Data Protection Policy

(A pdf version of this policy is available for download here)

Introduction

St Erth Parish Council needs to collect and use certain types of information about people who it deals with in order to operate.  This includes information relating to current, past and previous employees, suppliers, customers and others with whom it communicates.

St Erth Parish Council is registered with the Information Commissioner’s Office under Register Entry No. ZA114183.

Types of Data

There is a clear distinction between ‘personal’ data and ‘sensitive personal’ data.

‘Personal’ data is data defined as relating to a living individual who can be identified from: that data; or that data plus other information which is in the possession of the Data Controller and includes an expression of opinion about the individual; and

‘Sensitive Personal’ data is defined as personal data consisting of information relating to:

• racial or ethnic origin;
• political opinion;
• religious or other beliefs;
• trade union membership;
• genetic data;
• biometric data (where used for identification purposes);
• physical or mental health or condition;
• sexual orientation; or
• criminal proceedings or convictions.

Processing Data

In accordance with the General Data Protection Regulations (GDPR) 2018, all organisations which process personal information (whether on paper, in a computer, or recorded on any other media) are required to comply with a number of important principles regarding privacy and disclosure.  This ensures that the information is:

• processed fairly and lawfully;
• only processed for the lawful purpose it was obtained;
• adequate, relevant and not excessive in relation to its purpose;
• accurate and kept up to date;
• not kept for longer than necessary;
• processed in line with the data subject’s rights;
• secure;
• not transferred to other countries without adequate protection.

Through appropriate management St Erth Parish Council will strictly apply the following criteria and controls:

• fully observe conditions regarding the fair collection and use of information;
• meet its legal obligations to specify the purposes for which information is used;
• collect and process relevant information, only to the extent that is required to ensure the quality of information used;
• apply strict checks to determine the length of time that information is held;
• ensure that the rights of the people about whom information is held, are able to be fully exercised under the GDPR;
• take appropriate technical and organisational security measures to safeguard personal information;
• ensure that personal information is not transferred abroad without suitable safeguards.

St Erth Parish Council will also ensure that:

• there is someone with specific responsibility for Data Protection in the organisation (the person currently nominated is the Parish Clerk);
• everyone managing and handling personal information:
  1. fully understands that they are responsible for following good practice in terms of protection;
  2. is adequately trained to do so; and
  3. are appropriately supervised.

Right to Access Information

Staff, Councillors, residents, customers and other data subjects have the right to:

• ask what the Council uses the information for;
• be provided with a copy of the information;
• be given details of the purposes for which the Council uses the information;
• ask that any incorrect data held is corrected.

Any person wishing to see information held about them should write to the Council, addressing the letter to the Parish Clerk. Information required includes name and address, proof of identity, date of birth and any other information which would assist in finding their information.  The Council will respond within 20 working days of receipt of application.

The Council may make a charge of £10 for each official Subject Access Request under the Act.

If an individual notifies the Council that the data is incorrect and requests that it be amended, the Council must advise the individual within 15 working days whether or not the amendment has been made.

Records Management

Good records management practice plays a pivotal role in ensuring that the Parish Council is able to meet its obligations to provide information, and to retain it, in a timely and effective manner in order to meet the requirements of the Act.  All records should be retained and disposed of in accordance with the Document Retention and Disposal Policy.

Breach of Policy

Compliance with the GDPR is the responsibility of all Councillors, residents, customers and members of staff. Any deliberate or reckless breach of the Policy may lead to disciplinary action and where appropriate, legal proceedings.

Any individual who believes that the Council has breached any of the requirements of the GDPR should raise the matter with the Data Controller initially.  Alternatively, a complaint can be made to the Information Commissioner’s Office at the following address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 113
www.ico.org.uk

The Commissioner will carry out an assessment of the Council’s processing to establish whether or not it is compliant with the GDPR.  Should the Council be non-compliant, then the Commissioner will issue a notice requiring it to take steps to ensure compliance.

Freedom of Information

In accordance with the Freedom of Information Act 2000, this Document will be posted on the Council’s Website www.sterth-pc.gov.uk and copies of this document will be available for inspection by contacting the Clerk.

Review

This policy will be reviewed annually (or earlier if required by changes to legislation or additional documentation) and amended as necessary based on good practice or evidence taken forward.