Hanworth Parish Council Data Protection Policy
Purpose of the policy and background to Data Protection
This policy explains to councillors, staff and the public about data protection. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy explains the duties and responsibilities of the council and it identifies the means by which the council will meet its obligations.
Identifying the roles and minimising risk
Data protection legislation requires that everyone within the council understands the implications and that roles and duties are assigned. The Council is the data controller and the clerk is the data processor. It is the Clerk’s duty to undertake an information audit, manage the information collected by the council, issue privacy statements, deal with requests and complaints raised and arrange for the safe disposal of information.
Data protection legislation requires continued care by everyone within the council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as high / medium risk to the council (both financially and reputationally) and one which will be included in the risk assessments of the council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the council undertaking training in data protection awareness.
Data breaches
The Clerk will investigate data breaches. Investigations will be undertaken within one month of the report of a breach and the details and findings will be reported to the full council. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the clerk will also notify those concerned directly.
It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and councillors to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.
Privacy Statement and Privacy Notices
Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the data protection legislation. The most common way to provide this information is in a privacy statement. This statement informs individuals about what the council does with their personal information, how it will be circulated to and between councillors and their legal rights
Privacy notices will be used from time-to-time when data is collected for specific purposes e.g. allotment holders. The notice will contain the name and contact details of the data controller, the purpose for which the data is to be used and the length of time it will be retained. It will be written clearly and will advise the individual that they can, at any time, withdraw their agreement for the use of this data (if applicable). Issuing of a privacy notice will be detailed on the Information Audit kept by the council. The council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved. Where consent is being relied on as the lawful basis for processing the data, privacy notices must contain a positive opt-in and be verifiable.
Information Audit
The Clerk will undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the council undertakes a new activity. The information audit review will be conducted ahead of the review of this policy and the reviews will be minuted.
Individuals’ Rights
Data protection legislation gives individuals rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling.
If a request is received to delete information, then the Clerk must respond to this request within a month. The Clerk has the delegated authority from the Council to delete information.
If a request is considered to be manifestly unfounded then the request could be refused, or a charge may apply. The Council will be informed of such requests and will determine the charge.
Children
There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus, must be written in language that they will understand.
Summary
The main actions arising from this policy are:
- The Council must be registered with the ICO.
- A copy of this policy will be available on the Council’s website.
- An information audit will be conducted and reviewed at least annually or when projects and services change.
- A privacy statement will be available on the council’s website and reference to it will be made in all emails sent from the council’s email address.
- Privacy notices will be issued where appropriate.
- Data Protection will be included in the Council’s risk assessment.
- The full council manages the process.
This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.
All employees, volunteers and councillors are always expected to comply with this policy to protect privacy, confidentiality and the interests of the Council.
Reviewed…May 2022………………….
For review …May 2023…………………