DATA PROTECTION POLICY

Bressingham and Fersfield Parish Council

Version Control

Reviewed            Date      Actions        Status
1st October 2020    2020.01   New document   Draft


Contents

  1. Aim and scope of policy
  2. Types of data held
  3. Data protection principles
  4. Procedures
  5. Access to data
  6. Data disclosures
  7. Data security
  8. International data transfers
  9. Breach notification
  10. Training
  11. Records
  12. Data Protection Officer
  13. Data protection compliance

  1. Aim and scope of policy
    This policy applies to the processing of personal data in manual and electronic records kept by
    Bressingham and Fersfield Parish Council (the Parish Council). It also covers the Parish Council’s
    response to any data breach and other rights under the General Data Protection Regulation.
    This policy applies to the personal data of relevant individuals.
    The Parish Council makes a commitment to ensuring that personal data, including special categories
    of personal data and criminal offence data (where appropriate) is processed in line with GDPR and
    domestic laws and to conduct itself in line with this, and other related, policies. Where third parties
    process data on behalf of the Parish Council, the Parish Council will ensure that the third party takes
    such measures to maintain the Parish Council’s commitment to protecting data. In line with GDPR,
    the Parish Council understands that it will be accountable for the processing, management and
    regulation, and storage and retention of all personal data held in the form of manual records and on
    computers.
    Definitions:
    “Relevant individuals” are Parish Councillors, job applicants, existing and former employees,
    apprentices, volunteers, placement students, workers and self-employed contractors, agents, and
    other role holders within the Parish Council including former staff and former councillors.
    “Personal data” is information that relates to an identifiable person who can be directly or indirectly
    identified from that information, for example, a person’s name, identification number, location, online
    identifier. It can also include pseudonymised data.
    “Special categories of personal data” is data which relates to an individual’s health, sex life, sexual
    orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes
    genetic and biometric data (where used for ID purposes).
    “Criminal offence data” is data which relates to an individual’s criminal convictions and offences.
    “Data processing” is any operation or set of operations which is performed on personal data or on sets
    of personal data, whether or not by automated means, such as collection, recording, organisation,
    structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
    dissemination or otherwise making available, alignment or combination, restriction, erasure or
    destruction.
  2. Types of data held
    Personal data is kept in paper and electronic files. The following types of data may be held by the
    Parish Council, as appropriate, on relevant individuals:
    • name, address, phone numbers – for individual and next of kin
    • CVs and other information gathered during recruitment or appointment
    • references from former employers
    • National Insurance numbers
    • job title, job descriptions and pay grades
    • conduct issues such as letters of concern, disciplinary proceedings
    • holiday records
    • internal performance information
    • medical or health information
    • sickness absence records
    • tax codes
    • terms and conditions of employment
    • training details.
    Relevant individuals should refer to the Parish Council’s privacy notice for more information on the
    reasons for its processing activities, the lawful bases it relies on for the processing and data retention
    periods.
  3. Data protection principles
    All personal data obtained and held by the Parish Council will:
    • be processed fairly, lawfully and in a transparent manner
    • be collected for specific, explicit, and legitimate purposes
    • be adequate, relevant and limited to what is necessary for the purposes of processing
    • be kept accurate and up to date. Every reasonable effort will be made to ensure that
    inaccurate data is rectified or erased without delay
    • not be kept for longer than is necessary for its given purpose
    • be processed in a manner that ensures appropriate security of personal data including
    protection against unauthorised or unlawful processing, accidental loss, destruction or
    damage by using appropriate technical or organisational measures
    • comply with the relevant GDPR procedures for the international transfer of personal data.
    In addition, personal data will be processed in recognition of individuals’ data protection rights, as
    follows:
    • the right to be informed
    • the right of access
    • the right for any inaccuracies to be corrected (rectification)
    • the right to have information deleted (erasure)
    • the right to restrict the processing of the data
    • the right to portability
    • the right to object to the inclusion of any information
    • the right to regulate any automated decision-making and profiling of personal data.
  4. Procedures
    The Parish Council has taken the following steps to protect the personal data of relevant individuals,
    which it holds or to which it has access:
    • It provides information to its employees on their data protection rights, how it uses their
    personal data, and how it protects it. The information includes the actions relevant individuals
    can take if they think that their data has been compromised in any way.
    • It provides its employees with information and training to make them aware of the
    importance of protecting personal data, to teach them how to do this, and to understand how
    to treat information confidentially.
    • It can account for all personal data it holds, where it comes from, who it is shared with and
    also who it might be shared with.
    • It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities
    in its personal data handling and processing, and to take measures to reduce the risks of
    mishandling and potential breaches of data security. The procedure includes an assessment
    of the impact of both use and potential misuse of personal data in and by the Parish Council.
    • It recognises the importance of seeking individuals’ consent for obtaining, recording, using,
    sharing, storing and retaining their personal data, and regularly reviews its procedures for
    doing so, including the audit trails that are needed and are followed for all consent decisions.
    The Parish Council understands that consent must be freely given, specific, informed and
    unambiguous. The Parish Council will seek consent on a specific and individual basis where
    appropriate. Full information will be given regarding the activities about which consent is
    sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent
    at any time.
    • It has the appropriate mechanisms for detecting, reporting and investigating suspected or
    actual personal data breaches, including security breaches. It is aware of its duty to report
    significant breaches that cause significant harm to the affected individuals to the Information
    Commissioner and is aware of the possible consequences.
    • It is aware of the implications of transferring personal data internationally.
  5. Access to data
    Relevant individuals have a right to be informed whether the Parish Council processes personal data
    relating to them and to access the data that the Parish Council holds about them. Requests for access
    to this data will be dealt with under the following summary guidelines:
    • A subject access request should be made to the Clerk to the Parish Council (the Clerk).
    • The Parish Council will not charge for the supply of data unless the request is manifestly
    unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be
    provided to parties other than the employee making the request.
    • The Parish Council will respond to a request without delay. Access to data will be provided,
    subject to legally permitted exemptions, within one month as a maximum. This may be
    extended by a further two months where requests are complex or numerous.
    Relevant individuals must inform the Parish Council immediately if they believe that the data is
    inaccurate, either as a result of a subject access request or otherwise. The Parish Council will take
    immediate steps to rectify the information.
    For further information on making a subject access request, employees should consult with the Clerk.
  6. Data disclosures
    The Parish Council may be required to disclose certain data/information to any person. The
    circumstances leading to such disclosures include:
    • any employee benefits operated by third parties
    • disabled individuals – whether any reasonable adjustments are required to assist them at
    work
    • individuals’ health data – to comply with health and safety or occupational health
    obligations towards the employee
    • for Statutory Sick Pay purposes
    • HR management and administration – to consider how an individual’s health affects his or
    her ability to do their job
    • the smooth operation of any employee insurance policies or pension plans.
    These kinds of disclosures will only be made when strictly necessary for the purpose.
  7. Data security
    The Parish Council adopts procedures designed to maintain the security of data when it is stored and
    transported. In addition, employees must:
    • ensure that all files or written information of a confidential nature are stored in a secure
    manner and are only accessed by people who have a need and a right to access them
    • ensure that all files or written information of a confidential nature are not left where they
    can be read by unauthorised people
    • check regularly on the accuracy of data being entered into computers
    • always use the passwords provided to access the computer system and not abuse them by
    passing them on to people who should not have them
    • use computer screen blanking to ensure that personal data is not left on screen when not
    in use.
    Personal data relating to employees should not be kept or transported on laptops, smart devices, or
    portable, external or other devices, unless authorised by the Clerk.
    Where personal data is recorded on any such device it should be protected by:
    • Ensuring that data is recorded on such devices only where necessary.
    • Using an encrypted system — a folder should be created to store the files that need extra
    protection and all files created or moved to this folder should be automatically encrypted.
    • Ensuring that laptops, smart devices and external drives are not left unattended where they
    can be stolen.
    Failure to follow the Parish Council’s rules on data security may be dealt with via the Parish Council’s
    disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on
    the severity of the failure.
  8. International data transfers
    The Parish Council does not transfer personal data to any recipients outside the EEA.
  9. Breach notification
    Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be
    reported to the Information Commissioner within 72 hours of the Parish Council becoming aware of
    it and may be reported in more than one instalment.
    Individuals will be informed directly if the breach is likely to result in a high risk to the rights and
    freedoms of that individual.
    If the breach is sufficient to warrant notification to the public, the Parish Council will do so without
    undue delay.
  10. Training
    New employees must read and understand the policies on data protection as part of their induction.
    All employees receive training covering basic information about confidentiality, data protection and
    the actions to take upon identifying a potential data breach.
    The nominated data controller/auditors/protection officers for the Parish Council are trained
    appropriately in their roles under the GDPR.
    All employees who need to use the computer system are trained to protect individuals’ private data,
    to ensure data security, and to understand the consequences to them as individuals and the Parish
    Council of any potential lapses and breaches of the Parish Council’s policies and procedures.
  11. Records
    The Parish Council keeps records of its processing activities including the purpose for the processing
    and retention periods in its HR Data Record. These records will be kept up to date so that they
    reflect current processing activities.
  12. Data Protection Officer
    Councils are exempt from the requirement to appoint a Data Protection Officer.
  13. Data protection compliance
    The Clerk is the Parish Council’s appointed compliance officer in respect of its data protection
    activities. The Clerk can be contacted at email bandf.pc@outlook.com