Data Protection Policy 2021-2024
| Date Issued | Version | Status | Reason for change |
|---|---|---|---|
| 29 October 2004 | 0.1 | Draft | n/a |
| 9 May 2005 | 0.2 | Draft | Revised Policy in line with established good practice. |
| 20 July 2005 | 1.0 | Approved Policy | Approved by Council Executive (subject to confirmation by Council) |
| 24 December 2009 | To be updated 311210 | Approved Policy | Policy update |
| 15 December 2014 | 2.0 | In draft updated | Policy expired and revised in line with good practice |
| January 2016 | 3.0 | Draft | Light touch refresh |
| February 2018 | 4.0 | Draft | Refreshed in line with UK GDPR and Data Protection Bill 2018 (currently being read in the House of Commons) |
| August 2021 | 5.0 | Final | Review and update |
| November 2023 | 5.1 | Final | Refresh to correct terminology |
Policy Statement
This policy describes the Council’s requirement to comply with Data Protection.
The Data Protection Act 1998 (DPA) was introduced to protect the interests of individuals. The General Data Protection Regulation and the Data Protection Act 2018 update this, in particular bringing the legislation into line with developments in technology. The legislation covers both electronic information and the manual files the Council holds.
The Council processes and keeps personal information about its customers so that it can provide them with the services they require.
The Council must comply with the Data Protection Principles as set out in Article 5 of the UK GDPR:
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.
Scope
This document applies to all Councillors, Committees, Services, Partners, employees of the Council, Contractual third parties and agents of the council who use ICT facilities and equipment, or require remote access to the Council’s Information Systems or information.
This Policy applies to all information which is subject to the Data Protection Act, including:
- All personal data processed by the Council or on behalf of the Council through contract and processing agreements.
- All personal data held in a manual form in filing systems.
- Any personal data held in an accessible record.
Objective
The Council must comply with all relevant legislation and good practice to protect the personal data it holds, and to monitor and review compliance with legislation and introduce changes where necessary.
This policy aims to ensure that personal data is processed fairly and lawfully.
Those who process data must respect the confidentiality of all personal data; this policy provides staff with appropriate procedures to handle such data.
This policy also aims to outline the rights of members of the public in gaining access to their personal data held by the Council, and to assist the Information Commissioner's Office (ICO) as required.
Risks
The Council recognises that there are risks associated with users processing and handling information in order to conduct official Council business.
This policy aims to mitigate the following risks:
- Accidental or deliberate breach of data protection.
- Potential sanctions against the Council or individuals imposed by the ICO as a result of the loss or misuse of the data. The Council could be required to pay a fine up to €20 million for a serious breach of personal data.
- Potential legal action from data subjects on a breach of data protection.
- Council reputational damage as a result of a data protection breach.
Definitions
Data Controller: The person(s) who determines how and the manner in which personal data are or are to be processed (the Council)
Data Processor: The person who processes the data on behalf of the data controller
Data Subject: The person who the personal information is about
Data Sharing: The ability to share the same data resource with multiple applications or users.
Data Protection Officer (DPO): A Data Protection Officer (DPO) is a person in charge of ensuring an organisation’s compliance with the Data Protection Act.
Information Commissioner's Office (ICO): The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Information Asset Owner: A senior member of staff who is nominated for one or more assets, by virtue of managerial position.
Personal Data: Information relating to living people who can be identified from the data or from that data and other information which is in the possession of, or likely to come into the possession of, the data controller.
Processing Data: Includes obtaining, sharing, disclosing, recording, holding, using, erasing or destroying personal information.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.
Special Categories of Data (Sensitive Personal Data): Information relating to the race, political opinion, religious belief, trade union membership, physical or mental health, sexuality and any criminal history of an individual.
Information Management
In order to comply with the Data Protection Principles established in the UK GDPR and the Data Protection Act the following areas of information management must be followed.
Amount of data to be held
The Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be erased once the need to hold it has passed. Every effort will be made to ensure that data is accurate and up-to-date, and that inaccuracies are corrected quickly.
Accuracy of Information
Personal data will be accurate and kept up to date. Steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed.
Data Retention
Personal data will not be kept longer than is necessary for the purpose. This means that the data will be destroyed or erased from our systems when it is no longer required; this will be managed in line with the Council's Data Retention Policy.
Subject Access
Any member of staff who receives a subject access request should forward it to the Performance and Information Governance Officer immediately; the Council must respond within 30 calendar days.
The Council will only disclose personal data to those recipients listed in the Notification Register, or where it is otherwise permitted by law to do so. The council will always endeavour to seek the permission of the data subject where it is required by law to do so. The Council's Privacy Notice provides clarity and transparency with regards to how the council intends to handle personal data.
Data Security
The Council will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage, to personal data.
The Act requires us to put in place organisational procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only the people who are authorised to use the data can access it.
- Integrity means that the personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes.
Disclosures
Disclosures of information must be in accordance with the provisions of the Act and the council’s registration/notification. Where the council has a duty to disclose certain data to public authorities (for example: the Inland Revenue, Customs and Excise, and the Benefits agency), this will be done in accordance with statutory and other requirements.
Legal and internal rules limit disclosure within the authority either to council officers or elected members. When a request for information is made, the minimum of personal data will be made available on a need to know basis as defined by the “Data Protection Principles”. The Data Protection Officer should be consulted if clarification is required.
Public Registers
The Council maintains a number of public registers that contain personal data or data that could be used to identify individuals. Strict compliance with the legislation giving rights of access will be used in all cases.
System Design
The Council intends that personal data must be treated as confidential. Computer and manual systems will be designed to comply with the Principles of the Data Protection Act so that access to personal data should be restricted to identifiable system users. Personal data will be kept in an appropriately controlled and secure environment.
Training
It is the aim of the Council that all staff will be informed of their obligations under the Data Protection Act and aware of their personal liabilities, and where appropriate further training will be given.
Disciplinary Action
The Council expects all of its staff and members to comply fully with this Policy and the Principles of the Data Protection Legislation. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures following from this policy.
Breach of Data Protection
If an employee or member of the public becomes aware that there has been a breach of this Policy, they should immediately report it to the Data Protection Officer, who will be able to advise on the immediate action to be taken.
Upon receipt of notification of a breach, the Data Protection Officer will investigate the allegation and, if substantiated, identify an action plan which includes details of containment and recovery action and an assessment of the risks, and will make the relevant notifications to the ICO and the affected data subjects as required.
The UK GDPR places a legal requirement on the council to report confirmed data breaches to the ICO within 72 hours of being made aware, where the breach is likely to result in a risk to the rights and freedoms of the individual(s). It is therefore essential that all identified breaches are reported to the Data Protection Officer as a matter of urgency.
In addition, the council may be required by the General Data Protection Regulation and Data Protection Act to notify the data subject(s) without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the individual(s).
Responsibilities
Overall responsibility for the efficient administration of the Data Protection legislation lies with the Council, and is managed by the council's Corporate Management Team. Day to day delivery is exercised by the Council's designated Data Protection Officer and supported by the Performance and Information Governance Officer.
Responsibilities of Staff (all staff permanent and temporary)
All staff, whether permanent or temporary, are required to read, understand and accept any policies and procedures that relate to personal data that they may handle in the course of their work.
All Staff have a responsibility for data protection and are required to adhere to this Policy, any associated procedures and to attend any associated training.
All staff must:
- Understand the main concepts within the Data Protection legislation, the data protection principles, special categories of data and informed consent.
- Identify and report any risks to the security of personal data processed by the Council to their line manager or the Information Asset Owner, and any data breaches immediately to the Data Protection Officer.
- Assist their customers/service users to understand their rights and the Council’s responsibilities in regards to data protection.
- Identify and report any subject access requests to the Data Protection Officer (DPO) so that they can be processed in accordance with the Data Protection Act.
It is a requirement of the Council that all temporary staff, agency staff, volunteers, work experience and all managers requesting access to systems for these temporary workers read and undertake to comply with these guidelines in accordance with the DPA and the Council’s Data Protection Policy.
Individuals who do not handle data as part of their normal work have a responsibility to ensure that any personal data they see or hear goes no further. This includes personal data and information extracted from such data. Unauthorised disclosure might occur, for example, by passing information over the telephone, by communicating information contained on a computer print-out, or even inadvertently by reading a computer screen.
Security breaches involving personal data can cause harm and distress to the individuals that they affect. Whilst not all security breaches have such consequences, they can still cause serious embarrassment or inconvenience to the people concerned.
Responsibilities of Managers
All managers are required to ensure that they (and their staff) understand and adhere to this Policy and any associated procedures. They are responsible for ensuring that staff are informed and updated on any changes made to this Policy.
All managers must identify and report any risks or breaches to the security of personal data processed by the Council to their relevant line manager or appropriate Information Asset Owner, who must immediately report the data breach to the Data Protection Officer.
All managers must ensure that their staff undertake training in data protection and information security which is specific to their role. Refresher training will be undertaken periodically.
Day to day responsibility for administration and compliance with the Act is delegated to Directors and Heads of Service, for compliance with the Act’s provisions within their respective areas of authority.
Responsibilities of the Council
As the Council processes personal data on its customers, employees, members, suppliers and members of the public (Data Subjects), the Council is required to notify the ICO about the information it collects, how it uses that information, who it collects it from and who it shares it with. This is done through the Council's registration with the ICO.
This Policy applies to personal data processed by Elected Members in their capacity as Councillors and when carrying out their constituency responsibilities.
For political activities and campaigning for elections, each elected member is individually responsible and may need to notify the ICO personally for these limited purposes.
Responsibilities of the Data Protection Officer
A public authority such as the Council must appoint a Data Protection Officer.
The Data Protection Officer has the following responsibilities:
- To inform and advise the Council and its employees about their obligations to comply with the General Data Protection Regulation and Data Protection Act
- To monitor compliance with the General Data Protection Regulation and Data Protection Act, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
- To be the first point of contact with the ICO and for individuals whose data is processed.
Privacy Impact Assessments
Before undertaking any new work streams or changes to existing ones, including projects, proposals or initiatives that are likely to involve personal data, the Council must carry out a Data Privacy Impact Assessment (DPIA).
DPIAs are a means of addressing privacy risk as part of overall project management. A DPIA is carried out with a view to identifying and managing any risks relating to personal data which is collected, used, stored, distributed and destroyed throughout the project.
The function of the DPIA is to ensure that data protection risks are properly identified and addressed wherever possible and that decision makers have been fully informed of the risks and the options available for mitigating them. For those policies that involve data sharing this could include the risks if data is not shared.
The DPIA will set out information such as the personal data to be collected, how it will be used, how it will be stored, whether it will be shared and for how long it will be retained.
Not every proposal will require a DPIA. The key questions in determining whether a DPIA is needed are:
- Will the proposal involve the processing of personal data of individuals?
- Has a DPIA already been conducted?
If personal data will be processed and there is no existing DPIA, a DPIA should be undertaken.
All DPIAs should be completed using the Council's template and guidance.
Data Handling
Collecting and Using Personal Data
Only collect personal data that is necessary. Nothing should be collected on the grounds that it ‘might come in useful’. Extra care should be taken when collecting or using Special Categories of personal data.
When collecting personal data it is important to ensure that the Data Subject is informed who the data controller is, the purpose(s) for which the personal data is to be used, and any other information about how it will be used and/or shared. This must be provided through the Council's Privacy Notice template.
Personal data must be processed fairly and lawfully. It will be considered to be fairly and lawfully processed if one or more conditions are met; these are listed in Appendix 1.
Personal data should only be used for the purpose(s) for which it is collected and not for any incompatible purpose. If it is to be used for any other purpose then the data subject should be advised of the other purpose(s) it is to be used for and the data subject’s consent must be obtained.
Anonymisation
Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. The ICO's 'Anonymisation Code of Practice' explains the issues surrounding the anonymisation of personal data, and the steps an organisation can take to ensure that anonymisation is conducted effectively while retaining useful data.
Storing Personal Data – individual duties
It is the responsibility of every employee to ensure that personal data is used and stored properly to prevent any unauthorised access.
Personal data should:
- Be stored in locked desks or filing cabinets.
- Only be accessed on Council equipment, protected using industry standard authentication and limited access.
- Not be visible on screens by unauthorised persons (including other members of staff).
- Not be taken out of the Council offices or stored externally unless such use or storage is necessary and authorised by your line manager.
- Only be kept for as long as is necessary and disposed of securely when it is no longer needed.
Personal data should be reviewed regularly and deleted promptly when no longer needed. Duplicate records should be kept to a minimum to reduce the risk of unauthorised access or loss and to avoid anomalies.
Data Subject Access Requests
Any person has the right to ask to see the information the council keeps about them. This is known as a Data Subject Access Request.
To make such a request, a Data Subject Access Request Form is the recommended best practice. The Form is available on the council’s website or by contacting the Performance and Information Governance Officer.
Alternatively, data subjects can write to the Data Protection Officer at Erewash Borough Council, Ilkeston Town Hall, Wharncliffe Road, Ilkeston, Derbyshire DE7 5RP. They can also call us on 0115 9072244, or make a request through one of our social media channels. Phone or social media requests will require a follow-up postal or email address for us to respond to, once the request is validated.
The council will:
- Confirm the identity of the data subject before providing the information.
- Provide the information within 30 calendar days of receiving the proof of identity following the request, or give a reason why it cannot do so.
Processing in line with the data subjects’ rights
Data will be processed in line with data subjects’ rights. Data subjects have a right to:
- Be informed, typically through a privacy notice
- Access their personal data and supplementary information
- Have personal data rectified if it is inaccurate or incomplete
- Request the deletion or removal of personal data where there is no compelling reason for its continued processing
- Restrict processing
- Data portability
- Object to processing based on legitimate interest, performance of task in public interest/exercise of official authority, direct marketing and for scientific/historical research and statistics
- Not be subject to a decision based solely on automated processing
Review of Policy
The Data Protection Policy will be reviewed every three years and approved by the Council Executive, or sooner if legislative changes apply which require formal approval. Minor amendments may be made from time to time to ensure that the Policy remains current, and updates and re-issues will be circulated as necessary.
The Policy will be reviewed sooner in the event of any one or more of the following:
- Weakness in the Policy is identified/highlighted;
- Weaknesses in hardware and software controls are identified;
- New threat(s) emerge or risks change;
- Changes in legislative requirements are received;
- Changes in local and/or national Government occur which are relevant to a review; and
- New directives are received.
Contact Details
The council’s Statutory Data Protection Officer can be contacted at:
Data Protection Officer
Erewash Borough Council
Town Hall
Wharncliffe Road
Ilkeston
Derbyshire DE7 5RP
External and Internal Registration/Notification
The Council has an external registration/notification with the Information Commissioner. The Register can be searched at www.ico.gov.uk
The Erewash Borough Council registration references are:
- Z5708006 Erewash Borough Council
- Z5707929 Electoral Registrar of Erewash Borough Council
The Register Entry gives general descriptions of the type of data processing activities carried out by Local Government. The Register Entry is therefore supplemented by an internal register of data repositories, maintained by the Performance and Information Governance Officer.
Appendix 1 Basis for processing personal data
Under the General Data Protection Regulation there must be a lawful basis for all processing of personal data (unless an exemption or derogation applies).
Article 6(1) of the UK GDPR details the lawful bases for processing, which are summarised below.
Consent
- Article 6(1)(a) – Processing is permitted if the data subject has consented to the processing
Contractual necessity
- Article 6(1)(b) – Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract.
Compliance with legal obligation
- Article 6(1)(c) – Processing is permitted if it is necessary for compliance with a legal obligation.
Vital Interest
- Article 6(1)(d) – Processing is permitted if it is necessary to protect the vital interests of the data subject or of another natural person (for example children of the data subject).
Public Interest
- Article 6(1)(e) – Processing is permitted if it is necessary for the performance of a task carried out in the exercise of official authority vested in the controller (processing on this basis may be subject to objections from the data subject).
Legitimate Interest
- Article 6(1)(f) – Processing is permitted if it is necessary for the purposes of the legitimate interests pursued by the controller (or by a third party), except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.
- The UK GDPR removes this lawful basis from the use of Public Authorities in the performance of their public duties. However, the Data Protection Bill 2018 seeks to make this available for use by Public Authorities. Please discuss with the Data Protection Officer before using this option.
Processing Sensitive Personal Data
Article 9 states that the processing of Sensitive Personal Data is prohibited unless one of the following conditions for processing is established:
- Explicit Consent, Article 9(2)(a) – the data subject has given explicit consent.
- Employment Law, Article 9(2)(b) – the processing is necessary in the context of employment law, or laws relating to social security and social protection.
- Vital Interests, Article 9(2)(c) – the processing is necessary to protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.
- Charity or not-for-profit bodies, Article 9(2)(d) – the processing is carried out in the course of the legitimate activities of a charity or a not-for-profit body, with respect to its own members, former members or persons with whom it has regular contact in connection with its purposes.
- Data manifestly made public by the data subject, Article 9(2)(e) – the processing relates to personal data which have been manifestly made public by the data subject.
- Legal claims, Article 9(2)(f) – the processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity.
- Reasons of substantial public interest, Article 9(2)(g) – the processing is necessary for reasons of substantial public interest, and occurs on the basis of a law that is, inter alia, proportionate to the aim pursued and protects the rights of data subjects.
- Medical diagnosis and treatment, Article 9(2)(h) – the processing is required for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health and social care systems and services.
- Public Health, Article 9(2)(i) – the processing is necessary for reasons of public interest in the area of public health.
- Historical, statistical or scientific purposes, Article 9(2)(j) – the processing is necessary for archiving purposes in the public interest, or for historical, scientific, research or statistical purposes.
- Exemptions under national law, Article 9(4) – these will be introduced through the Data Protection Bill/Act 2018.
Appendix 2 Key Messages
Managers are responsible for ensuring users are aware of the Policy and are allowed the time for essential training and any follow up necessary.
Managers involved in any work streams must undertake a Privacy Impact Assessment before any formal decisions are made.
It is the responsibility of all users to ensure that they handle data in compliance with this Policy and the Data Protection Act.
Data subject access requests must be dealt with by the Performance and Information Governance Officer in accordance with the Data Protection Act and all time constraints.
All data protection breaches must be reported to the Data Protection Officer.
Do’s and Don’ts of Data Protection:
- Do check that you have consent to share data
- Do check that you have an information sharing agreement in place
- Do think about data as if it were about you
- Do only hold data for as long as it is needed
- Do destroy files correctly and confidentially
- Do make sure you have correct and accurate data
- Do not share your passwords
- Do not leave your PC or device unlocked when away from your desk
- Do not leave documents on your desk if they contain personal or special categories of data
- Do not disclose personal information unless you are sure you can and you know who is asking for it.
If in doubt contact the Data Protection Officer for support and advice.
Review Date: August 2024
Owner: Data Protection Officer