GDPR Policy
Policy Adopted on 23rd Feb 2023
This Data Protection Policy takes account of UK and EU law and conventions and specifically to address the General Data Protection Regulations 2018 (GDPR).
1. Data Protection Policy
Anyone who obtains personal information (“data”) about other individuals is a ‘data controller’ and is thus regulated by the Data Protection Act 1998 and the GDPR. The legislation controls what can lawfully be done with information and gives individuals certain rights to control how information about them is obtained, used, stored and distributed. These rights include the right to find out what information a data controller has about them and ask for copies of data. There is also now an enhanced set of Individual Rights that an organisation needs to respect.
The Council is a data controller in relation to all the information that the organisation obtains about employees, agency workers, suppliers, service users, residents and customers.
The Council will seek employees’ specific consent to the organisation processing data in whatever format including sensitive personal data about their employment. Personal data, including sensitive data, may be collected for statistical purposes (e.g. equality & diversity, absences, turnover) or to enable health and safety or employment and pay obligations to be met.
We must be able to demonstrate that any personal data we handle is:-
• processed lawfully, fairly and transparently
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and kept up to date where necessary
• kept for no longer than is necessary where data subjects are identifiable
• processed securely and protected against accidental loss, destruction or damage.
The Council is committed to following these principles. Data will be retained as necessary. Data will be kept in a secure system whether manual or computerised to the best of our ability at all times. When transmitting data this will be password protected and/or encrypted. The Council has no intention of sharing personal data outside the UK.
2. Access to Data
The Clerk will act as the responsible officer for data protection and the General Data Protection Regulations for the Parish Council and be supported in this role by CP Associates.
A request for access to any personal data that relates to an individual will be made by a written request using the Data Access Request form and the originator’s details will be verified. The completed form must be returned to the Clerk. There are no fees chargeable for this.
There may be certain circumstances where a person’s consent cannot be obtained or is not legally required. Before releasing personal data to external organisations (including the police) the organisation will seek to obtain legal advice on its obligations and where necessary ask for a court order or a Magistrates warrant before release of personal information.
The Council’s policy is to provide copies of all data that the organisation is obliged to disclose to third parties within 20 working days of receipt of a request being received by the data protection compliance officer. The Council considers that if a period of less than one year has elapsed since any previous request for access to data was complied with, it is not reasonable to expect us to be obliged to comply with a further request before a year has elapsed unless there are exceptional circumstances.
It is our policy to ensure that all data is as accurate as possible and all necessary steps to ensure that this is the case and to rectify any inaccuracies will be taken (see paragraph 3 below).
For the purposes of the DPA and the GDPR data is any personal information that is collected on an individual for whatever purpose and which is then recorded, processed or stored in some way for legal, business, technical or organisational reasons.
The information can be paper based and filed manually, or electronic and saved on computerised systems or in a “cloud” database. The GDPR extends this to include biometric or visual images that can identify a person, and any automated processing that takes place.
The Council will undertake an audit of all types of data collection, recording and processing taking place and repeat this on an annual basis. We will review the reasons for the data being obtained and justify why this should continue or make a decision it will no longer be obtained. Similarly, we will review the way in which the data is stored and processed to ensure all appropriate safeguards are in place and security/confidentiality measures are effective and will:-
• carry out a risk assessment of data systems and act on the results
• maintain up-to-date security systems (for example, using firewalls and encryption technology)
• restrict access to personal data to only those who demonstrate that they need it
• review data security regularly.
The Council will publish a periodic report on data protection and the measures taken to comply with legislation and individual’s rights.
3. Individuals' rights
While many of these rights are similar to those under the current DPA, the GDPR expands them and introduces new ones. Data subjects have the:-
• right to be informed about the processing of their personal data – the Guidance on Data Protection and this document sets out how the organisation is complying with the data protection requirements for the processing of personal data;
• right to rectification if their personal data is inaccurate or incomplete - on a regular basis employees will be asked to re-confirm or to amend the personal data kept. Requests to amend data will normally have to be processed within one month;
• right of access to their personal data and supplementary information, and the right to confirmation that their personal data is being processed - a statement (sometimes called a Privacy Statement or Notice) will be provided setting out what personal data is being collected, recorded and processed and why, also who has access to this personal data;
• data subject access requests (SARs) anyone can at any time request access to their personal data and a process for such requests will be devised. A SAR will be responded to within 20 working days of receipt (as per GDPR requirements);
• right to be forgotten by having their personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it - when a person receives their statement on what personal data is being collected they will be given the opportunity to challenge any data held on them and ask for its removal;
• right to restrict processing of their personal data, for example, if anyone considers that processing is unlawful or the data is inaccurate - as for the right to be forgotten;
• right to data portability of their personal data for their own purposes (anyone will be allowed to obtain and reuse their data) – data will be kept in a format capable of portability/transferability;
• right to object to the processing of their personal data for direct marketing, scientific or historical research, or statistical purposes - as for the right to be forgotten.
4. Consent
Each person will, on being given their Personal Data Statement, also be asked to give consent to the specific data being collected, stored, recorded and processed, or a legal basis for the information being obtained for which no consent is needed explained.
5. Breach of data protection policy or legal requirements
Any suspected or actual breach of this policy whether direct or indirect, malicious or unintentional must be reported immediately to the Clerk and the ICO (Information Commissioner’s Office) informed.
The Council will implement its Contingency Plan in order to immediately protect personal data and resolve the cause of the breach.
We will consider any serious breach of the policy and data protection rules to be gross misconduct for which the normal penalty will be summary dismissal.
The following elements are where we feel there may be an impact on the DPA/GDPR compliance requirements and therefore are part of this Policy.
6. [Intentionally Blank]
7. Contacting outside of working hours or while absent from the ‘workplace’
Councillors and clerk have a right to privacy outside of the ‘workplace’ and this will be respected and other councillors and members of the community will not access personal data to routinely contact councillors by telephone, email, social media or face to face unless by consent.
8. Confidentiality
Councillors and clerk must not disclose any information of a confidential nature relating to the organisation’s business to any other party without express authority from the council. This extends also to the disclosure of confidential personal data of other employees, agency staff, customers, suppliers or contractors.
Councillors and clerk are not allowed to remove any documents or tangible items which contain any confidential information or intellectual property (such as formulations, manufacturing processes etc.) at any time without proper advance authorisation, this will include computer files, records and other equipment that can be used to store information. If authorised to do so, councillors and clerk must safeguard the information and follow the Data Protection Act/GDPR principles. Upon the termination of employment or time in office, all documents and tangible items which belong to the organisation or which contain or refer to any confidential information must be returned by the councillor or clerk.
Subject to legal requirements or court orders, all confidential information from any re-usable material will be deleted upon the Clerk’s instruction and all other documents and tangible items which contain or refer to any confidential information will be destroyed. This will include computer files, discs and removable drives.
9. Use of computers
In order to maintain the integrity of computer system and records and to protect the confidentiality of any personal data, the following rules must be observed:-
• passwords for access to the system are confidential, must not be revealed to other persons and should be changed regularly;
• all software or disks must be checked before they are loaded onto or even placed in any computer;
• upon the discovery of computer virus and/or corrupted information, the Clerk must be advised immediately;
• the creation, generation, and distribution of materials that are offensive on race, sex, sexual orientation, transgender, disability, age or religious grounds are forbidden;
• it is forbidden to generate and/or distribute material which is offensive to or ridicules other councillors or the clerk;
• in respect of these rules material will be considered offensive if it causes distress to the person who receives or discovers it.
We will consider any serious breach of these rules to be gross misconduct for which the normal penalty will be summary dismissal or resignation.
10. Internet and social media sites
We recognise that in their private time councillors and clerk may wish to publish content on the internet through a variety of means.
Even outside of work they must adhere to the following guidelines when creating, modifying or contributing to websites.
(a) Social networking
The growth of computer use and internet expansion has led to an increase in the use of blogs and social networking sites. The Council has strict guidelines on the use of such sites:-
• the use of social networking sites and blogs must not be allowed to interfere with or bring into disrepute the conduct of the organisation or its name or reputation;
• no councillor or clerk must directly or indirectly refer to or implicate the organisation, other councillors or any of the community on any blog or social networking profile created by them;
• if, in any contribution or posting which identifies or could identify the individual as a councillor, clerk or other affiliate of the organisation, the councillor or clerk expresses an idea or opinion, he/she should include a disclaimer which clearly states that the opinion or idea expressed is that of the individual and does not represent that of the organisation;
• all will be made aware that harassment, defamation and libel laws cover what is said and written on social media and if anyone feels that they have been harassed, bullied or discriminated against, legal action can be taken against the perpetrator including the involvement of the police.
The Council will consider any serious breach of the above guidelines to be gross misconduct which may result in summary dismissal or resignation.
(b) Email/SMS code of conduct
Bullying, harassment or abuse of others through the use of e-mail or SMS is forbidden. This includes sending information that insults or harasses others with respect to sex, sexual orientation, transgender, race, age, disability or religion. It is forbidden to:-
• post confidential information about the Council, councillors or clerk without authorisation.
When replying to an e-mail or SMS, make sure that the reply is for the sender only and not the original mailing list (unless there is a requirement to do so).
Files that have hidden confidential information (e.g. base cost calculations you may have used to generate a quote) should only be sent if within the Data Protection Principles and this Policy. In any case attachments of a sensitive nature should be password protected or encrypted.
Should anyone be subject to harassment or abuse from e-mail or SMS at work from another councillor, clerk, or member of the community, then the matter should be reported immediately to the Clerk for further action.
11. Equality and Equal Opportunities and Anti-Bullying and Harassment at Work
The use of personal data and images in whatever format to discriminate, bully, harass or victimise another person be it a councillor or clerk or not, or using personal data to violate someone’s Human Rights will be treated as gross misconduct and may also leave the organisation and the individuals involved open to criminal and/or civil legal proceedings.
12. Protection against detriment
Councillors, clerk or member of the community will not suffer any detriment, or penalty for challenging the personal data we hold on them or the processes involved, for making subject data access requests or refusing consent to the obtaining, recording or processing of the individual’s personal data.
Anyone concerned about the legal status or ethical use of anyone’s personal data by the organisation should report this immediately to the Clerk.
13. Contractual Position
The above rules and Policy form part of the our code of conduct and everyone is expected to comply with them and the signed acceptance of the role signifies consent to these terms.
14. Evaluation and review
This Policy will be regularly reviewed by the Council to ensure its effectiveness and compliance with the law and any necessary changes agreed and implemented in consultation.
15. Implementation
Any comments or questions about the operation of this Policy should be addressed in writing to the Clerk at the address below.