ST DAY PARISH COUNCIL DATA PROTECTION POLICY

1) INTRODUCTION

The Parish Council has a duty to comply with the Data Protection Act 1998. This policy sets out how the Council will process data in order to comply with the Act.

Data is information which:

• Is being processed
• Is recorded with the intention of being processed
• Is recorded on file or is intended to be held on file
• Is none of the above but forms part of an accessible record as defined in section 68
• Is recorded information held by the Council and to which none of the above applies

Personal data is information about a living individual from which that individual can be identified, for example:

• Computer input documents
• Information processed by computer or CCTV
• Information contained in medical records
• Information contained in structured manual records

2) DATA PROTECTION PRINCIPLES

All personal data held by the Council will be processed in a fair and lawful manner and in accordance with the data protection principles as set out below.

Principle 1

The Council will:

a) Only collect and use personal data where it has legitimate grounds.
b) Not use personal data in unjustified ways that will have adverse effects on the individuals concerned.
c) Be transparent about how the data is to be used and individuals whose data may be used will be given appropriate privacy notices when their personal data is collected.
d) Handle people’s personal data in no other way than can be reasonably expected.
e) Ensure that nothing unlawful is done with personal data.

Principle 2

a) The Council will only obtain personal data for one or more specified and lawful purposes. b) Personal data will not be processed in any manner that is not compatible with specified or lawful purposes.
c) The Council will be open about its reasons for obtaining personal data and how that information will be held.
d) The Council will make it clear why personal data is being collected and what it is to be used for.
e) Privacy notices will be given to individuals when their personal data is collected.
f) Personal data will be processed fairly and held in line with the reasonable expectation of each individual whose data is held by the Council.
g) The Council will comply with the requirement to notify the Information Commissioner.
h) Should personal data be disclosed for any other purpose than originally intended any disclosure will be fair.

Principle 3

a) Personal data will be adequate, relevant and not excessive in relation to the purposes for which it is to be processed.
b) Only personal data about an individual that is sufficient for the purpose it is intended will be held.
c) The minimum amount of personal data that the Council requires will be identified in keeping with “data minimisation”.

Principle 4

Personal data held by the Council will be accurate and, where necessary, kept up to date. The Council will do this by:
a) Taking reasonable steps to ensure that personal data obtained is accurate.
b) Ensuring that the source of any personal data is clear.
c) Considering any challenges to the accuracy of information and whether it is necessary to update the information.

Principle 5

Personal data will not be held by the Council for longer than is necessary. The Council will:
a) Review the length of time that personal data is kept.
b) Consider the purpose for which the information is being held to determine whether it needs to be retained or whether it is no longer required.
c) Securely delete information that is no longer needed.
d) Update, archive or securely delete out-dated information.

Principle 6

In compliance with data protection the Council will ensure that individuals have the right to:

a) Access a copy of information containing their personal data.
b) Object to processing of their data that may cause, or is, causing damage or distress.
c) Prevent processing for direct marketing.
d) Object to decisions being taken by automated means.
e) Have inaccurate personal data rectified, blocked, erased or destroyed in certain circumstances.
f) Claim compensation for damages caused by a breach of the Act.

Principle 7

The Council will insure that personal data is held securely and take appropriate measures against:

• Unauthorised or unlawful processing of personal data
• Accidental loss or destruction of, or damage to, personal data.

The Council will do this by:

a) Securing personal data so that it can only be accessed by authorised persons.
b) Ensuring that personal data is backed up by robust policies and procedures.
c) Responding to any breach of security swiftly and effectively.

Principle 8

Personal data will not be transferred to a country or territory outside the EEA unless assurance is given that an adequate level of protection can be guaranteed for the rights and freedoms of data subjects for the processing of personal data.
a) The Council will inform individuals about disclosure of their personal data should it be given or required by third parties overseas.
b) If personal data is sent overseas the Council will ensure that the necessary contracts are in place, if applicable, and that adequate safeguards are in place.

3) DATA PROTECTION ACT AND EMPLOYEES

The Act applies to the monitoring of employees for example:

• To detect crime
• To detect excessive use of telephone calls, private emails and internet use via the Council’s resources.

The Council operates an ‘Internet, email and telephone’ policy which applies to all employees.
The Council reserves the right to withhold Information if it will make it more difficult to detect crime.
The Council will only seek to collect information concerning an employee’s health with the employee’s consent. Once collected this information will be held securely and with limited access to the information. The Council will only collect justified information.

4) EMPLOYEES’ RIGHT TO ACCESS INFORMATION

The Council’s employees have a legal right to access information held by the Council, which includes any information regarding any grievances or disciplinary action, and information gathered through monitoring processes.

5) APPLICATION OF POLICY

This policy applies to all Council employees, councillors and members of the public.

6) DATA CONTROL

The Parish Clerk is the Council’s Data Controller.