Data Protection Policy


Introduction

St Erth Parish Council (the Council) has a responsibility under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018 to hold, obtain, record, use and store all personal data relating to an identifiable individual in a secure and confidential manner.  This Policy sets out how the Council complies with this legislation to ensure that personal data is processed lawfully, fairly, transparently and securely.

This Policy applies to all Councillors, employees, volunteers, contractors, and any third parties processing personal data on behalf of the Council.

The Council is registered with the Information Commissioner’s Office under Register Entry No. ZA114183.

Types of Data

Personal Data – any information relating to an identified or identifiable living individual.

Special Category Data – personal data revealing:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (for identification)
  • health data
  • sex life or sexual orientation

Criminal Offence Data – personal data relating to criminal convictions and offences.

Data Protection Principles

Article 5 of the UK GDPR requires that personal data must be:

  • processed lawfully, fairly and transparently.
  • collected for specified, explicit and legitimate purposes.
  • adequate, relevant and limited to what is necessary (data minimisation).
  • accurate and, where necessary, kept up to date.
  • kept no longer than necessary (storage limitation).
  • processed securely with appropriate technical and organisational measures.

Lawful Basis for Processing

The Council will only process personal data where a lawful basis applies under Article 6 UK GDPR. These may include:

  • Public Task – where processing is necessary for the performance of a task carried out in the public interest
  • Legal Obligation – where processing is required to comply with law
  • Contract – where processing is necessary to fulfil a contract
  • Consent – where an individual has given clear consent
  • Legitimate Interests – where applicable and balanced against individual rights

Special Category Data is processed only where an additional lawful basis under Article 9 UK GDPR and Schedule 1 of the DPA 2018 applies.

Roles and Responsibilities

The Council is the Data Controller, and as such is responsible for ensuring compliance with data protection legislation.

The Clerk is the Council’s Data Protection Lead and is responsible for:

  • overseeing compliance
  • managing data protection requests
  • reporting data breaches
  • maintaining appropriate records
  • ensuring training is provided

All councillors, staff and contractors must:

  • handle personal data securely
  • follow this policy
  • report suspected breaches immediately

Rights of Data Subjects

The person about whom the information is held (the “data subject”) has various rights under the Act including:

  • the right to be informed about what personal data is being processed;
  • the right of access to that information;
  • the right to rectification of any inaccuracies or incomplete data;
  • the right to erasure of any personal data;
  • the right to restrict processing;
  • the right to data portability i.e. transfer of data to another data controller;
  • the right to object;
  • rights relating to automated decision-making.

Individuals wishing to request their information as a subject access request should refer to the Subject Access Request Policy.

Data Retention

Personal data will be retained only for as long as is necessary for its lawful purpose in accordance with the Council’s Retention Policy.  Data will be reviewed periodically and securely destroyed when no longer required.

Data Security

The Council implements appropriate technical and organisational measures including encryption, secure systems, access controls, password protection, and secure disposal procedures, as set out in the Information Technology Policy.

Data Processors

Where personal data is shared with third parties (for example auditors, IT providers or contractors), the Council will ensure appropriate contracts are in place, data is only shared where lawful and necessary, and appropriate safeguards are implemented.

International Transfers

The Council will ensure that information is not transferred to countries outside the United Kingdom unless those countries are covered by UK adequacy regulations or appropriate safeguards are in place (e.g., standard contractual clauses) in accordance with UK GDPR requirements.

Data Breaches

All data breaches must be reported immediately to the Clerk.  Where a breach is likely to result in a risk to individuals’ rights and freedoms, it will be reported to the Information Commissioner’s Office within 72 hours.  The Clerk will also notify any affected individuals.

Complaints

Complaints regarding data protection should be reported to the Clerk and will be handled under the Council’s Complaints Procedure. Individuals may also lodge a complaint with the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF. Tel: 0303 123 113 www.ico.org.uk.

Review

This policy will be reviewed annually (or earlier if required by changes to legislation or additional documentation) and amended as necessary based on good practice or evidence taken forward.

Adopted at the Council meeting on 23rd March 2021 (254/20-21bi)
Last reviewed on 3rd March 2026 (213/03/25-26b)
Next review due March 2027