
GENERAL DATA PROTECTION REGULATION POLICY


CONTENTS

  1. Purpose of the policy and background to the General Data Protection Regulation (GDPR)
  2. The Scope of this Policy
  3. Identifying the roles and minimising risk
  4. Data Protection Principles
  5. The Lawful bases of processing
  6. Data breaches
  7. Privacy Notices
  8. Individuals’ Rights
  9. Children
  10. Summary
  11. Document Record

  1. Purpose of the policy and background to the General Data Protection Regulation (GDPR)

This policy explains to councillors, staff, role holders and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy includes the additional requirements of GDPR which apply in the UK from May 2018. This policy explains the duties and responsibilities of the Town Council and it identifies the means by which the council will meet its obligations.

  2. Scope of the Policy

This policy applies to all data created, received or maintained by the Town Council in the course of carrying out its functions.

Data is defined as all personal data of anyone involved in the business carried out by the Town Council.

  3. Identifying the roles and minimising risk

GDPR requires that everyone within the Council must understand the implications of GDPR and that roles and duties can be assigned.

  • A Data Subject is an individual who is the subject of personal data;
  • The Council is the Data Controller;
  • Who is responsible for protecting a person’s personal data? The Town Council as a corporate body has ultimate responsibility for ensuring compliance with the Data Protection legislation.
  • The Council has delegated this responsibility day to day to the Town Clerk.
    • Email: [email protected]
    • Phone: 01805 626135
    • Correspondence: Town Clerk, Great Torrington Town Council, Castle Hill, South Street, Great Torrington, Devon EX38 8AA
  • The Data Processor is the person who processes data on behalf of the Data Controller.

GDPR requires continued care by everyone within the Council in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the Council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and also having to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as medium risk to the Council (both financial and reputational). Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising the number of people who hold data protected information and the Council undertaking training in data protection awareness.

  4. Data Protection Principles

The council will follow the data protection principles below:

Personal data:

  • Must be processed fairly and lawfully and in a transparent manner;
  • Must be collected and held only for specified, explicit and lawful purposes;
  • Must be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • Must be accurate and kept up-to-date;
  • Must not be kept for any longer than is necessary for the stated purpose;
  • Must be processed in a manner that ensures appropriate security of the personal data;
  • Must have appropriate technical and organisational safeguards against unauthorised or unlawful processing;
  • Must not be transferred to any country outside of the European Economic Area unless that country has an adequate level of protection of the rights and freedoms of the data subjects.

  5. Processing Personal Data

The council may process personal data (that is not classed as special categories of personal data) for one or more of the following reasons:

  • it is necessary for the performance of a contract, (or services); and/or
  • it is necessary to comply with any legal obligation; and/or
  • it is necessary for the council’s legitimate interests (or for the legitimate interests of a third party), unless there is a good reason to protect personal data which overrides those legitimate interests; and/or
  • it is necessary to protect the vital interests of a data subject or another person; and/or
  • it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  6. Data breaches

The council has robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur, the council must take notes and keep evidence of that breach. If you are aware of a data breach you must contact the Clerk or Chairman of the Council immediately and keep any evidence you have in relation to the breach. If the council discovers that there has been a breach of HR-related personal data that poses a risk to your rights and freedoms, we will report it to the Information Commissioner within 72 hours of discovery. The council will record all data breaches regardless of their effect. If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell you that there has been a breach and provide you with information about its likely consequences and the mitigation measures we have taken.

  7. Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what a Council does with their personal information. A privacy notice will contain the name and contact details of the person responsible for Data Protection, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice must be detailed on the Information Audit kept by the Council. The Council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved.

  8. Individuals’ Rights

GDPR gives individuals the following rights:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure (the right to be forgotten)
  • the right to restrict processing
  • the right to data portability (to be completed free of charge)
  • the right to object
  • the right not to be subject to automated decision-making, including profiling.

If a request is received to delete information, the person with day-to-day responsibility for GDPR at the Town Council should delete the information within one month.

If a request is manifestly unfounded then the request could be refused, or a charge may apply. The council will be informed of such requests.

  9. Children

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the Council requires consent from young people under 13, the Council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.

  10. Summary

In summary, the main matters arising within this policy are:

  • The Council must be registered with the ICO.
  • A copy of this policy will be available on the Council’s website. The policy will be considered as a core policy for the Council.
  • An information audit will be conducted and reviewed periodically when projects and services change.
  • A privacy notice is available on Great Torrington Town Council’s website.
  • The Town Council will manage the process.

This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.

All employees, role holders and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council.

  11. Document Record

Document: General Data Protection Policy
Original Lead Author(s): Karen Chapman – Town Clerk
Reviewed & updated by: Jennie Smithson – Town Clerk
Developed by: Great Torrington Town Council
Approved by/Date: Policy and Finance 23.09.20
Ratified/Adopted and date: Council Meeting 01.10.20
Review Date: 14 May 2025
Version: 5