Data protection policy
Everyone has rights under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act of 2018 with regards to personal information held about them by the council.
Your rights on your personal information, some of which are conditional, include:
- the right to be informed
- to ask us to update incorrect or incomplete details
- to object to or restrict processing of it
- to ask us to delete your information
- to ask us to share it with another party
- to make a complaint
All personal information held by us will be treated in confidence. It will be held and used only in accordance with the terms of the act and other applicable legislation.
- wherever possible, seek to do more than the minimum required by law, attempting to comply with the spirit of the legislation as well as the letter at all times
- be open about the type and extent of personal data we hold
- keep the minimum amount of personal information needed to perform our duties
- hold that information securely, use it only for appropriate purposes, not disclose it without proper authority and when it’s no longer required for the purpose it was obtained we will securely destroy the information
We expect all of our employees to comply fully with this policy and the principles of the data protection legislation. We will provide training and advice necessary to enable our employees to do this.
Deliberate breaches of this policy will be considered as gross misconduct and will render the employee liable to disciplinary action up to and including dismissal. Individuals, as well as the council, can also be prosecuted for breaches of the data protection legislation.
Our data protection officer (DPO) is responsible for informing and advising the council, its employees, and elected members of our obligations to ensure compliance with the data protection legislation.
The DPO will also monitor our compliance with data protection legislation and our policies, including where required the assignment of responsibilities, awareness-raising and training of staff involved in processing personal information and the related audits.
It is however the responsibility of each elected member and every employee to be aware of their individual and collective responsibilities under the data protection legislation and to make sure they comply with its provisions.
The DPO will on behalf of the council also:
- ensure the council, its other relevant functions and elected members are registered with the Information Commissioner’s Office as data controllers according to the data protection legislation
- ensure the council has created and maintains an adequate record of its personal data processing activities
- provide advice where requested regarding the data protection impact assessment (DPIA) process and monitor our performance against the process
- be our contact point for the Information Commissioner’s Office and cooperate with them regarding the reporting and investigation of serious data breaches, the prior consultation regarding high risk processing identified by a DPIA or with regard to any other matter
We will provide any person requesting it in the proper manner, a response stating:
- whether or not the council holds personal information about that individual and
- if so, the opportunity to see the information and to have it corrected, completed or deleted if appropriate
The person may also choose to request that our processing of the information is restricted, ask us to share it with another party or to make a complaint.
Persons may only request details about themselves and no other person. Should the request be considered frivolous or otherwise a deliberate waste of council resources, the request may be refused.