Breckland District Council

Data Protection Act Policy

July 2014

Democratic Services

Document Control and History

Version Control
Issue No. / Author / Issue Date / Reasons for Issue
1 / Susan Allen / July 2014 / To up-date the current Policy
Approval of draft and final approval process
Issue No. / Approval Process / Name / Signature and Date

CONTENTS

Introduction

Scope – Policy Aim

Legislation or Executive Summary

Policy Consultation and Consideration

Policy Statement

Implementation

Management Control and Organisation

Monitoring

Related Policies and Strategies

Appendices

Introduction

Breckland District Council is committed to protecting the rights and privacy of all people with regard to the processing of personal data. During the course of our activities we will collect, store and process personal information about our staff, customers, suppliers and other third parties. We recognise the need to treat it in an appropriate and lawful manner and all processing will be conducted in accordance with the Data Protection Act 1998 and any subsequent amendments and everyone’s rights with regard to how their personal information is handled.

The Policy applies to all employees and members of Breckland District Council. Any breach of the Data Protection Act 1998 and any subsequent amendments of the Council’s Data Protection Policy will be taken seriously and may be considered to be a breach of the Members’ Code of Conduct or the staff disciplinary procedures. As a matter of good practice, other agencies and individuals working with the Council, who have access to personal information, will be expected to read and comply with this Policy.

This Policy is open to all internal and external stakeholders and is available to view on the Council’s website:

Scope – Policy Aim

The types of information that we may be required to handle include details of current, past and prospective employees, suppliers, residents and others that we communicate with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act 1998 and any subsequent amendments (the Act) and other regulations. The Act imposes restrictions on how we may use that information.

This Policy has been approved by Breckland District Council. It sets out the rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.

This Policy does not form part of any employee’s contract of employment and may be amended at any time.

If you consider that the Policy has not been followed in respect of personal data about yourself or others you should raise the matter with your line manager or the Monitoring Officer. The Monitoring Officer is: Vicky Thomson, Assistant Director – Democratic Services, e-mail:.

Any questions or concerns about the operation of this Policy should be referred to the Monitoring Officer or the Legal Services Coordinator.

Legislation or Executive Summary

The Data Protection Act 1998 and any subsequent amendments (referred to elsewhere in this policy as ‘the Act’) regulates the way in which personal information about individuals is obtained, stored, used and disclosed. Individuals have the right to see the data stored about them, to require modifications of the data if it is wrong and in certain cases, to compensation. It applies to data held on computer or in a manual filing system. The Act provides conditions for the processing of any personal data and makes a distinction between personal data and ‘sensitive’ personal data (see Glossary of Terms).

Policy Consultation and Consideration

Corporate Management Team; Portfolio Holder; and Cabinet.

Policy Statement

1.1 Definition of Data Protection Terms

Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.

Data Subject for the purpose of this Policy includes all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).

Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. Breckland Council is the data controller of all personal data used in our business.

Data users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

Data processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

Sensitive personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, and will usually require the express consent of the person concerned.

1.2 Data Protection Principles

The aim of this policy is to ensure that Breckland District Council complies with the eight enforceable principles of good practice when processing personal data. These provide that personal data must be:

  • Processed fairly and lawfully;
  • Processed for limited purposes and in an appropriate way;
  • Adequate, relevant and not excessive for the purpose;
  • Accurate;
  • Not kept longer than necessary for the purpose;
  • Processed in line with data subjects’ rights;
  • Secure; and
  • Not transferred to people or organisations situated in countries without adequate protection.

1.3 Fair and Lawful Processing

The Act is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case Breckland District Council), who the data controller's representative is (in this case the Monitoring Officer), the purpose for which the data is to be processed, and the identities of anyone to whom the data may be disclosed or transferred.

For personal data to be processed lawfully, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, more than one condition must be met. In most cases the data subject's explicit consent to the processing of such data will be required.

Data about staff may be processed for legal, personnel, administrative and management purposes and to enable the data controller to meet its legal obligations as an employer, for example to pay staff, monitor their performance and to confer benefits in connection with their employment.

Examples of when sensitive personal data of staff is likely to be processed are set out below:

  • Information about an employee's physical or mental health or condition in order to monitor sick leave and take decisions as to the employee's fitness for work;
  • The employee's racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
  • In order to comply with legal requirements and obligations to third parties.

1.4 Processing for limited purposes

Personal data will only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Act. This means that personal data will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject will be informed of the new purpose before any processing occurs.

1.5 Adequate, Relevant and Non-Excessive Processing

Personal data will only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose will not be collected in the first place.

1.6 Accurate Data

Personal data will be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed.

1.7 Data Retention

Personal data will not be kept longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required.

1.8 Processing in line with Data Subject’s Rights

Data will be processed in line with data subjects’ rights. Data subjects have a right to:

  • Request access to any data held about them by a data controller;
  • Prevent the processing of their data for direct-marketing purposes;
  • Ask to have inaccurate data amended;
  • Prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else; and
  • Object to any decision that significantly affects them being taken solely by a computer or other automated process.

1.9 Data Security

We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

The Act requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.

Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:

  • Confidentiality means that only people who are authorised to use the data can access it.
  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.

Security procedures include:

  • Entry controls. Any stranger seen in entry-controlled areas should be reported.
  • Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal. Paper documents should be shredded. Floppy disks, memory sticks and CD-ROMs should be physically destroyed when they are no longer required.
  • Equipment. Data users should ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

2.0 Subject Access Requests

A formal request from a data subject for information that the Council holds about them must be made in writing. A £10.00 fee is payable by the data subject for provision of this information. Any member of staff who receives a written request should forward it to the Democratic Services Officer immediately.

2.1 Providing Information to Third Parties

Any member of staff dealing with enquiries from third parties should be careful about disclosing any personal information held by us. In particular they should:

  • Check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested.
  • Suggest that the third party put their requirement in writing so the third party’s identity and entitlement to the information may be verified.

3.0 Implementation

Responsibilities under the Data Protection Act

Overall responsibility for compliance with the Act lies with the Monitoring Officer in conjunction with the Legal Services Coordinator. The Monitoring Officer will:

  • Assess the understanding of the obligations of Breckland Council under the Act;
  • Be aware of the authority’s current compliance status;
  • Identify and monitor problem areas and risks, and recommend solutions;
  • Promote clear and effective procedures and offer guidance to staff on data protection;
  • Develop best practice guidelines; and
  • Carry out compliance checks to ensure adherence with the Act throughout the authority.

Day to day responsibility for compliance with this Policy is delegated to the Council’s Corporate Management Team (CMT). CMT will ensure that the Legal Services Coordinator is informed of all computer and manual systems within the respective service areas that contain personal data.

The administration, day-to-day matters and the registration of systems and Subject Access Requests is delegated to the Legal Services Coordinator in conjunction with the Democratic Services Officer.

All staff are responsible for ensuring that:

  • All personal data they hold, whether electronically or manually, is kept secure; and
  • Personal information is not disclosed deliberately or accidentally either electronically, orally or in writing to any unauthorised third party.

Members can be regarded as Data Controllers in their own right if they process personal data either manually or by computer, whether on their own equipment or on equipment provided to them by the Council. In this case, members must notify the Information Commissioner of all purposes for which they hold and process personal data.

Where holding and processing personal data about individuals in the course of undertaking Council business, the member will be covered by Breckland District Council’s Notification, and have the same responsibilities in respect of data protection as an employee of the authority.

4.0 Management Control and Organisation

Breckland District Council will provide suitable management and control arrangements for all elements covered by the Data Protection Act 1998. The Monitoring Officer, the Legal Services Coordinator and the Member Services Team will play a part in the Council's arrangements for dealing with aspects of the Act. The Council will seek legal advice if and when required.

5.0 Monitoring

This policy will be reviewed every two years to ensure it is achieving its stated objectives. A review may be required earlier if legislation changes require the Policy to be updated.

6.0 Related Policies and Strategies

Freedom of Information Policy and Data Subject Access Request Form

7.0 Appendices

None.
