Ewyas Harold Group Parish Council is fully committed to compliance with the requirements of the Data Protection Act 1998 (“the Act”), which came into force on the 1st March 2000.
The council will therefore follow procedures that aim to ensure that all employees, elected members, contractors, agents, consultants, partners or other servants of the council who have access to any personal data held by or on behalf of the council, are fully aware of and abide by their duties and responsibilities under the Act.
Statement of policy
In order to operate efficiently, the Parish Council has to collect and use information about people with whom it works. These may include members of the public, current, past and prospective employees, clients and customers, and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of central government. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.
The Parish Council regards the lawful and correct treatment of personal information as very important to its successful operations and to maintaining confidence between the council and those with whom it carries out business. The council will ensure that it treats personal information lawfully and correctly. To this end the council fully endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 1998.
What does the Act cover?
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.
Personal data is defined as data relating to a living individual who can be identified from:
- That data;
- That data and other information which is in the possession of, or is likely to come into the
possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
- Racial or ethnic origin;
- Political opinion;
- Religious or other beliefs;
- Trade union membership;
- Physical or mental health or condition;
- Sexual life;
- Criminal proceedings or convictions.
The Act gives individuals (data subjects) certain rights. It also requires those who record and use personal information (data controllers) to be open about their use of that information and to follow sound and proper practices (the Data Protection Principles). Data controllers are those who control the purpose for which and the manner in which personal data is processed. Data subjects are the individuals to whom the personal data relate.
The principles of data protection
The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.
The Principles require that personal information:
- Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met; Information should be ‘fairly processed’ i.e. when you collect the information from individuals you should be honest and open about why you want it.
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes; You must have a legitimate reason for processing the data. You should explain (in most cases in writing): who you (the data controller) are – giving the name of your Council; what you intend to use the information for and to whom you intend to give the personal data. This may be a specific third party, or a may be a more general description such as “other Councils’ etc
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed; Data users should monitor the quantities of data held and ensure that they hold neither too much nor too little. Hold only the data which you actually need.
- Shall be accurate and where necessary, kept up to date; Personal data should be accurate. If it is not, it must be corrected.
- Shall not be kept for longer than is necessary for that purpose or those purposes; Only in exceptional circumstances should data be kept indefinitely. In order to comply with the principle you should have a system for the removal of different categories of data from your system after certain periods, for instance, when the information is no longer required for audit purposes
- Shall be processed in accordance with the rights of data subjects under the Act; This means that individuals must be informed, upon request, of all the information held about them.
- Shall be kept secure i.e. protected by an appropriate degree of security; Data controllers should ensure that they provide adequate security for the data taking into account the nature of the data, and the harm to the data subject which could arise from disclosure or loss of the data. A system of passwords should be in use to ensure that only staff who are authorised can gain access to personal data. Passwords should be changed fairly frequently.
- Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
Handling of personal/sensitive information
The Parish Council will, through appropriate management and the use of criteria and controls:-
- Observe fully conditions regarding the fair collection and use of personal information;
- Meet its legal obligations to specify the purpose for which information is used;
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
- Ensure the quality of information used;
- Apply checks to determine the length of time information is held;
- Take appropriate measures to safeguard personal information;
- Councillors from time to time receive personal data for the purpose of usual parish council business and should ensure that the data they receive is managed appropriately and in line with these criteria and controls. They are aware that there may be circumstances when a request is made and relevant information may be held on their personal computer and in these instances, councillors agree to provide this information in order for the request to be dealt with.
- Ensure that the rights of people about whom the information is held can be fully exercised under the Act.
- The right to be informed that processing is being undertaken;
- The right of access to one’s personal information within the statutory 40 days;
- The right to correct, rectify, block or erase information regarded as wrong information.
The Clerk of Ewyas Harold Group Parish Council is responsible for ensuring adherence with the Data Protection Act.
Dealing with subject access requests
If we receive a written subject access request, we must deal with it promptly, and in any case within 40 days from the date of receipt. If we need further information, the 40 days will begin when we receive this further information. We are entitled, if we wish, to ask for a fee of not more than £10 and the 40 days does not begin until this is received.
In response to a subject access request individuals are entitled to a copy of the information held about them, both on computer and as part of a relevant filing system. They also have the right to receive a description of why their information is processed, anyone it may be disclosed to, and any information available about the source of the data.
Notification to the Information Commissioner
The Information Commissioner is responsible for administering and enforcing the Data Protection Act and maintains a public register of data controllers. The Parish Council is registered as such.
The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis.
The Information Officer will review the Data Protection Register annually, prior to notification to the Information Commissioner.
Any changes to the register must be notified to the Information Commissioner, within 28 days.
To this end, any changes made between reviews will be brought to the attention of the Information Officer immediately.
Adopted at the parish council meeting on 14th June 2016