Information & Data Protection Policy
In order to conduct its business, services and duties, Loggerheads Parish Council processes a wide range of data, relating to its own operations and some which it handles on behalf of partners. In broad terms, this data can be classified as:
• Data shared in the public arena about the services it offers, its mode of operations and other information it is required to make available to the public.
• Confidential information and data not yet in the public arena such as ideas or policies that are being worked up.
• Confidential information about other organisations because of commercial sensitivity.
• Personal data concerning its current, past and potential employees, Councillors, and volunteers.
• Personal data concerning individuals who contact it for information, to access its services or facilities or to make a complaint.
Loggerheads Parish Council will manage responsibly, all data which it handles and will respect the confidentiality of both its own data and that belonging to partner organisations it works with and members of the public. In some cases, it will have contractual obligations towards confidential data, but in addition will have specific legal responsibilities for personal and sensitive information under data protection legislation.
The Council will review and revise this policy, when required, in the light of experience, comments from data subjects and guidance from the Information Commissioners Office.
The Council will be as transparent as possible about its operations and will work closely with public, community and voluntary organisations. Therefore, in the case of all information which is not personal or confidential, it will be prepared to make it available to partners and members of the parishes communities. Details of information which is routinely available is contained in the Council’s Publication Scheme which is based on the statutory model publication scheme for local councils.
Protecting Confidential or Sensitive Information
Loggerheads Parish Council recognises it must at times, keep and process sensitive and personal information about both employees and the public, it has therefore adopted this policy not only to meet its legal obligations but to ensure high standards.
The General Data Protection Regulation (GDPR) which becomes law on 25th May 2018 and will, like the the Data Protection Act 1998 before them, seek to strike a balance between the rights of individuals and the sometimes, competing interests of those such as the Council with legitimate reasons for using personal information.
The policy is based on the premise that Personal Data must be:
• Processed fairly, lawfully and in a transparent manner in relation to the data subject.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Accurate and, where necessary, kept up to date.
• Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
|Data Protection Terminology
Data subject – means the person whose personal data is being processed. That may be an employee, prospective employee, or someone transacting with it in some way.
Personal data – means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, and an address, date of birth, an email address, bank details, and posts on social networking sites or a computer IP address.
Sensitive personal data – includes information about racial or ethnic origin, political opinions, and religious or other beliefs, trade union membership, medical information, sexual orientation, genetic and biometric data or information related to offences or alleged offences where it is used to uniquely identify an individual.
Data controller – Loggerheads Parish Council is the Data Controller under the Act, which means that it determines what purposes personal information held, will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.
Data processor – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing information or data – means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
• organising, adapting or altering it
• retrieving, consulting or using the information or data
• disclosing the information or data by transmission, dissemination or otherwise making it available
• aligning, combining, blocking, erasing or destroying the information or data. regardless of the technology used.
The Data Protection Policy can be downloaded here.