South Petherton Parish Council
Data Protection Policy
Adopted and Approved at the Meeting of the Parish Council on Monday 2nd November 2015
1.1 The Data Protection Act 1998 came into effect on 1st March 2000. The Act regulates the use of personal data relating to living data subjects. The purpose of the Act is to regulate the way that personal information about living individuals (no matter how that information is held) is obtained, stored, used and disclosed. The legislation grants rights to individuals, to see data stored about them and to require modification if the data are incorrect, and, in certain cases, to compensation. These provisions amount to a right of privacy for the individual.
1.2 The Act requires that all processing of personal data must be notified to the Information Commissioner and that personal data must be kept and used in accordance with the provisions of the Act. South Petherton Parish Council is registered with the Information Commissioner under the Data Protection Act. The Council is required to notify to the Office of the Information Commissioner on a yearly basis. This notification is facilitated by the clerk and the notification details the main processing activities of the council.
1.3 The purpose of this Policy Statement is to formalise the position of the Parish Council and to state its commitment to maintaining the strictest level of confidentiality of personal data within its record system in accordance with the provisions of the Act.
2.1 The obligations contained in this policy apply equally to councillors and employees of the Parish Council.
2.2 The clerk to the parish council is the Data Controller appointed by the Parish Council and has the responsibility to administer the Parish Council’s day to day compliance with the Act. Overall responsibility to ensure the Data Protection Policy is understood and enforced remains with the Parish Council.
2.3 Disclosure of personal data within South Petherton Parish Council to councillors or officers will be on the basis of a need to know.
2.4 The Act applies to records held in a relevant filing system, which includes structured and, in the case of public bodies, unstructured files where personal data relating to an individual is readily accessible.
3.1 Personal Data is any data that relates to a living individual who can be identified from that data. This includes any expression of opinion about the individual and any indication of the intentions of the Parish Council in respect of the individual.
3.2 Processing, in relation to information or data, means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including retrieval or disclosure of that information or data.
3.3 Data Subject is an individual who is the subject of Personal data.
3.4 Sensitive Personal Data is defined in the Act by eight categories of information about the Data Subject relating to;
1) racial or ethnic origins
2) political opinions
3) religious or similar beliefs
4) membership of a trade union
5) physical or mental health
6) sexual life
7) the commission or alleged commission of any offence, or
8) any proceedings relating to any offence or alleged offence, the disposal of such proceedings or the sentence of any court in such proceedings.
3.5 Data Controller is a person who, either alone or jointly with others, determines the purposes for which, and the manner in which, personal data is, or will be, processed. The Data Controller for South Petherton Parish Council is the clerk.
3.6 Person relates to a legal person and thus includes a corporate body such as the Parish Council.
3.7 Information Commissioner’s Office (ICO) is the organisation responsible for administering and enforcing the Data Protection Act 1998 nationally.
3.8 The eight principles of data protection are as follows;
1) Personal data shall be processed fairly and lawfully, and in accordance with at least one of the conditions set out in Schedule 2 to the Act and, in the case of Sensitive Personal data, at least one of the conditions set out in Schedule 3 to the Act.
2) Personal data shall be obtained and held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
3) Personal data shall be relevant, adequate and not excessive in relation to the purpose(s) for which it is processed.
4) Personal data shall be accurate and up to date; any inaccuracies will be corrected without undue delay.
5) Personal data shall not be kept for longer than is necessary for the stated purposes.
6) Personal data shall be processed in accordance with the rights of Data Subjects under the Act.
7) Security precautions shall be put in place to prevent the loss, destruction or unauthorised disclosure of personal data. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal data and to prevent accidental loss or destruction of, or damage to, Personal data.
8) Personal data shall not be transferred to any country or territory outside of the European Economic Area, unless that country or territory has an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal data.
4. DATA PROTECTION POLICY
4.1 South Petherton Parish Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be deleted in accordance with the Retention and Destruction Policy of the Council. Every effort will be made to ensure that data is accurate and up to date, and that inaccuracies are corrected quickly.
4.2 South Petherton Parish Council will design IT and manual systems to comply with the eight principles of the Data Protection Act. The Council ensures that personal data is treated as confidential, ensuring that access to personal data can be restricted to identifiable system users.
4.3 South Petherton Parish Council is committed in its aim that all appropriate staff will be properly trained, fully informed of their obligations under the Act, and made aware of their personal liabilities. The Council expects all of its staff and members to comply fully with this Policy and the Data Protection Principles.
4.4 It is the duty of the clerk as Data Controller to comply with the data protection principles and to ensure individuals are informed if their personal data is to be processed by way of a fair processing notice, unless an exemption applies.
4.5 The Council must fulfil a request for access to personal data within 40 calendar days. It is currently the policy of South Petherton Parish Council not to make a financial charge for this service.
4.6 South Petherton Parish Council will provide any individual who makes a written request for their personal data with;
- A reply stating whether or not we hold personal data about them.
- A copy of that information, in clear language, unless specific legal exemptions apply.
GDPR Privacy Notice
South Petherton Parish Council is committed to protecting your privacy when you use our services. The Privacy Notice below explains how we use information about you and how we protect your privacy.
If you have any concerns or questions about how we look after your personal information, please contact the Parish Clerk at email@example.com or by calling 07712 524347 and asking to speak to the Parish Clerk.
Why we use personal information
Do you know what personal information is?
Personal information can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details.
Did you know that some of your personal information might be ‘special’?
Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:
sexuality and sexual health; religious or philosophical beliefs; ethnicity; physical or mental health; trade union membership; political opinion; genetic/biometric data; criminal history.
Why do we need your personal information?
We may need to use some information about you to:
deliver services and support to you; manage those services we provide to you; train and manage the employment of our workers who deliver those services; help investigate any worries or complaints you have about your services; keep track of spending on services; check the quality of services; and to help with research and planning of new services.
How the law allows us to use your personal information
There are a number of legal reasons why we need to collect and use your personal information.
Each privacy notice from the menu on the left explains for each service which legal reason is being used. Generally we collect and use personal information where:
- you, or your legal representative, have given consent
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- you have made your information publicly available
- it is necessary for legal cases
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes
If we have consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact firstname.lastname@example.org and tell us which service you’re using so we can deal with your request.
We only use what we need!
Where we can, we’ll only collect and use personal information if we need it to deliver a service or meet a requirement.
If we don’t need personal information we’ll either keep you anonymous if we already have it for something else or we won’t ask you for it. For example, in a survey we may not need your contact details; we’ll only collect your survey responses.
If we use your personal information for research and analysis, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal information can be used for that research.
We don’t sell your personal information to anyone else.
Who do we share your information with?
We may share your personal information across the Council and with other partner organisations, where this is necessary, e.g. to provide a service. We will never share your personal information with a third party unless we have a lawful reason to do so. We sometimes share your information when we feel there’s a good reason that’s more important than protecting your privacy. This doesn’t happen often but we may share your information:
in order to find and stop crime and fraud; or if there are serious risks to the public, our staff or to other professionals; to protect a child; or to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.
We’ll often complete a privacy impact assessment (PIA) before we share personal information to make sure we protect your privacy and comply with the law.
Where your information is shared, we’ll make sure that we record what information we share and our reasons for doing so. We’ll let you know what we’ve done and why if we think it is safe to do so, unless we are not required to do so. For example if a person is under investigation for fraud, letting them know that an investigation is taking place may disrupt the investigation so we would not need to tell them.
Will I be contacted for marketing purposes?
We do not make your personal details available to third parties for marketing purposes and South Petherton Parish Council will only send you marketing emails and otherwise contact you for marketing purposes if you sign up to a mailing list, for example, to the Octagon Theatre so you could be kept informed of forthcoming shows, or otherwise asked to be kept informed.
If you wish to have your name removed from a mailing list or have any questions please contact email@example.com.
National Fraud Initiative
The Local Authorities and the Registered Providers are under a duty to protect the public funds they administer, and to this end may use the information you have provided on this form for the prevention and detection of fraud. They may also share this information with other bodies responsible for auditing or administering public funds for these purposes.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The partner Local Authorities and the Registered Providers participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud and are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.
What you can do with your information
The law gives you a number of rights to control what personal information is used by us and how it is used by us.
You can ask for access to the information we hold on you
You have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you in writing, we must give you access to everything we’ve recorded about you.
However, we can’t let you see any parts of your record which contain:
confidential information about other people; or data a professional thinks will cause serious harm to you or someone else’s physical or mental wellbeing; or if we think that giving you the information may stop us or another organisation from preventing or detecting a crime.
This applies to personal information that is in both paper and electronic records. If you ask us, we’ll also let others see your record (except if one of the points above applies).
You can ask to change information you think is inaccurate
You should let us know if you disagree with something written on your file.
We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
You can ask to delete information (right to be forgotten)
In some circumstances you can ask for your personal information to be deleted, for example:
where your personal data is no longer needed for the reasons why it was collected in the first place; where you have removed your consent for us to use your information (where there is no other legal reason for us to use it); where there is no legal reason for the use of your information; where deleting the information is a legal requirement.
Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for deletion.
Please note that we can’t delete your information where:
we’re required to have it by law; it is used for freedom of expression; it is used for public health purposes; it is for scientific or historical research, or statistical purposes where it would make information unusable; or it is necessary for legal claims.
You can ask to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:
you have identified inaccurate information, and have told us of it; where we have no legal reason to use that information but you want us to restrict what we use it for rather than delete the information altogether.
When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any Homefinder Somerset service. However, if this request is approved this may cause delays or prevent us delivering that service.
Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.
You can ask to have your information moved to another provider (data portability)
You have the right to ask for your personal data to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However, this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.
It is likely that data portability won’t apply to most of the services you receive from the council.
You can ask to have any computer made decisions explained to you, and details of how we may have ‘risk profiled’ you
You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.
You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.
If and when the Homefinder Somerset Partnership uses your personal information to profile you, in order to deliver the most appropriate services to you, you will be informed.
How do we protect your information?
We’ll do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’.
- Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours.
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).
Where in the world is your information?
The majority of personal information is stored on our systems in the UK. But there are some occasions where your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside of the EU.
We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.
We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.
If we need to send your information to an ‘unsafe’ location we’ll always seek advice from the Information Commissioner first.
How long do we keep your personal information?
There’s often a legal reason for keeping your personal information for a set period of time; we try to include all of these in our retention schedule.
For each service the schedule lists how long your information may be kept for. This ranges from months for some records to decades for more sensitive records.
Where can I get advice?
If you have any worries or questions about how your personal information is handled please contact firstname.lastname@example.org or by calling 07712 524347 and asking for the Parish Clerk.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Alternatively, visit ico.org.uk or email email@example.com.