The General Data Protection Regulations (now often known as 'GDPR') came into effect on 25 May 2018. We shall refer to them in this Policy as the 'Regulations'.
The Regulations govern the use of personal data relating to living 'data subjects'. Their purpose is to regulate the way that personal information about living individuals is obtained, stored, used, and disclosed. It doesn't matter how that information is held. The legislation gives individuals a 'right of privacy'. This includes the right to see data stored about them and to require any incorrect information to be put right. In certain cases, compensation may be payable if there has been a mistake.
The Regulations stipulate how personal data must be kept and used. Neasham Parish Council (the 'Council') is registered with the Information Commissioner in compliance with the Regulations.
This Policy Statement sets out the Council's commitment to maintaining the strictest level of confidentiality of personal data within its record systems in accordance with the Regulations. It should be read in conjunction with a detailed Privacy Notice which you can download from the Finance & Administration section of the website.
The Regulations give a number of terms specific meanings which need to be explained here:
Personal Data is any data that relates to a living individual who can be identified from that data. This includes any expression of opinion about the individual and any indication of the intentions of the Council in respect of the individual.
Processing, in relation to information or data, means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including retrieval or disclosure of that information or data.
Data Subject is an individual who is the subject of Personal Data.
Sensitive Personal Data is defined by eight categories of information about the Data Subject relating to:
- racial or ethnic origins
- political opinions
- religious or similar beliefs
- membership of a trade union
- physical or mental health
- sexual life and orientation
- genetic data
- biometric data (e.g. facial recognition or fingerprint data)
Data Protection Officer is a person who, either alone or jointly with others, determines the purposes for which, and the manner in which, personal data is, or will be, processed. The Data Protection Officer for the Council is the Council Member appointed by the Council.
Person relates to a legal person and thus includes a corporate body such as the Council.
Information Commissioner's Office (ICO) is the organisation responsible for administering and enforcing the General Data Protection Regulations 2018 nationally.
The six principles of data protection set out in the Regulations are:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data shall be used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
- Personal data should be adequate, relevant and limited, i.e. only the minimum amount of data should be kept for specific processing.
- Personal data must be accurate and where necessary kept up to date.
- Personal data should not be stored for longer than is necessary, and its storage should be safe and secure.
- Personal data should be processed in a manner that ensures appropriate security and protection.
Scope of the Policy
The Regulations apply to records held in a relevant filing system. As the Council is a public body, this includes structured and less formal files in which personal data relating to an individual may be readily accessible.
This Policy applies equally to all personnel of the Council.
The Council is the Data Controller. It has the responsibility for ensuring the Data Protection Policy is understood and enforced and for administering day to day compliance with the Regulations. The Clerk is responsible for processing data on behalf of the Council.
Documents associated with the operation of the Policy
General Privacy Notice
Privacy Notice for Personnel
You may need to read the relevant privacy notice and print a copy for your records. You may need to print a copy of the Consent Form to complete and return to the Clerk. You will find the documents in the Forms section of the website. The Clerk's contact details for the purposes of GDPR are:
The Clerk, Neasham Parish Council, 14 Teesway, Neasham, Darlington DL2 1QP
Tel: 07915 611456
The Data Protection Policy
The Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be deleted in accordance with the Council's Records Management Policy. Every effort will be made to ensure that data is accurate and up to date, and that inaccuracies are corrected quickly.
The Council will design IT and manual systems to comply with the six principles of the Regulations. The Council will ensure that personal data is treated as confidential, and that access to personal data is restricted to identifiable system users.
The Council is committed in its aim that its employee will be properly trained, fully informed of its obligations under the Regulations, and made aware of his personal liabilities. The Council expects its employee and Councillors to comply fully with this Policy and the Data Protection Principles.
It is the duty of the Clerk acting on behalf of the Council in accordance with the written contract between the Council and the Data Processor (Clerk):
- to comply with the data protection principles, and
- to ensure individuals are informed if their personal data is to be processed by way of a fair processing notice, unless an exemption applies.
The Council must fulfil a request for access to personal data within one calendar month. It will not make a financial charge for this service.
The Council will provide any individual who makes a written request for their personal data with:
- A reply stating whether or not we hold personal data about them.
- A copy of that information, in clear language, unless specific legal exemptions apply.
Disclosure of personal data within the Council to Councillors or officers is on a 'need to know' basis.
Third Party Disclosure / Requests for Data Sharing
The Council will decide on any request for Third Party Disclosure in accordance with the principles set out in the Information Commissioner's Office publication 'Data Sharing Code of Practice'. It will apply as relevant the 'Data sharing check lists' appearing at section 15 of the Code.
A record will be kept of all third party disclosure requests which are received by the Council, which will include the decision made on the request and the reasons for the decision.
Breaches of Data
The Council will nominate a person(s) to be responsible for:
- recording and dealing with any data breaches which may arise,
- outlining a response plan, and
- setting out procedures to be followed.
The responsible person shall notify the ICO of any data breach that meets the reporting criteria, within the prescribed timescale set out in the Regulations.
This Policy was approved by Neasham Parish Council on 1 March 2021