Skip to content Skip to left sidebar Skip to footer

Policy Documents

ACCESSIBILITY STATEMENT

Accessibility statement for Bressingham and Fersfield Community Website

This website is a community website funded and maintained by Bressingham and Fersfield Parish Council. We want as many people as possible to be able to use this website. For example, that means you should be able to:

  • navigate most of the website using just a keyboard
  • navigate most of the website using speech recognition software
  • listen to most of the website using a screen reader (including the most recent versions of JAWS, NVDA and VoiceOver)

The layout and text of the website has been designed to be as simple as possible to understand.

AbilityNet has advice on making your device easier to use if you have a disability.

How accessible this website is

We know some parts of this website are not fully accessible:

  • You can increase the text size to as much a 300% whilst maintaining readability
  • You cannot modify the line height or spacing of text
  • We can’t guarantee the full accessibility of our PDF documents or Word documents to screen reader software

What to do if you cannot access parts of this website

If you need information on this website in a different format like accessible PDF, large print, easy read, audio recording or braille:

We’ll consider your request and get back to you in 14 days.

Reporting accessibility problems with this website

We’re always looking to improve the accessibility of this website. If you find any problems not listed on this page or think we’re not meeting accessibility requirements, contact: mail@bressinghamandfersfield.org

Enforcement procedure

The Equality and Human Rights Commission (EHRC) is responsible for enforcing the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 (the ‘accessibility regulations’). If you’re not happy with how we respond to your complaint, contact the Equality Advisory and Support Service (EASS).

Technical information about this website’s accessibility

Bressingham Parish Council Parish Council is committed to making its website accessible, in accordance with the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018.

This website is partially compliant with the Web Content Accessibility Guidelines version 2.1 AA standard.

Non-compliance with the accessibility regulations

None

Disproportionate burden

None

How we tested this website

This website was last tested on 19/07/2021. The test was performed using the Wave Accessibility software.

Elements tested:

What we’re doing to improve accessibility

We continue to monitor this website’s accessibility and improve on it where we can. We follow a specific set of guidelines to ensure all our content meets the WCAG 2.1 Standard.

This statement was prepared on 19/07/2021. It was last updated on 01/08/2021.

RECORDS RETENTION POLICY

Download PDF

Bressingham and Fersfield Parish Council
Records Retention Policy


Version Control

ReviewedDateActionsStatus
1st October 2020 2020.01 New document Draft
ReviewedDateActionsStatus


Contents

  1. Introduction………………………………………………………………………………………………………………………. 2
  2. Scope………………………………………………………………………………………………………..…………………… 2
  3. Responsibilities………………………………………………………………………………………………………………….. 2
  4. Retention Schedule …………………………………………………………………………………………………………… 32

  1. Introduction
    This document describes the policy framework by which Bressingham and Fersfield Parish
    Council (the Council) manages is records, to comply with its legal and regulatory obligations
    and to contribute to its effectiveness.
  2. Scope
    Records are defined as all those documents which facilitate the business carried out by the Council and
    which are thereafter retained (for a set period) to provide evidence of its transactions or activities.
    This policy applies to all records created, received or maintained by the Council in the course of
    carrying out its functions. These records may be created, received or maintained in hard copy or
    electronically. A small percentage of the Council records may be selected for permanent preservation
    as part of the Councils archives and for historical research.
  3. Responsibilities
    The Council recognizes its corporate responsibility to maintain its records and record management
    systems in accordance with the regulatory environment.
    The Clerk to the Council (the Clerk) has overall responsibility for this policy and for records
    management. The Clerk will give guidance for good records management practice and will promote
    compliance with this policy so that information will be retrieved easily, appropriately and in a timely
    manner.
    Relevant individuals, including Councillors, Employees and any other individuals appointed or
    contracted to create, maintain or dispose of records, must ensure that records for which they are
    responsible are accurate and are maintained and disposed of in accordance with the Council’s
    records management guidelines.
    .
  4. Retention Schedule
    The retention schedule refers to record series regardless of the media in which they are stored.
Document Category Minimum Retention PeriodReason
Administration & Finance
Minutes of Council meetingsIndefiniteArchive
Minutes of committee meetingsIndefiniteArchive
Scales of fees and charges6 yearsManagement
Receipt and payment accountsIndefiniteArchive
Receipt books of all kinds6 yearsVAT
Bank Statements, including
deposit/savings accounts
Last completed audit yearAudit
Bank paying-in booksLast completed audit yearAudit
Cheque book stubsLast completed audit yearAudit
Quotations and tenders6 yearsLimitations Act 1980 (as
amended)
Paid invoices6 years
VAT
Paid cheques6 yearsLimitations Act 1980 (as
amended)
VAT records6 years generally but 20
years for VAT on rents
VAT
Petty cash, postage and
telephone books
6 yearsTax, VAT, Limitations Act
1980 (as amended)
Wages books12 yearsSuperannuation
Insurance policiesWhile validManagement
Certificates for
Insurance against
liability for employees
40 years from date on which
insurance commenced or was
renewed
The Employers’ Liability
(Compulsory Insurance)
Regulations 1998 (SI.2753),

Investments
IndefiniteAudit, Management
Title deeds, leases, agreements,
contracts
Indefinite Audit, Management
Members allowances register6 yearsTax, Limitation Act 1980 (as
amended)
Employment
Staff employment contracts6 years after ceasing
employment
Management
Staff payroll information3 yearsManagement
Staff references6 years after ceasing
employment
Management
Application forms (interviewed –
unsuccessful)
6 monthsManagement
Application forms (interviewed –
successful)
6 years after ceasing
employment
Management
Disciplinary files6 years after ceasing
employment
Management
Staff appraisals6 years after ceasing
employment
Management
Health and Safety
Accident books3 years from date of last entryStatutory
Risk assessmentAt least until a further risk
assessment has taken place
which renders the first one
obsolete – though 10 years if
there have been potentially
dangerous exposures
Management
General Management
Councillors contact details Duration of membership Management
Lease agreements12 yearsLimitation Act 1980
Contracts6 yearsLimitation Act 1980
Email messages At end of useful life Management
Consent forms At end of useful lifeManagement

GENERAL PRIVACY NOTICE

Download PDF

Bressingham and Fersfield Parish Council
GENERAL PRIVACY NOTICE

Version Control

ReviewedDateActionsStatus
1st October 2020 2020.01 New document Draft
ReviewedDateActionsStatus

Contents

  1. Processing of Personal Data ………………………………………………………………………………………………… 2
  2. Who we Are ……………………………………………………………………………………………………………………. 2
  3. How we use Personal Data ………………………………………………………………………………………………….. 2
  4. The Legal basis for processing your personal data………………………………………………..……………………….. 4
  5. Personal Data that we Process and Why……………………………………………………………..…………………….. 4
  6. Sharing your personal data………………………………………………………………………………….……………….. 5
  7. How long do we keep your personal data? …………………………………………………………………………………. 5
  8. Your rights and your personal data …………………………………………………………………………….……………. 6
  9. Transfer of Data Abroad ……………………………………………………………………………………………………… 7
  10. Further processing………………………………………………………………………………………………….………….. 7
  11. Changes to this notice………………………………………………………………………………………………….……… 7
  12. Contact Information ………………………………………………………………………………………………………….. 72
  13. Processing of personal data
  1. Processing of personal data
    The processing of personal data is governed by legislation relating to personal data which applies in
    the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other
    legislation relating to personal data and rights such as the Human Rights Act.
    “Personal data” is any information about a living individual which allows them to be identified from
    that data e.g. a name, photographs, videos, email address, or address.
    Identification can be directly using the data itself or by combining it with other information which
    helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than
    names but if you use a separate list of the ID numbers which give the corresponding names to identify
    the staff in the first list then the first list will also be treated as personal data).
  2. Who we are.
    This Privacy Notice is provided to you by Bressingham and Fersfield Parish Council (the Parish Council).
    Website: https://bressinghamandfersfield.org
    Address: Bressingham and Fersfield Parish Council, c/o The Clerk to the Parish Council.
    Email: bandf.pc@outlook.com
    The Parish Council complies with Data Protection Law.
    We are a “data controller” for the data that we process about you.
    We will always take account of your interests and rights if we process your data.
  3. How we use personal data.
    This General Privacy Notice sets out your rights and the Parish Council’s obligations to you.
  4. Data Protection Law says that the personal data we hold about you must be:
    • Used lawfully, fairly and in a transparent way.
    • Collected only for valid purposes that we have clearly explained to you and not used in any
    way that is incompatible with those purposes.
    • Relevant to the purposes we have told you about and limited only to those purposes.
    • Accurate and kept up to date.
    • Kept only for as long as is necessary for the purposes we have told you about.
    • Kept and destroyed securely, including ensuring that appropriate technical and security
    measures are in place to protect your personal data to protect personal data from loss,
    misuse, unauthorised access and disclosure.
  5. We use your personal data for some of or all the following purposes:
    • To deliver public services including to understand your needs to provide the services that
    1 Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with
    others, determines the purposes and means of the processing of personal data.3
    you request and to understand what we can do for you and inform you of other relevant
    services.
    o To promote the interests of the Parish Council.
    o To maintain our own accounts and records.
    o To seek your views, opinions or comments.
    o To notify you of changes to our facilities, services, events, councillors and other role
    holders.
    o To send you communications which you have requested and that may be of interest
    to you. These may include information about campaigns, appeals, other new projects
    or initiatives.
    o To process relevant financial transactions including grants and payments for goods
    and services supplied to the Parish Council
    o To allow the statistical analysis of data so we can plan the provision ofservices.
    • To enable us to meet all legal and statutory obligations and powers including any delegated
    functions.
    • To confirm your identity to provide some services.
    • To contact you by post, email, telephone or using social media (e.g. Facebook, Twitter,
    WhatsApp).
    • To help us to build up a picture of how we are performing.
    • To prevent and detect fraud and corruption in the use of public funds and where necessary
    for the law enforcement functions.
    • To carry out comprehensive safeguarding procedures (including due diligence and
    complaints handling) in accordance with best safeguarding practice from time to time with
    the aim of ensuring that all children and adults-at-risk are provided with safe environments
    and generally as necessary to protect individuals from harm or injury.
    • Our processing may also include the use of CCTV systems for the prevention and prosecution
    of crime.
  6. We work with other Data Controllers, including but not restricted to:
    • Local authorities
    • Community groups
    • Charities
    • Other not for profit entities
    • Contractors
    • Credit reference agencies
    We may need to share your personal data we hold with them so that they can carry out their
    responsibilities to the Parish Council.
    If we and the other data controllers listed above are processing your data jointly for the same
    purposes, then the Parish Council and the other data controllers may be “joint data controllers” which
    means we are all collectively responsible to you for your data. 4
    Where each of the parties listed above are processing your data for their own independent purposes
    then each of us will be independently responsible to you and if you have any questions, wish to
    exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the
    relevant data controller.
  7. The legal basis for processing your personal data.
    The Parish Council is a public authority and has certain powers and obligations.
    Most of your personal data is processed for compliance with a legal obligation which includes the
    discharge of the Parish Council’s statutory functions and powers.
    Sometimes when exercising these powers or duties it is necessary to process personal data of
    residents or people using the Parish Council’s services.
    We may process personal data if it is necessary for the performance of a contract with you, or to take
    steps to enter into a contract. An example of this would be processing your data in connection with
    your use of our facilities, resources or equipment.
    Sometimes the use of your personal data requires your consent. In that situation we will obtain your
    consent to that use, first.
  8. Personal data that we process and why.
    The Parish Council will process some, or all, of the following personal data where necessary to
    perform its tasks:
    • Names, titles, and aliases.
    • Photographs.
    • Contact details such as telephone numbers, addresses, and email addresses.
    • Where they are relevant to the services provided by a council, or where you provide them to
    us, we may process information such as gender, age, marital status, nationality,
    education/work history, academic/professional qualifications, hobbies, family composition,
    and dependents.
    • Where you pay for activities such as use of a council resource or facility, we may process
    financial identifiers such as bank account numbers, payment card numbers,
    payment/transaction identifiers, policy numbers, and claim numbers.
    Sensitive and Special Categories of Data
    The personal data we process may include sensitive or other special categories of personal data such as
    criminal convictions, racial or ethnic origin, mental and physical health, details of injuries, medication
    or treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data
    concerning and sexual life or orientation.
    These types of data are described in the GDPR as “Special categories of data” and require higher levels
    of protection. We need to have further justification for collecting, storing and using this type of
    personal data.
    We may process special categories of personal data in the following circumstances:
    • In limited circumstances, with your explicit written consent.5
    • Where we need to carry out our legal obligations.
    • Where it is needed in the public interest.
    Including, as appropriate:
    • information about your physical or mental health or condition in order to take decisions on
    your fitness to take part in activities that we may offer you.
    • your racial or ethnic origin or religious or similar information, to monitor compliance with
    equal opportunities legislation.
    • To comply with legal requirements and obligations to third parties.
    Less commonly, we may process this type of personal data where it is needed in relation to legal
    claims or where it is needed to protect your interests (or someone else’s interests) and you are not
    capable of giving your consent, or where you have already made the information public.
    Do we need your consent to process your sensitive personal data?
    In limited circumstances, we may approach you for your written consent to allow us to process
    certain sensitive personal data. If we do so, we will provide you with full details of the personal data
    that we would like and the reason we need it, so that you can carefully consider whether you wish to
    consent.
  9. Sharing your personal data.
    This section provides information about the third parties with whom the Parish Council may share
    your personal data.
    These third parties have an obligation to put in place appropriate security measures and will be
    responsible to you directly for the way in which they process and protect your personal data.
    It is likely that we will need to share your data with some, or all, of the following but we will do so
    only where necessary:
    • The Data Controllers listed in Section 4.
    • Our agents, suppliers and contractors. For example, we may ask a commercial provider to
    publish or distribute newsletters on our behalf, or to maintain our website or database
    software.
    • On occasion, other local authorities or not for profit bodies with which we are carrying out
    joint ventures e.g. in relation to facilities or events for the community.
  10. How long do we keep your personal data?
    In general, we keep data only for as long as we need it. This means that we will delete it when it is no
    longer needed.
    Exceptions:
    • We will keep some records permanently if we are legally required to do so.
    • We may keep some other records for an extended period. For example, it is currently best
    practice to keep financial records for a minimum period of 8 years to support HMRC audits or
    provide tax information.
    • We may have legal obligations to retain some data in connection with our statutory obligations 6
    as a public authority.
    • The Parish Council is permitted to retain data to defend or pursue claims. In some cases, the
    law imposes a time limit for such claims (for example 3 years for personal injury claims or 6
    years for contract claims). We will retain some personal data for this purpose for as long as we
    believe it is necessary to be able to defend or pursue a claim.
  11. Your rights and your personal data
    You have the following rights with respect to your personal data.
    When exercising any of the rights listed below, we may need to verify your identity for your security
    before processing your request. In such cases we will need you to respond with proof of your identity
    before you can exercise these rights.
  12. The right to access personal data we hold on you.
    • At any point you can contact us to request the personal data we hold on you as well as why we
    have that personal data, who has access to the personal data and where we obtained the
    personal data from. Once we have received your request, we will respond within one month.
    • There are no fees or charges for the first request but additional requests for the same personal
    data or requests which are manifestly unfounded or excessive may be subject to an
    administrative fee.
  13. The right to correct and update the personal data we hold on you.
    • If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your
    data will be updated.
  14. The right to have your personal data erased.
    • If you feel that we should no longer be using your personal data or that we are unlawfully using
    your personal data, you can request that we erase the personal data we hold.
    • When we receive your request, we will confirm whether the personal data has been deleted or
    the reason why it cannot be deleted (for example because we need it for to comply with a legal
    obligation).
  15. The right to object to processing of your personal data or to restrict it to certain purposes
    only.
    • You have the right to request that we stop processing your personal data or ask us to restrict
    processing.
    • Upon receiving the request, we will contact you and let you know if we are able to comply or if
    we have a legal obligation to continue to process your data.
  16. The right to dataportability
    • You have the right to request that we transfer some of your data to another controller. We will
    comply with your request, where it is feasible to do so, within one month of receiving your
    request.
    • The right to withdraw your consent to the processing at any time for any processing of data to
    which consent was obtained.
    • You can withdraw your consent easily by telephone, email, or by post (see Section 12 Contact
    Details).7
  17. The right to lodge a complaint with the Information Commissioner’s Office.
    • You can contact the Information Commissioners Office on 0303 123 1113 or via email
    https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office,
    Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
  18. Transfer of Data Abroad
    Any personal data transferred to countries or territories outside the European Economic Area (“EEA”)
    will only be placed on systems complying with measures giving equivalent protection of personal
    rights either through international agreements or contracts approved by the European Union. Our
    website is also accessible from overseas so on occasion some personal data (for example in a
    newsletter) may be accessed from overseas.
  19. Further processing
    If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we
    will provide you with a new notice explaining this new use prior to commencing the processing and
    setting out the relevant purposes and processing conditions. Where and whenever necessary, we will
    seek your prior consent to the new processing.
  20. Changes to this notice
    This Privacy Notice is reviewed regularly. The current version is available on this website:
    https://bressinghamandfersfield.org/
  21. Contact Information
    Please contact us if you have any questions about this General Privacy Notice or the personal data we
    hold about you, or to exercise all relevant rights, or make queries or complaints at:
    Email: bandf.pc@outlook.co

DATA PROTECTION POLICY

Download PDF

Bressingham and Fersfield Parish Council

DATA PROTECTION POLICY

Version Control

ReviewedDateActionsStatus
1st October 2020 2020.01 New document Draft
ReviewedDateActionsStatus


Contents

  1. Aim and scope of policy………………………………………………………………………………………………………. 2
  2. Types of data held………………………………………………………………………………………………………………. 2
  3. Data protection principles…………………………………………………………………………………………………… 3
  4. Procedures………………………………………………………………………………………………………………………… 4
  5. Access to data……………………………………………………………………………………………………………………. 4
  6. Data disclosures…………………………………………………………………………………………………………………. 5
  7. Data security ……………………………………………………………………………………………………………………… 5
  8. International data transfers …………………………………………………………………………………………….. 6
  9. Breach notification……………………………………………………………………………………………………………… 6
  10. Training …………………………………………………………………………………………………………………………. 6
  11. Records…………………………………………………………………………………………………………………………. 6
  12. Data Protection Officer……………………………………………………………………………………………………. 6
  13. Data protection compliance …………………………………………………………………………………………….. 62
  1. Aim and scope of policy
    This policy applies to the processing of personal data in manual and electronic records kept by
    Bressingham and Fersfield Parish Council (the Parish Council). It also covers the Parish Council’s
    response to any data breach and other rights under the General Data Protection Regulation.
    This policy applies to the personal data of relevant individuals.
    The Parish Council makes a commitment to ensuring that personal data, including special categories
    of personal data and criminal offence data (where appropriate) is processed in line with GDPR and
    domestic laws and to conduct itself in line with this, and other related, policies. Where third parties
    process data on behalf of the Parish Council, the Parish Council will ensure that the third party takes
    such measures to maintain the Parish Council’s commitment to protecting data. In line with GDPR,
    the Parish Council understands that it will be accountable for the processing, management and
    regulation, and storage and retention of all personal data held in the form of manual records and on
    computers.
    Definitions:
    “Relevant individuals” are Parish Councillors, job applicants, existing and former employees,
    apprentices, volunteers, placement students, workers and self-employed contractors, agents, and
    other role holders within the Parish Council including former staff and former councillors.
    “Personal data” is information that relates to an identifiable person who can be directly or indirectly
    identified from that information, for example, a person’s name, identification number, location, online
    identifier. It can also include pseudonymised data.
    “Special categories of personal data” is data which relates to an individual’s health, sex life, sexual
    orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes
    genetic and biometric data (where used for ID purposes).
    “Criminal offence data” is data which relates to an individual’s criminal convictions and offences.
    “Data processing” is any operation or set of operations which is performed on personal data or on sets
    of personal data, whether or not by automated means, such as collection, recording, organisation,
    structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
    dissemination or otherwise making available, alignment or combination, restriction, erasure or
    destruction.
  2. Types of data held
    Personal data is kept in paper and electronic files. The following types of data may be held by the
    Parish Council, as appropriate, on relevant individuals:
    • name, address, phone numbers – for individual and next of kin
    • CVs and other information gathered during recruitment or appointment
    • references from former employers
    • National Insurance numbers
    • job title, job descriptions and pay grades3
    • conduct issues such as letters of concern, disciplinary proceedings
    • holiday records
    • internal performance information
    • medical or health information
    • sickness absence records
    • tax codes
    • terms and conditions of employment
    • training details.
    Relevant individuals should refer to the Parish Council’s privacy notice for more information on the
    reasons for its processing activities, the lawful bases it relies on for the processing and dataretention
    periods.
  3. Data protection principles
    All personal data obtained and held by the Parish Council will:
    • be processed fairly, lawfully and in a transparent manner
    • be collected for specific, explicit, and legitimate purposes
    • be adequate, relevant and limited to what is necessary for the purposes of processing
    • be kept accurate and up to date. Every reasonable effort will be made to ensure that
    inaccurate data is rectified or erased without delay
    • not be kept for longer than is necessary for its given purpose
    • be processed in a manner that ensures appropriate security of personal data including
    protection against unauthorised or unlawful processing, accidental loss, destruction or
    damage by using appropriate technical or organisation measures
    • comply with the relevant GDPR procedures for international transferring of personal data.
    In addition, personal data will be processed in recognition of an individuals’ data protection rights, as
    follows:
    • the right to be informed
    • the right of access
    • the right for any inaccuracies to be corrected (rectification)
    • the right to have information deleted (erasure)
    • the right to restrict the processing of the data
    • the right to portability4
    • the right to object to the inclusion of any information
    • the right to regulate any automated decision-making and profiling of personaldata.
  4. Procedures
    The Parish Council has taken the following steps to protect the personal data of relevant individuals,
    which it holds or to which it has access:
    • It provides information to its employees on their data protection rights, how it uses their
    personal data, and how it protects it. The information includes the actions relevant individuals
    can take if they think that their data has been compromised in anyway.
    • It provides its employees with information and training to make them aware of the
    importance of protecting personal data, to teach them how to do this, and to understand how
    to treat information confidentially.
    • It can account for all personal data it holds, where it comes from, who it is shared with and
    also who it might be shared with
    • It carries out risk assessments as part of its reviewing activities to identify any vulnerabilities
    in its personal data handling and processing, and to take measures to reduce the risks of
    mishandling and potential breaches of data security. The procedure includes an assessment
    of the impact of both use and potential misuse of personal data in and by the Parish Council.
    • It recognises the importance of seeking individuals’ consent for obtaining, recording, using,
    sharing, storing and retaining their personal data, and regularly reviews its procedures for
    doing so, including the audit trails that are needed and are followed for all consent decisions.
    The Parish Council understands that consent must be freely given, specific, informed and
    unambiguous. The Parish Council will seek consent on a specific and individual basis where
    appropriate. Full information will be given regarding the activities about which consent is
    sought. Relevant individuals have the absolute and unimpeded right to withdraw that consent
    at any time.
    • It has the appropriate mechanisms for detecting, reporting and investigating suspected or
    actual personal data breaches, including security breaches. It is aware of its duty to report
    significant breaches that cause significant harm to the affected individuals to the Information
    Commissioner and is aware of the possible consequences.
    • It is aware of the implications international transfer of personal datainternationally.
  5. Access to data
    Relevant individuals have a right to be informed whether the Parish Council processes personal data
    relating to them and to access the data that the Parish Council holds about them. Requests for access
    to this data will be dealt with under the following summary guidelines:
    • A subject access request should be made to the Clerk to the Parish Council (the Clerk).
    • The Parish Council will not charge for the supply of data unless the request is manifestly
    unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be
    provided to parties other than the employee making the request.
    • The Parish Council will respond to a request without delay. Access to data will be provided, 5
    subject to legally permitted exemptions, within one month as a maximum. This may be
    extended by a further two months where requests are complex or numerous.
    Relevant individuals must inform the Parish Council immediately if they believe that the data is
    inaccurate, either as a result of a subject access request or otherwise. The Parish Council will take
    immediate steps to rectify the information.
    For further information on making a subject access request, employees should consult with the Clerk.
  6. Data disclosures
    The Parish Council may be required to disclose certain data/information to any person. The
    circumstances leading to such disclosures include:
    • any employee benefits operated by third parties
    • disabled individuals – whether any reasonable adjustments are required to assist them at
    work
    • individuals’ health data – to comply with health and safety or occupational health
    obligations towards the employee
    • for Statutory Sick Pay purposes
    • HR management and administration – to consider how an individual’s health affects his or
    her ability to do their job
    • the smooth operation of any employee insurance policies or pension plans.
    These kinds of disclosures will only be made when strictly necessary for the purpose.
  7. Data security
    The Parish Council adopts procedures designed to maintain the security of data when it is stored and
    transported. In addition, employees must:
    • ensure that all files or written information of a confidential nature are stored in a secure
    manner and are only accessed by people who have a need and a right to accessthem
    • ensure that all files or written information of a confidential nature are not left where they
    can be read by unauthorised people
    • check regularly on the accuracy of data being entered into computers
    • always use the passwords provided to access the computer system and not abuse them by
    passing them on to people who should not have them
    • use computer screen blanking to ensure that personal data is not left on screen when not
    in use.
    Personal data relating to employees should not be kept or transported on laptops, smart devices, or
    portable, external or other devices, unless authorised by the Clerk.
    Where personal data is recorded on any such device it should be protected by:6
    • Ensuring that data is recorded on such devices only where necessary.
    • Using an encrypted system — a folder should be created to store the files that need extra
    protection and all files created or moved to this folder should be automatically encrypted.
    • Ensuring that laptops, smart devices and external drives are not left unattended where they
    can be stolen.
    Failure to follow the Parish Council’s rules on data security may be dealt with via the Parish Council’s
    disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on
    the severity of the failure.
  8. International data transfers
    The Parish Council does not transfer personal data to any recipients outside the EEA.
  9. Breach notification
    Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be
    reported to the Information Commissioner within 72 hours of the Parish Council becoming aware of
    it and may be reported in more than one instalment.
    Individuals will be informed directly if the breach is likely to result in a high risk to the rights and
    freedoms of that individual.
    If the breach is sufficient to warrant notification to the public, the Parish Council will do so without
    undue delay.
  10. Training
    New employees must read and understand the policies on data protection as part of their induction.
    All employees receive training covering basic information about confidentiality, data protection and
    the actions to take upon identifying a potential data breach.
    The nominated data controller/auditors/protection officers for the Parish Council are trained
    appropriately in their roles under the GDPR.
    All employees who need to use the computer system are trained to protect individuals’ private data,
    to ensure data security, and to understand the consequences to them as individuals and the Parish
    Council of any potential lapses and breaches of the Parish Council’s policies and procedures.
  11. Records
    The Parish Council keeps records of its processing activities including the purpose for the processing
    and retention periods in its HR Data Record. These records will be kept up to date so that they
    reflect current processing activities.
  12. Data Protection Officer
    Councils are exempt from the requirement to appoint a Data Protection Officer.
  13. Data protection compliance
    The Clerk is the Parish Council’s appointed compliance officer in respect of its data protection
    activities. The Clerk can be contacted at email bandf.pc@outlook.com

CODE OF CONDUCT

Downloadd PDF

Bressingham and Fersfield Parish Council

Members’ Code of Conduct

  1. You are a member or co-opted member of Bressingham and Fersfield
    Parish Council and hence you shall have regard to the following
    principles:
    i. selflessness,
    ii. integrity,
    iii. objectivity,
    iv. accountability,
    v. openness,
    vi. honesty, and
    vii. leadership.
  2. Accordingly, when acting in your capacity as a member or co-opted member:
    2.1. You must act solely in the public interest and should never improperly confer an advantage or disadvantage on any person or act to gain financial or other material benefits for yourself, your family, a friend or close associate.
    2.2. You must not place yourself under a financial or other obligation to outside individuals or organisations that might seek to influence you in the performance of your official duties.
    2.3. When carrying out your public duties you must make all choices, such as making public appointments, awarding contracts or recommending individuals for rewards or benefits, on merit.
    2.4. You are accountable for your decisions to the public and you must co-operate fully with whatever scrutiny is appropriate to your office.
    2.5. You must be as open as possible about your decisions and actions and the decisions and actions of your authority and should be prepared to give reasons for those decisions and actions.
    2.6. You must declare any private interests, both pecuniary and non-pecuniary, that relate to your public duties and must take steps to resolve any conflicts arising in a way that protects the public interest, including registering and declaring interests in a manner conforming with the procedures set out in paragraph 3 below.
    2.7. You must, when using or authorising the use by others of the resources of your authority, ensure that such resources are not used improperly for political purposes (including party political purposes) and you must have regard to any applicable Local
    Authority Code of Publicity made under the Local Government Act 1986.2.8. You must promote and support high standards of conduct when serving in your public post, in particular as characterised by the above requirements, by leadership and example. Registering and declaring pecuniary and non-pecuniary interests
    3.1. You must, within 28 days of taking office as a member or co-opted member, notify your authority’s monitoring officer of any disclosable pecuniary interest as defined by regulations made by the Secretary of State, where the pecuniary interest is yours, your spouse’s or civil partner’s, or is the pecuniary interest of somebody with whom you are living with as a husband or wife, or as if you were civil partners.
    3.2. In addition, you must, within 28 days of taking office as a member or co-opted member, notify your authority’s monitoring officer of any disclosable pecuniary or non-pecuniary interest which your authority has decided should be included in the register.
    3.3. If an interest has not been entered onto the authority’s register, then the member must disclose the interest to any meeting of the authority at which they are present, where they have a disclosable interest in any matter being considered and where the matter is not a sensitive interest.
    3.4. Following any disclosure of an interest not on the authority’s register or the subject of pending notification, you must notify the monitoring officer of the interest within 28 days beginning with the date of disclosure.
    3.5. Unless dispensation has been granted, you may not participate in any discussion of, vote on, or discharge any function related to any matter in which you have a pecuniary interest as defined by regulations made by the Secretary of State. Additionally, your must observe the restrictions your authority places on your involvement in matters where you have a pecuniary or non pecuniary interest as defined by your authority.
    3.6. A sensitive interest is described in the Localism Act 2011 as a member or co-opted member of an authority having an interest, and the nature of the interest being such that the member or co-opted member, and the authority’s monitoring officer, consider that disclosure of the details of the interest could lead to the member or co-opted member, or a person connected with the member or co-opted member, being subject to violence or intimidation.

GDPR PRIVACY NOTICE

Download PDF


Bressingham and Fersfield Parish Council
PRIVACY NOTICE FOR PARISH COUNCILLORS AND ROLE HOLDERS*

Version Control

ReviewedDateActionsStatus
1st October 2020 2020.01 New document Draft
ReviewedDateActionsStatus

Contents

  1. Personal data
  2. Who we are
  3. Who we work with
  4. How we use personal data
  5. The legal basis for processing your personal data
  6. Sharing your personal data
  7. How long do we keep your personal data?
  8. Your rights and responsibilities and your personal data
  9. Transfer of Data Abroad
  10. Further processing
  11. Changes to this notice
  12. Contact Information

*Includes, Clerk to the Parish Council, volunteers, contractors, agents, and other role holders within the Parish
Council including former staff and former councillors. This also includes applicants or candidates for any of these
roles.

  1. Personal data.
    The processing of personal data is governed by legislation relating to personal data which applies in
    the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other
    legislation relating to personal data and rights such as the Human Rights Act.
    “Personal data” is any information about a living individual which allows them to be identified from
    that data e.g. a name, photographs, videos, email address, or address.
    Identification can be directly using the data itself or by combining it with other information which
    helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than
    names but if you use a separate list of the ID numbers which give the corresponding names to identify
    the staff in the first list then the first list will also be treated as personal data).
  2. Who we are.
    This Privacy Notice is provided to you by Bressingham and Fersfield Parish Council (the Parish Council).
    Website: https://bressinghamandfersfield.org
    Address: Bressingham and Fersfield Parish Council, c/o The Clerk to the Parish Council.
    Email: bandf.pc@outlook.com
    The Parish Council complies with Data Protection Law.
    We are a “data controller”
    2
    for the data that we process about you.
    We will always take account of your interests and rights if we process your data.
  3. Who we work with.
    The Parish Council works with:
    • Local authorities, public authorities, central government and agencies such as HMRC and
    DVLA.
    • Former and prospective employers.
    • DBS services suppliers.
    • Payroll services providers.
    • Recruitment Agencies.
    • Credit reference agencies.
    We may need to share personal data we hold with them so that they can carry out their responsibilities
    to the Parish Council and our community.
    The organisations referred to above will sometimes be “joint data controllers”. This means we are all
    responsible to you for how we process your data where for example two or more data controllers are
    working together for a joint purpose.
    If there is no joint purpose, or collaboration, then the data controllers will be independent and will be
    individually responsible to you.
    2 Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with
    others, determines the purposes and means of the processing of personal data.3
  4. How we use personal data.
    This Privacy Notice sets out your rights and the Parish Council’s obligations to you.
  5. Data Protection Law says that the personal data we hold about you must be:
    • Used lawfully, fairly and in a transparent way.
    • Collected only for valid purposes that we have clearly explained to you and not used in any
    way that is incompatible with those purposes.
    • Relevant to the purposes we have told you about and limited only to those purposes.
    • Accurate and kept up to date.
    • Kept only for as long as is necessary for the purposes we have told you about.
    • Kept and destroyed securely, including ensuring that appropriate technical and security
    measures are in place to protect your personal data to protect personal data from loss,
    misuse, unauthorised access and disclosure.
  6. What data do we process?
    We need the categories of personal data in the following list primarily to allow us to perform our
    contract with you and to enable us to comply with legal obligations. We only hold the data about
    you from categories in the list that are relevant to our contract with you, your role with us and/or
    our legal obligations.
    • Names, titles, and aliases, photographs.
    • Start date / leaving date
    • Contact details such as telephone numbers, addresses, and email addresses.
    • Where they are relevant to our legal obligations, or where you provide them to us, we may
    process information such as gender, age, date of birth, marital status, nationality,
    education/work history, academic/professional qualifications, employment details, hobbies,
    family composition, and dependents.
    • Non-financial identifiers such as passport numbers, driving licence numbers, vehicle
    registration numbers, taxpayer identification numbers, staff identification numbers, tax
    reference codes, and national insurance numbers.
    • Financial identifiers such as bank account numbers, payment card numbers,
    payment/transaction identifiers, policy numbers, and claim numbers.
    • Financial information such as National Insurance number, pay and pay records, tax code, tax
    and benefits contributions, expenses claimed.
    • Other operational personal data created, obtained, or otherwise processed in the course of
    carrying out our activities, including but not limited to, CCTV footage, recordings of telephone
    conversations, IP addresses and website visit histories, logs of visitors, and logs of accidents,
    injuries and insurance claims.4
    • Next of kin and emergency contact information
    • Recruitment information (including copies of right to work documentation, references and
    other information included in a CV or cover letter or as part of the application process and
    referral source (e.g. agency, staff referral))
    • Location of employment or workplace.
    • Other staff data (not covered above) including level, performance management information,
    languages and proficiency; licences/certificates, immigration status; employment status;
    information for disciplinary and grievance proceedings; and personal biographies.
    • CCTV footage and other information obtained through electronic means.
    • Information about your use of our information.
  7. How we use your personal data.
    We will only use your personal data when the law allows us to. Most commonly, we will use your
    personal data in the following circumstances:
    • Where we need to perform the contract that we have entered into with you.
    • Where we need to comply with a legal obligation.
    We may also use your personal data for other reasons, which include, where relevant:
    • Making a decision about your recruitment or appointment.
    • Determining the terms on which you work for us.
    • Checking you are legally entitled to work in the UK.
    • Paying you and, if you are an employee, deducting tax and National Insurancecontributions.
    • Providing any contractual benefits to you
    • Liaising with your pension provider.
    • Administering the contract we have entered into with you.
    • Management and planning, including accounting and auditing.
    • Conducting performance reviews, managing performance and determining
    performance requirements.
    • Making decisions about salary reviews and compensation.
    • Assessing qualifications for a particular job or task.
    • Conducting grievance or disciplinary proceedings.
    • Making decisions about your continued employment or engagement.
    • Making arrangements for the termination of our working relationship.5
    • Education, training and developmentrequirements.
    • Dealing with legal disputes involving you, including accidents at work.
    • Ascertaining your fitness to work.
    • Managing sickness absence.
    • Complying with health and safety obligations.
    • To prevent fraud.
    • To monitor your use of our information and communication systems to ensure
    compliance with our IT policies.
    • To ensure network and information security, including preventing unauthorised access to
    our computer and electronic communications systems and preventing malicious software
    distribution.
    • To conduct data analytics studies to review and better understand employee
    retention and attrition rates.
    • Equal opportunities monitoring.
    • To undertake activity consistent with our statutory functions and powers including any
    delegated functions.
    • To maintain our own accounts and records.
    • To seek your views or comments.
    • To process a job application.
    • To administer Councillors’ interests.
    • To provide a reference.
    Our processing may also include the use of CCTV systems for monitoring purposes.
    Some of the above grounds for processing will overlap and there may be several grounds which justify
    our use of your personal data.
    We may also use your personal data in the following situations, which are likely to be rare:
    • Where we need to protect your interests or someone else’sinterests.
    • Where it is needed in the public interest or for official purposes.
  8. Sensitive and Special Categories of Data
    The personal data we process may include sensitive or other special categories of personal data such as
    criminal convictions, racial or ethnic origin, mental and physical health, details of injuries, medication
    or treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data
    concerning and sexual life or orientation.
    These types of data are described in the GDPR as “Special categories of data” and require higher levels6
    of protection. We need to have further justification for collecting, storing and using this type of
    personal data.
    We may process special categories of personal data in the following circumstances:
    • In limited circumstances, with your explicit written consent.
    • Where we need to carry out our legal obligations.
    • Where it is needed in the public interest.
    Including, as appropriate:
    • information about your physical or mental health or condition to take decisions on your fitness
    to take part in activities that we may offer you.
    • your racial or ethnic origin or religious or similar information, to monitor compliance with
    equal opportunities legislation.
    • To comply with legal requirements and obligations to third parties.
    Less commonly, we may process this type of personal data where it is needed in relation to legal
    claims or where it is needed to protect your interests (or someone else’s interests) and you are not
    capable of giving your consent, or where you have already made the information public.
    Your consent to process your sensitive personal data
    We do not need your consent if we use your sensitive personal data in accordance with our rights and
    obligations in the field of employment and social security law.
    In limited circumstances, we may approach you for your written consent to allow us to process
    certain sensitive personal data. If we do so, we will provide you with full details of the personal data
    that we would like and the reason we need it, so that you can carefully consider whether you wish to
    consent.
    You should be aware that it is not a condition of your contract with us that you agree to any request
    for consent from us.
    Information about criminal convictions
    We may only use personal data relating to criminal convictions where the law allows us to do so. This
    will usually be where such processing is necessary to carry out our obligations and provided we do so
    in line with our data protection policy.
    Less commonly, we may use personal data relating to criminal convictions where it is necessary in
    relation to legal claims, where it is necessary to protect your interests (or someone else’s interests)
    and you are not capable of giving your consent, or where you have already made the information
    public.
    We will only collect personal data about criminal convictions if it is appropriate given the nature of
    the role and where we are legally able to do so. Where appropriate, we will collect personal data about
    criminal convictions as part of the recruitment process or we may be notified of such personal data
    directly by you in the course of you working for us.
  9. The legal basis for processing your personal data.
    Some of our processing is necessary for compliance with a legal obligation.
    We may also process data if it is necessary for the performance of a contract with you, or to take 7
    steps to enter a contract.
    We will also process your data to assist you in fulfilling your role in the Parish Council including
    administrative support or if processing is necessary for compliance with a legal obligation.
  10. Sharing your personal data.
    This section provides information about the third parties with whom the Parish Council may share
    your personal data.
    These third parties have an obligation to put in place appropriate security measures and will be
    responsible to you directly for the way in which they process and protect your personal data.
    It is likely that we will need to share your data with some, or all, of the following but we will do so
    only where necessary:
    Your personal data will only be shared with third parties including other data controllers where it is
    necessary for the performance of the data controllers’ tasks or where you first give us your prior
    consent. It is likely that we will need to share your data with:
    • Our agents, suppliers and contractors. For example, we may ask a commercial provider to
    manage our HR/ payroll functions, or to maintain our database software;
    • Other persons or organisations operating within local community.
    • Other data controllers, such as local authorities, public authorities, central government and
    agencies such as HMRC and DVLA
    • Staff pension providers
    • Former and prospective employers
    • DBS services suppliers
    • Payroll services providers
    • Recruitment Agencies
    • Credit reference agencies
    • Professional advisors
    • Trade unions or employee representatives
  11. How long do we keep your personal data?
    In general, we keep data only for as long as we need it. This means that we will delete it when it is no
    longer needed.
    Exceptions:
    • We will keep some records permanently if we are legally required to do so.
    • We may keep some other records for an extended period. For example, it is currently best
    practice to keep financial records for a minimum period of 8 years to support HMRC audits or
    provide tax information.
    • We may have legal obligations to retain some data in connection with our statutory obligations
    as a public authority. 8
    • The Parish Council is permitted to retain data to defend or pursue claims. In some cases, the
    law imposes a time limit for such claims (for example 3 years for personal injury claims or 6
    years for contract claims). We will retain some personal data for this purpose for as long as we
    believe it is necessary to be able to defend or pursue a claim.
  12. Your rights and responsibilities and your personal data
    Your responsibilities
    It is important that the personal data we hold about you is accurate and current. You must keep us
    informed if your personal data changes during your working relationship with us and as stated in your
    contract of employment failure to do so will be considered grossmisconduct.
    You have the following rights with respect to your personal data.
    When exercising any of the rights listed below, we may need to verify your identity for your security
    before processing your request. In such cases we will need you to respond with proof of your identity
    before you can exercise these rights.
  13. The right to access personal data we hold on you.
    • At any point you can contact us to request the personal data we hold on you as well as why we
    have that personal data, who has access to the personal data and where we obtained the
    personal data from. Once we have received your request, we will respond within one month.
    • There are no fees or charges for the first request but additional requests for the same personal
    data or requests which are manifestly unfounded or excessive may be subject to an
    administrative fee.
  14. The right to correct and update the personal data we hold on you.
    • If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your
    data will be updated.
  15. The right to have your personal data erased.
    • If you feel that we should no longer be using your personal data or that we are unlawfully using
    your personal data, you can request that we erase the personal data we hold.
    • When we receive your request, we will confirm whether the personal data has been deleted or
    the reason why it cannot be deleted (for example because we need it for to comply with a legal
    obligation).
  16. The right to object to processing of your personal data or to restrict it to certain purposes
    only.
    • You have the right to request that we stop processing your personal data or ask us to restrict
    processing.
    • Upon receiving the request, we will contact you and let you know if we are able to comply or if
    we have a legal obligation to continue to process your data.
  17. The right to dataportability
    • You have the right to request that we transfer some of your data to another controller. We will
    comply with your request, where it is feasible to do so, within one month of receiving your
    request.9
    • The right to withdraw your consent to the processing at any time for any processing of data to
    which consent was obtained.
    • You can withdraw your consent easily by telephone, email, or by post (see Section 12 Contact
    Details).
  18. The right to lodge a complaint with the Information Commissioner’s Office.
    • You can contact the Information Commissioners Office on 0303 123 1113 or via email
    https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office,
    Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
  19. Transfer of Data Abroad
    Any personal data transferred to countries or territories outside the European Economic Area (“EEA”)
    will only be placed on systems complying with measures giving equivalent protection of personal
    rights either through international agreements or contracts approved by the European Union. Our
    website is also accessible from overseas so on occasion some personal data (for example in a
    newsletter) may be accessed from overseas.
  20. Further processing
    If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we
    will provide you with a new notice explaining this new use prior to commencing the processing and
    setting out the relevant purposes and processing conditions. Where and whenever necessary, we will
    seek your prior consent to the new processing.
  21. Changes to this notice
    This Privacy Notice is reviewed regularly. The current version is available on this website:
    https://bressinghamandfersfield.org/
  22. Contact Information
    Please contact us if you have any questions about this General Privacy Notice or the personal data we
    hold about you, or to exercise all relevant rights, or make queries or complaints at:
    Email: bandf.pc@outlook.co