal role in ensuring that the Council is able to meet its obligations to provide information, and to retain it, in a timely and effective manner in order to meet the requirements of the Act. All records should be retained and disposed of in accordance with the Council’s Document Retention Policy (See Document Retention Policy).
6. Consent
The Council will take all reasonable steps to ensure that members of the public, members of staff, volunteers, and contractors are informed of the reasons the Council requires information from them, how that information will be used and who it will be shared with. This will enable the data subject to give explicit informed consent to the Council handling their data where the legal basis for processing is consent.
Should the Council wish to use personal data for any purpose other than that specified when it was originally obtained, the data subject’s explicit consent should be obtained prior to using the data in the new way unless exceptionally such use is in accordance with other provisions of the Act.
Should the Council wish to share personal data with anyone other than those recipients specified at the time the data was originally obtained, the data subject’s explicit consent should be obtained prior to sharing that data; failure to do so could result in a breach of confidentiality.
7. Disclosure
Where a person makes unsolicited contact with the Council in connection with the Council’s statutory duties and powers, the Council may disclose personal data to its members (i.e. the elected councillors) only where that disclosure is necessary to enable the matter raised to be correctly addressed or the data subject has given their consent (including by email). The same principle applies where the unsolicited contact is made directly to a member – the member must ensure that disclosure to the Council (including to other members) is necessary or the data subject has consented.
Where a person contacts the Council in response to a general consultation request from the Council, any views expressed will be presented in an anonymous format and no personal data will be disclosed.
No further disclosure of personal data will occur without the consent of the data subject unless such disclosure is required by law.
8. Accuracy and Data Quality
The Council will ensure that all reasonable steps are taken to confirm the validity of personal information directly with the data subject.
All members of staff and councillors must ensure that individuals’ personal information is checked and kept accurate and up to date on a regular basis.
Where a member of the public exercises their right for their data to be erased, rectified, or restricted, or where a member of the public objects to the processing of their data, the Data Protection Officer must be notified and the appropriate procedures followed.
9. Providers
The Council must have written contracts in place with all suppliers who process personal data on behalf of the Council as “data processors”. The Council will ensure that processors are only appointed if they can provide ‘sufficient guarantees’ through the procurement process that the requirements of the Act will be met and the rights of data subjects protected.
10. Complaints
Any expression of dissatisfaction from an applicant with reference to the Council’s handling of personal information will be treated as a complaint and handled under the Council’s complaints processes. The Data Protection Officer will be involved in responding to the complaint.
Should the complainant remain dissatisfied with the outcome of their complaint to the Council, a complaint can be made to the Information Commissioner’s Office who will then investigate the complaint and take action where necessary.
11. Security and Confidentiality
All staff and councillors must ensure that information relating to identifiable individuals is kept secure and confidential at all times. The Council will ensure that its holdings of personal data are properly secured from loss or corruption and that no unauthorised disclosures of personal data are made.
The Council will ensure that information is not transferred to countries outside the European Economic Area (EEA) unless that country has an adequate level of protection for security and confidentiality of information which has been confirmed by the Information Commissioner.
12. Rights of Data Subjects
Individuals wishing to request their information as a subject access request should contact the Council, who will arrange for the request to be processed in accordance with the Data Protection Act. Further information on this is available in a separate policy document (see Subject Access Request Policy).
Individuals should also make requests in writing to the Council if they wish to exercise their other rights under the legislation.
APPENDIX 1
DATA PROTECTION PRINCIPLES
First Principle: processed lawfully, fairly and in a transparent manner in relation to individuals;
Second Principle: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Third Principle: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Fourth Principle: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Fifth Principle: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
Sixth Principle: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
APPENDIX 2
PROCESSING OF PERSONAL DATA
1. Purpose and manner
The Council will process personal data for the following purposes:
- Performance of its statutory duties and powers, including:
- the management of the Council’s facilities and existing contracts,
- the processing of relevant financial transactions including grant applications and payments for goods and services supplied to the Council,
- the employment of staff,
- the administration of members,
- working in partnership with other public agencies, local and regional groups,
- the conduct of appropriate safeguarding procedures,
- the promotion of the interest of the Council,
- the maintenance of the Council’s records and accounts,
- sending data subjects information they have requested.
- Assessment of and response to the concerns of residents (whether or not in connection with a statutory duty or power) and, where the concern relates to a matter relevant to the Council, the concerns of non-residents
The processing of personal data for the purposes outlined allows the Council to provide an enhanced and effective service to its community and partners, and to respond appropriately to data subjects about matters of concern to them.
The Council processes personal data by collecting, recording, organising, structuring, adapting, retrieving, using, disclosing, disseminating, restricting, erasing or destroying data. The personal data which is or may be processed is listed below:
- Names, titles, contact details such as address, telephone number and email address;
- Where they are relevant to the services provided by the Council, or where a person provides them, the Council may process information such as gender, age, marital status, nationality, education/work histories, family composition and dependants;
- Where a person makes an application to the Council for funding, financial identifiers such as bank account numbers, payment transaction identifiers and claim numbers;
- Where a person provides them to the Council and they are directly relevant to the purpose of the contact with that person, special category data (also known as sensitive information – see section 3);
- Where a person visits the Council’s website, both ‘persistent’ and ‘session’ cookies are used to assist in the website’s use (e.g. by enhancing navigation or recording preferences about how a person previously viewed a webpage, such as the size of text). Cookies cannot be used to identify an individual person.
In the majority of cases the personal data processed by the Council has been provided to the Council by the data subject. Electronic correspondence, together with any attachment, is filed by reference to email address, subject matter and date. All other electronic documents are filed by reference to the data subject’s name. Paper records relating to personal data are digitised, unless impractical to do so. Electronic data, together with regular backup data, is retained securely using suitable password protection. Backup data is protected against theft, fire and flood. Other ‘relevant filing systems’ are held securely in locked units. Data will be deleted in accordance with the Council’s Document Retention Policy.
2. Lawful basis
There are four bases upon which the Council relies for the lawful processing of personal data:
- consent – can be relied upon for any purpose but a controller must be able to demonstrate that consent was given;
- contract – necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering into a contract;
- legal obligation – necessary for compliance with a legal obligation to which the controller is subject;
- public task – necessary for the Council to perform a task in the public interest or for the Council’s official functions, and the task or function has a clear basis in law.
In general, where processing is in connection with a statutory duty or power, including activity under Section 137 Local Government Act 1972, ‘legal obligation’ or ‘public task’ are the lawful bases upon which the Council relies to process the data. However, where the processing also relates to the performance of a contract, the Council relies upon ‘contract’ as the lawful basis. These three lawful bases are often overlapping. Where the Council processes personal data in order to keep data subjects informed of specified Council activities, ‘consent’ will be the lawful basis upon which the Council relies to process that data.
3. Special category data (or sensitive information)
The processing of special category data requires further consideration and must, in addition to the requirement in paragraph 2, comply with one of the conditions listed in Article 9(2) of the GDPR. The Council will not request special category data from data subjects unless there are exceptional circumstances. Special category data is generally processed only in the following two ways:
(i) Where a data subject contacts the Council to complain or raise any issue and, during that contact, reveals special category data about themselves which is specific and integral to the matter of concern raised, or
(ii) Where a data subject provides contact details including special category data about themselves to enable the Council to communicate with them about matters that relate to them as a consequence of the special category data revealed.
In respect of (i) above, the Council will regard the data subject as having consented explicitly to the Council processing that data for that specific purpose. Where the special category data is superfluous to the issue, it will be deleted. With regard to (ii) above, the Council will only process the special category data with the explicit consent of the data subject. Less commonly the Council may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect a person’s interests and they are not capable of giving consent, or where they have already made the information public.