On 25th May 2018, the General Data Protection Regulation (“GDPR”) came into force and the Data Protection Act 1998 (“the DPA”) was replaced by a new Data Protection Act 2018.
The GDPR updates the principles under the DPA, with a view to protecting individuals against infringements of their privacy that cause harm. The GDPR introduced a new transparency requirement, a more robust data minimisation concept and controller accountability. The principles are:
- Lawfulness, fairness & transparency – personal data must be processed lawfully, fairly and in a transparent manner
- Limited lawful purpose – personal data must only be collected for specified, explicit and legitimate purposes
- Data minimisation – personal data collected must be adequate, relevant and limited to what is necessary for the intended purposes, i.e. minimised to what is needed
- Accuracy – personal data must be accurate and, where necessary, kept up to date
- Storage limitation – personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose
- Integrity & confidentiality – personal data must be processed in a manner which ensures its appropriate security
- Accountability – the Council is responsible for, and must be able to demonstrate, compliance with the data protection principles.
The lawful and correct treatment of personal information is extremely important to the Council not only to ensure the Council meets its legal requirements, but also to maintain the confidence of those with whom the Council deals that the Council is acting in an honourable and transparent way.
Processing of Information:
The Council, through appropriate management and strict application of criteria and controls, will, when processing personal information on any individual:
- fully observe the conditions regarding the collection and use of information;
- meet the Council's legal obligations under the GDPR and Data Protection Act 2018 to specify the purpose for which information is used;
- collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement;
- ensure that the information processed is accurate;
- apply strict checks to determine the length of time information is held, and identify destruction dates;
- ensure that the rights of people about whom information is held can be fully exercised under the Act, including:
  - the right to be informed that processing is being undertaken
  - the right of access to personal information
  - the right to prevent processing in certain circumstances
  - the right to correct, rectify, block or erase information that is regarded as wrong;
- ensure technical and organisational security measures are put in place to safeguard personal information;
- ensure that personal information is not transferred outside the European Economic Area without suitable safeguards;
- ensure that staff are reminded that data covered by the GDPR and Data Protection Act is exempt from disclosure under the Freedom of Information Act 2000.
Individuals whose data is collected by the Council must be made aware at the time of collection of all the processes that data may be subject to. No manual or automatic processing of an individual's data can take place unless reasonable steps have been taken to make that individual aware of that processing.
Individuals must also be informed of likely recipients of their information, both internal and external, and also be given details of who to contact in order to query the use or content of their information (firstname.lastname@example.org).
Data Uses and Purposes
All processing performed must be for a purpose that is necessary to enable the Council to perform its duties and services, and which has been notified by the Council to the Information Commissioner. Personal data can only be processed in line with notified purposes.
No new processing may take place UNTIL the Information Commissioner has been notified of the relevant purpose AND the data subjects have been informed and, if legally required, their consent obtained. All new occurrences of, or future developments for, processing of personal data shall therefore be reported to the Electoral Services Officer, who is responsible for maintaining the Council's Data Protection registrations.
All personal data should be regarded as confidential and only disclosed to persons (internal and external) who are listed for the purpose concerned in the Council's current notification AND whose authority has been explicitly established.
Information owned by the Council must not be used for non-Council purposes. This applies when Council data is being processed at employees' homes. Employees may only remove personal data from a Council office with the authority of their Service Lead or the Chief Executive and will be held responsible for any misuse or unauthorised disclosures while the data is in their control.
Customer Relationship Management
The Council has implemented Customer Relationship Management ("CRM") to capture and manage information about our customers. Information collected is stored in a central database, allowing information to be collected once but used many times.
Each customer can make a call to Customer Services where staff will be able to find their details and advise of the progress made on their case. The information is stored safely and securely. It is not used for marketing purposes and is only used to provide a better service to our customers.
The sharing of this customer data across the Council allows the Council to make gains in both efficiency and effectiveness by improving the ability of front line staff to resolve issues at first contact or deal automatically with enquiries that originate over the web.
Information processed shall not be excessive or irrelevant to the notified purposes. Information will be held only for so long as is necessary for the notified purposes, after which it shall be deleted or destroyed. Whenever information is processed, reasonable measures shall be taken to ensure that it is up to date and accurate.
Organisational Responsibilities and Security
- All personal data should be kept secure, in a manner appropriate to its sensitivity and the likely harm should a breach of the Act occur. Security shall be applied to all stages of processing to prevent unauthorised access or disclosure (internal or external), damage (accidental or deliberate) or loss.
- Personal data must not be left on display or unsecured when unattended. Computer software shall be kept secure when not in use. System entry passwords should be known only to the holder and be changed regularly.
- Everyone managing and handling personal information is appropriately trained to do so.
- Everyone managing and handling personal information is appropriately supervised.
- Anybody wanting to make enquiries about handling personal information knows what to do.
- Queries about handling personal information are promptly and courteously dealt with.
- Methods of handling personal information are clearly described.
- A regular review and audit is made of the way personal information is managed.
- Methods of handling personal information are regularly assessed and evaluated.
- Performance with handling personal information is regularly assessed and evaluated.
- The Council has compiled Data Protection Guidance for Staff and all employees are requested to follow the Guidance and to co-operate with the Council to ensure the Guidance is effective.
- It is the duty of individual employees and Members to ensure that personal information held by them is dealt with in accordance with GDPR and the Data Protection Act.
- Any breaches of security shall be reported to the department’s Service Lead and Legal Services for investigation and subsequent remedial action.
Processing carried out by a third party on behalf of the Council shall be subject to a contract, which stipulates compliance with the Principles of the Act and this Policy.
Similarly, when the Council is processing personal data on behalf of a third party it will need to demonstrate that the data is subject to the same standard of care.