philip-edwards-west-harptree
WHPC 1
310-ProspectStyleRamblers-07-2022-2048x1333

Data Protection Policy

The data protection policy details how the council manages and protects personal data. The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and legal duties in accordance with data protection law.

Legal Duties

The Parish Council is registered with the Information Commissioner’s Office and recognises its responsibility to comply with the Data Protection Act 1998 and the UK General Data Protection Regulation (UK GDPR).

The UK General Data Protection Regulation sits alongside the Data Protection Act 1998. The Act applies to ‘personal data’ which is data relating to a living person who can be identified from that data. ‘Processing data’ means any operation performed on that personal data such as collection, recording or use. The Parish Council does have data that relates to living individuals and does process data in order to perform its role.

This page explains to Councillors, staff and members of the public about the General Data Protection Regulation.

When dealing with personal data, The Parish Council staff and Councillors must ensure that:

  • Data is processed fairly and lawfully – Staff, Councillors and Volunteers will be open and honest about why information is required.
  • Data is processed for specific purposes only
  • Data is relevant to what it is needed for – Data will be monitored so that too much or too little is not kept; only data that is needed will be held.
  • Data is accurate and kept up to date – Only accurate personal data will be kept. Inaccurate data will be corrected.
  • Data is not kept longer than it is needed
  • It is processed in accordance with the rights of individuals – Individuals will be informed, upon request, of all the information held about them.
  • It is kept securely – Data will be stored securely so it cannot be accessed by members of the public.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply to process personal data:

  • (a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
  • (b) Contract: the processing is necessary for a contract with the individual, or because they have asked you to take specific steps before entering into a contract.
  • (c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  • (d) Vital interests: the processing is necessary to protect someone’s life.
  • (e) Public task: the processing is necessary to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.)

For further guidance, see: https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/

Information Audit

The Parish Council may need to retain certain information to carry out its day-to-day operations, to meet its objectives and to comply with legal obligations. The type of information the Council holds tends to be limited to name, address, telephone number and email address. More detailed information is held for employees. In the normal course of business, the Parish Council will receive personal data in connection with the following council activities:

  • Administration of Parish Council Meetings
  • Administration of facilities for hire
  • Administration of employment matters
  • Managing Councillor membership
  • Receiving and dealing with correspondence
  • Contractual matters
  • Receiving and processing grant applications
  • Creating Volunteer lists for specific activities
  • Responding to contact made via the Parish Council social media or Parish Council website.
  • Processing PAYE reporting to HMRC

The Clerk may also be provided with a copy of the electoral roll with updates throughout the year. Data Protection associated with the electoral roll is predominately the responsibility of Bath and North East Somerset Council and the policies of B&NES regarding use of the electoral roll must be observed. The Clerk or members of the council may independently request access with BANES, but they are not permitted to view or share the document with other council members or a third party. The Clerk may share certain details from the electoral roll where permitted by B&NES policies for the purpose of electoral activities such as verifying residents’ status to vote at the parish meeting or providing election candidates with details required for election forms.

Services relating to children

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the Council requires consent from young people under 13, the Council will obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children age 13 plus, will be written in language that they will understand. At present, the council does not have any services that directly relate to children. The Council’s Social Media presence is set to only accept information from accounts where the account holder is over the age of 13 years.

Sensitive data

The Act requires ‘sensitive data’ to be treated differently. Categories of sensitive data includes racial or ethnic origins, political opinions, religious beliefs, health issues. The Parish Council does not collect such data.

Where the Council carries out future village-wide surveys, the responses should be anonymous and questions are not generally asked on a topic that is classified as sensitive.

Storage of data

All Council paper documents are stored in a secure location.

All computer records are stored on a password protected computer with anti-virus software and are not available for members of the public to access.

Once data is not needed anymore, if it is out of date or has served its purpose and falls outside the minimum retention time of the council’s retention policy, it will be destroyed or deleted from the computer.

How the data is used

Data will be used only for the purpose for which it has been supplied. Data will not be passed to a third party without the express consent of the data subject or where the Council is required to do so by law. The Council will not share or sell data.

If a Councillor needs to access information to help carry out their duties, they may only access as much information as is necessary for the particular task and it will be used only for that specific purpose. Information will not be released without the prior knowledge or consent of the Clerk. Data will never be used for political reasons unless the data subjects have consented.

Data Subject Rights

Anyone whose personal information is processed by the Parish Council has the right;

  • to know what information is held;
  • to know why the information is being held;
  • to know who has seen the information;
  • to know how to gain access to this information;
  • to know how it is kept up to date;
  • to know what is being done to comply with the GDPR;
  • to access certain personal data being kept about them;
  • to prevent processing of their personal information in some circumstances; and
  • to correct, rectify or erase personal information that is wrong.

Anyone wishing to know more about personal information held by the Parish Council, or to a request to correct, rectify or erase personal information that is wrong, should contact the Clerk by email. The Parish Council will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within one calendar month of receiving the written request.

A link for contact details for the Clerk are published in the footer of this website page.

Data eradication request

Individuals have a right to have their personal data erased (sometime known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.

If a request is received to delete information, then the Council’s Clerk will respond to this request within one month. The Clerk has the delegated authority from the Council to delete information.

If a request is considered to be manifestly unfounded then it may be refused, or a charge may apply. The charge will be as detailed in the Council’s Publication Scheme. The Parish Council will be informed of such requests.

Data Protection Officer

The Clerk will perform the tasks required of a Data Protection Office. The GDPR does not define a parish council as a public authority therefore does not require it to appoint a Data Protection Officer.

Data breaches

If a data breach is identified an investigation will be conducted by the Clerk. Personal data breaches that are identified by the Council or referred to it will be reported to the Clerk for investigation. The Clerk will conduct an investigation with the support of the Parish Council. Investigations will be undertaken within one month of the report of a breach.

The ICO will be advised of a breach (within 72 hours or 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the Clerk will also notify those concerned directly.

Procedures will be put in place by the Clerk to detect, report and investigate a personal data breach.

The Clerk may consider further action including:

  1. Isolate any affected computer or IT equipment
  2. Inform other Councillors
  3. Inform affected parties
  4. Seek external help to analyse the breach
  5. Report to the council, and decide on any necessary actions or policy reviews.

Further information: https://ico.org.uk/for-organisations/gdpr-resources/pdb/

Confidentiality

When complaints or queries are made, they must remain confidential unless the subject gives permission otherwise. When handling personal data, this must also remain confidential.

Policy adoption and Review

Policies will be reviewed annually or when further advice is issued or a need arises.

All Councillors, employees and volunteers are expected to comply with the policies set by the Parish Council to protect privacy, confidentiality and the interests of the Council.

Contact Details

A link to the contact details for the Clerk are published in the footer of this website page.


Revision Notes

May 2023 – v2

  • Additional information regarding lawful basis to process information
  • Updates to sharing of data internally, including access to the electoral roll.
  • Additional information added regarding sensitive data and services relating to children
  • Updates to data breach procedures
  • Posted: 5th May 2023
  • Adopted: 8th January 2019
  • Version: 2
  • Reviewed: 2023‑05
  • Next review: 2024-05