Somerset County Council

Somerset County Council

Policy document

Data Protection

March 2011

For further information contact the Information Governance Team

Email:

Jon Bazley

Information Governance Team

Client Services Team

Resources Directorate

County Hall

Taunton

Somerset

TA1 4DY

Tel: 01823-357194

Email:

Contents

1. Policy statement

2. Scope

3. Observing the Act

4. Related policies

5. Definition of terms used

6. Equalities statement

7. Information Governance Team: responsibilities and how to contact us

1.  Policy statement

1.1.  The aim of this policy document is to enable all staff to understand the legislation around the Data Protection Act 1998 (DPA), and to observe it while on Council duty.

1.2.  In order to work effectively Somerset County Council (SCC) needs to collect and use personal information about customers, staff and other people with whom it works. SCC directs that such information must be handled correctly according to the 8 DPA principles in whatever format it is held, and that it will be processed in accordance with the law and its policies.

1.3.  SCC is committed to meeting its obligations as a data controller under the DPA by ensuring proper procedures for the use of personal data.

1.4.  SCC will safeguard the rights of individuals in respect to their privacy and the use of their personal data by organisations

2.  Scope

2.1.  This policy applies to:

·  All SCC staff

·  All elected members acting in their capacity as Members of the Council

·  All SCC staff, including SCC secondees into SWOne

2.2.  The policy will also apply to information processed by contractors who provide services on behalf of SCC.

2.3.  The policy will also be a reference point for any data sharing agreements or contracts with external agencies.

2.4.  This policy applies to all transactions using any kind of Authority controlled personal information for any purpose. This includes the maintenance or support access; and, where personal content remains, generation and use of any analysis of the data (either alone or mixed with other data) any metadata or other related information in any format on any media; this includes voice, images, magnetic, optical, electronic and paper media, fiche, and all legacy and newly created information and knowledge derived from it.

3.  Observing the Act

3.1.  SCC will ensure that all staff comply with the 8 Data Protection principles of good information handling, when processing personal data; processing includes collecting, storing, handling, sharing, disclosing and destroying data.

3.2.  By maintaining legal compliance with the DPA through the standards found in the 8 principles, SCC will ensure that all personal data is:

·  Processed fairly and lawfully

·  Processed for specified and lawful purposes

·  Adequate, relevant and not excessive

·  Accurate, and where necessary kept up to date

·  Not kept longer than is necessary

·  Processed in accordance with the rights of the data subject

·  Kept secure

·  Transferred only to countries with adequate security

3.3.  When sharing data with partner organisations, SCC will ensure that appropriate and robust information sharing agreements are developed agreed and signed off by all parties; see 4.3.7 below.

3.4.  When transferring SCC personal data abroad, all appropriate security measures will be followed, as set out in 4.3.1 and 4.3.2.

3.5.  SCC will promote and provide secure email routes for staff when sending personal sensitive data, for example, Securesend, CJSM and GCSx.

3.6.  In conjunction with SWOne, SCC will develop its IT infrastructure in line with GovConnect standards.

3.7.  SCC will promote and use the new Government Protective Marking Scheme to protect all personal data processed by SCC.

4.  Related policies

4.1.  This policy and guidance is intended to work alongside several other key documents, either belonging to SCC or which it is party to.

4.2.  This also means that all these documents are subject to the Freedom Legislation unless exempt; for example, technical security details in the ISeC (see below) would be exempt.

4.3.  The main documents, which should be read alongside this one, are:

·  The Authority’s First and Second Tier Information Security Policies, particularly the Acceptable Use Policy and the Access Control Policy and the SWOne ISeC agreement

·  The Authority’s Information Control and Compliance Policy

·  The Authority’s Freedom of Information/Environmental Information Policy

·  The Authority’s Records Management Policy

·  The relevant parts of the Authority terms and conditions of employment and HR policies

·  The South West One joint venture with IBM and TDBC (and Avon and Somerset Constabulary) contract document set

·  SCC guidance documents on Information Sharing Agreements

4.4. Also relevant are:

·  The Authority’s information management strategy

·  The Information Management Intranet Site

·  The Authority’s other contracts where relevant

·  The RIPA policy and arrangements

5.  Definition of terms used

5.1.  Personal data: information which identifies a living individual. In the context of the County Council, personal data may be held about service users, staff, elected Members and contractors/suppliers.

5.2.  Sensitive personal data: information that may affect the privacy of an individual more significantly. Sensitive personal data constitutes information about racial or ethnic origin, physical or mental health, sexual life, political or similar beliefs, religious beliefs, trade union membership, offences, alleged offences and proceedings for any offence.

5.3.  Data Controller: SCC is a Data Controller within the meaning of the DPA; this means that we control the way in which personal data is handled and used within the organisation.

5.4.  Processing: processing of personal data in terms of the DPA includes any action carried out using personal data. This includes the collection, alteration, general use, disclosure or destruction of this data.

5.5.  Data subject: an individual who is the subject of personal data.

6.  Equalities statement

6.1.  Somerset County Council (SCC) will give everyone the same rights of access under the (DPA) and will provide responses to subject access requests in other formats if requested to increase access, for example by:

·  Translating information into Braille or onto tape where required

·  Translating information into other languages where required

·  SCC will assist applicants who are unable to put their request in writing wherever possible

7.  Information Governance Team: responsibilities and how to contact us

7.1.  The Information and Governance Team is part of the Client Services Team in the Resources Directorate.

7.2.  Its role is to:

·  Provide advice and guidance to staff, elected members and any staff providing services for the Council on the DPA

·  Notify, on an annual basis, the Information Commissioner’s Office (ICO)of all SCC processing of personal data

·  Advise staff, and members of the public, on all aspects of handling data subject access requests (DSARs)

·  The Information and Governance Team can be contacted by

o  email on:

o  phone on 01823-357194

Page 5 of 6