Policies & Procedures

Data Protection Policy

Hogsthorpe Parish Council

DATA PROTECTION POLICY

 

This policy should be read in conjunction with the GDPR – Data Privacy Policy

 

Introduction

The Parish Council holds and processes information about employees, Councillors, residents and customers, and other data subjects for administrative and commercial purposes. When handling such information, the Parish Council, and all staff or others who process or use any personal information, must comply with the  Principles which are set out in the General Data Protection regulations and the Data Protection Act 1998 (the Act). In summary these state that personal data shall:

  • be processed fairly and lawfully;
  • be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose;
  • be adequate, relevant and not excessive for the purpose;
  • be accurate and up-to-date;
  • not be kept for longer than necessary for the purpose;
  • be processed in accordance with the data subject’s rights;
  • be kept safe from unauthorised processing, and accidental loss, damage or destruction;
  • not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.

 

Definitions

Staff, Councillors, residents and customers and other data subjects may include past, present and potential members of those groups.

Other data subjects and third parties may include contractors, suppliers, contacts, referees, friends or family members.

Processing refers to any action involving personal information, including holding, obtaining, recording, using or storing.

 

Notification of Data Held

The Parish Council shall notify all staff and Councillors, residents and customers and other relevant data subjects of the types of data held and processed by the Parish Council concerning them, and the reasons for which it is processed. The information which is currently held by the Parish Council and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will be amended. 

 

Staff Responsibilities

All staff shall:

  • ensure that all personal information which they provide to the Parish Council in connection with their employment is accurate and up-to-date;
  • inform the Parish Council of any changes to information, for example, changes of address;
  • check the information which the Parish Council shall make available from time to time, in written or automated form, and inform the Parish Council of any errors or, where appropriate, follow procedures for up-dating entries on computer forms.

 

 

The Parish Council shall not be held responsible for errors of which it has not been informed.

When staff hold or process information about Councillors, residents and customers, colleagues or other data subjects (for example, Councillors, residents and customers’ course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with Data Protection principles.

Staff shall ensure that:

  • all personal information is kept securely;
  • personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party.

 

Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.

When members of staff supervise Councillors, residents and customers doing work which involves the processing of personal information, they must ensure that those Councillors, residents and customers are aware of the Data Protection Principles, in particular, the requirement to obtain the data subject’s consent where appropriate.

 

Councillor and other Data Subjects Responsibilities

All Councillors, residents and customers shall:

  • ensure that all personal information which they provide to the Parish Council is accurate and up-to-date;
  • inform the Parish Council of any changes to that information, for example, changes of address;
  • check the information which the Parish Council shall make available from time to time, and inform the Parish  Council of any errors or, where appropriate, follow procedures for up-dating entries on computer forms.

 

NOTE: The Parish Council shall not be held responsible for errors of which it has not been informed. 

 

Rights to Access Information

Staff, Councillors, residents and customers and other data subjects in the

Parish Council have the right to access any personal data that is being kept about them either on computer or in structured and accessible files. Any person may exercise this right by submitting a request in writing to the Parish Clerk.  This process is called a subject assess request.

The Parish Council will make a charge of £10 for each Subject Access Request under the Act.

The Parish Council aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Parish Clerk to the data subject making the request.

 

Subject Consent

In some cases, such as the handling of sensitive information or the processing of customer data, the Parish Council is entitled to process personal data only with the consent of the individual. Agreement to the Parish Council processing some specified classes of personal data is by agreement with the customer, and a condition of employment for staff. (See Appendix 1)

 

Sensitive Information

The Parish Council may process sensitive information about a person’s health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the Parish Council has a duty under the Children Act 1989 and other enactments to ensure that members of staff are suitable for the job. The Parish Council may also require such information for the administration of the sick pay policy, the absence policy, or the equal opportunities policy.

The Parish Council also asks staff for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The Parish Council will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency.

 

The Data Processor and the Designated Data Processor

The Parish Council (As a Corporate Body) is the data processor under the Act and is ultimately responsible for implementation. Information and advice about the holding and processing of personal information is available from the Clerk to the Council.

 

Retention of Data

The Parish Council will keep different types of information for differing lengths of time, depending on legal and operational requirements.

 

Compliance 

Compliance with the Act is the responsibility of all Councillors,  and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy must be taken up with the Parish Clerk.

 

Any individual, who considers that the policy has not been followed in respect of the processing of personal data about him or herself, must raise the matter with the Data Processor . If the matter is not resolved it should be referred to the staff grievance or complaints procedure.

If the matter cannot be resolved then a complaint can be raised with the Information Commissioners Office.

Telephone - 0303 123 1113

Email - casework@ico.org.uk

Address - Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

 

 

Appendix 1

 

Parish Council Information Processing

 

The Parish Council processes data, including personal data, for the following purposes:

  • Staff, Agent and Contractor Administration
  • Advertising, Marketing and Public Relations (no personal data is processed for this

purpose)

  • Accounts & Records
  • Staff Support Services
  • Research
  • Other Commercial Services
  • Publication of the Village Council Magazine
  • Crime Prevention and Prosecution of Offenders
  • Contractual Purposes (such as village hall bookings)

 

 

ADOPTED on 19 January 2023    Reviewed 1st February 2024