Data Protection Policy
Statement of Commitment
We understand the importance of ensuring that personal data, including sensitive personal data, is always treated lawfully and appropriately and that the rights of individuals are upheld.
We are required to collect, use and hold personal data about individuals. Data is required for the purposes of carrying out our statutory obligations, delivering services and meeting the needs of individuals that we deal with. This includes current, past and prospective employees, service users, members of the public, Members of the Council, our business partners and other local authorities or public bodies.
Policy Objectives
In order to comply with the requirements of the General Data Protection Regulation (GDPR) we will make sure that:
- Any personal data will be collected, used and held, lawfully and appropriately
- Regular data sharing with external partners and other relevant agencies will be subject to information sharing agreements. Partnerships will only be entered into where there is a clear statutory power enabling the council to participate, such as the Crime and Disorder Act 1998
- External agencies contracted to undertake any data processing on our behalf will be required to demonstrate compliance with the General Data Protection Regulation and satisfy the council that they have the necessary technical and organisational measures in place to protect personal data
- There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data
- Training needs are identified and provided to ensure that those handling personal data are trained appropriately
- There is an appointed officer within the organisation who has specific responsibility and knowledge about data protection covering all aspects within the scope of this policy and who is a point of contact for all queries
- There are a number of employees throughout the organisation who have specific, collective responsibilities for data protection
- Data subjects' rights can be fully exercised
- Subject Access Requests are dealt with promptly and courteously
- Any new projects being implemented that involve personal data will undergo a privacy impact assessment
- We will regularly review and update this policy, procedures and guidance for Council employees and members
We are required by law to share or make available some of the personal data we collect and hold. This information may be shared for a number of reasons, including to safeguard public funds, and for the prevention and detection of crime. For more details on this, please read our Privacy Notice.
We are fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR) and are registered as a Data Controller with the Information Commissioner’s Office. Our registration number is Z9180064.
Meeting our Policy’s Objectives
In order to meet the objectives that are listed above, we need to make sure that the following are always considered and that appropriate controls and procedures are in place to ensure compliance with the General Data Protection Regulation (GDPR).
Collecting and Processing Personal Data
- When we collect personal data, we will make sure that, where required, we make individuals aware that their information is being collected, the purpose for which it is being collected and whether it will be shared with any third parties. This will be done through our Privacy Notice. When reviewing documents and forms, we will always consider whether a privacy notice should be included
- No new purpose for processing data will take place until the Information Commissioner’s Office has been notified of the new relevant purpose and the data subjects have been informed and consent has been sought where required
Data Security
- Council employees and members must report any suspected data breaches to the Data Protection Officer for investigation. Where necessary, the Data Protection Officer will notify the Information Commissioner’s Office. Read our Data Breach Policy
- Council employees and Members must use appropriate levels of security to store or share personal data. Read our Information Security Policy
- When new projects involving personal data are being developed, Data Protection Impact Assessments will be carried out by the Project Manager and reviewed by the Information Governance Group in order to assess any privacy risks. Read more about Data Protection Impact Assessments
- An Information Asset register is maintained by the Information Governance Working Group identifying:
  - All personal data held
  - Where it is held
  - How it is processed
  - Who has access to it
  - Who has overall responsibility for it
  - How long it should be kept for
Personal data will not be shared with a third party organisation without a valid business reason. Where required we will notify individuals that the sharing will take place in the form of a privacy notice. If any new purposes for the data sharing are to take place, we will seek consent from the individuals concerned.
When personal data is to be shared regularly with a third party, a Data Sharing Agreement must be implemented.
Any data sharing will also take into consideration:
- Any statutory basis of the proposed information sharing
- Whether the sharing is justified
- How to ensure the security of the information being shared
Data Access
- Our employees and Members will have access to personal data only where it is required in order to fulfil their role
- All data subjects have a right of access to their own personal data. Employees will be made aware of and will provide advice to data subjects about how to request or access their personal data held by us.
- Our employees and Members are aware of what to do when requests for information are made under the General Data Protection Regulation (GDPR)
- Our employees and members are made aware that in the event of a Subject Access Request being received by us, their emails may be searched and relevant content disclosed
- Privacy Notices will include a contact address for data subjects to use if they want to submit a Subject Access Request, make a comment or complaint about how we are processing their data, or about the handling of a Subject Access Request
- A Subject Access Request will be acknowledged to the data subject within 24 hours (check this timescale) with the final response and disclosure of information (subject to exemptions) within 30 calendar days
- A data subject’s personal data will not be disclosed to them until their identity has been verified
- Third party personal data will not be released by us when responding to a Subject Access Request (unless consent is obtained, it is required to be released by law, or it is deemed reasonable to release)
Read more about Subject Access Requests
Compliance with this Policy
- This Policy applies to all our employees, Council members and all people or organisations acting on behalf of the Council
- Each Director/Service Area Manager will ensure compliance with this policy appropriate to the personal data activities within their remit
- If any Council employee, Member or person acting on our behalf is found to have knowingly or recklessly breached the Council’s Data Protection Policy, appropriate disciplinary and/or legal action will be taken
- The Council has a designated Data Protection Officer, and designated officers with data protection responsibilities make up the Information Governance Group
Implementation of this Data Protection Policy will be led by our Data Protection Officer. Any questions or concerns about this policy should be taken up with our Data Protection Officer.