Data Protection Policy - re-adopted 26/01/2023

FENTON AND TORKSEY LOCK PARISH COUNCIL
Data Protection Policy
Introduction 
Fenton and Torksey Lock Parish Council (FTLPC) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its work. This personal information must be collected and dealt with appropriately, whether on paper, in a computer, or recorded on other material, and there are safeguards to ensure this under the Data Protection Act 1998.
The following list of definitions of the technical terms we have used is intended to aid understanding of this policy.
 
Definitions
Data Controller – Fenton and Torksey Lock Parish Council (FTLPC), as a Corporate Body, is the data controller under the Act, and is ultimately responsible for implementation. Information and advice about the holding and processing of personal information is available from the Clerk.
FTLPC determines what purposes personal information held will be used for.
 
Data Protection Act 1998 – The UK legislation that provides a framework for responsible behaviour by those using personal information. 
 
Data Protection Officer – The person(s) responsible for ensuring that FTLPC follows its data protection policy and complies with the Data Protection Act 1998.
 
Data Subject/Service User – The individual whose personal information is being held or processed by FTLPC, for example: a client, an employee, a supporter, contractors, suppliers, contacts, referees, friends or family members.
 
‘Explicit’ consent – is a freely given, specific and informed agreement by a Data Subject to the ‘processing’ of ‘personal information’ about her/him. Explicit consent is needed for processing ‘sensitive data’.
 
Notification – Notifying the Information Commissioner about the data processing activities of FTLPC, as certain activities may be exempt from notification. 
 
Information Commissioner – The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998. 
 
Processing – any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
 
Personal Information – Information about living individuals that enables them to be identified – e.g. name and address. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers or employees within FTLPC.
 
Sensitive Data - means data about: 
   1. Racial or ethnic origin
   2. Political opinions
   3. Religious or similar beliefs
   4. Trade union membership
   5. Physical or mental health
   6. Sexual life
   7. Criminal record
   8. Criminal proceedings relating to a Data Subject’s offences
 
Staff, Councillors, residents and customers and other data subjects may include past, present and potential members of those groups.
 
Disclosure – FTLPC may share data with other agencies such as the local authority, funding bodies and other voluntary agencies. 
The Data Subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law allows Fenton and Torksey Lock Parish Council to disclose data (including sensitive data) without the data subject’s consent. These are: 
1. Carrying out a legal duty or as authorised by the Secretary of State 
2. Protecting vital interests of a Data Subject or other person
3. The Data Subject has already made the information public
4. Conducting any legal proceedings, obtaining legal advice or defending any legal rights
5. Monitoring for equal opportunities purposes – i.e. race, disability or religion
6. Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.
 
 
Treatment of Information 
FTLPC regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. 
FTLPC intends to ensure that personal information is treated lawfully and correctly. 
To this end, FTLPC will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 1998. 
Specifically, the Principles require that personal information: 
1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
2. Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes
3. Shall be adequate, relevant and not excessive in relation to those purpose(s) 
4. Shall be accurate and, where necessary, kept up to date
5. Shall not be kept for longer than is necessary
6. Shall be processed in accordance with the rights of data subjects under the Act
7. Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information
8. Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information. 
 
Management of Information
FTLPC will, through appropriate management, strict application of criteria and controls: 
1. Observe fully conditions regarding the fair collection and use of information
2. Meet its legal obligations to specify the purposes for which information is used
3. Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements
4. Ensure the quality of information used
5. Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
a. The right to be informed that processing is being undertaken
b. The right of access to one’s personal information
c. The right to prevent processing in certain circumstances
d. The right to correct, rectify, block or erase information which is regarded as wrong information
 
6. Take appropriate technical and organisational security measures to safeguard personal information
7. Ensure that personal information is not transferred abroad without suitable safeguards
8. Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information
9. Set out clear procedures for responding to requests for information
 
 
Data collection 
Informed consent 
Informed consent is when 
1. A Data Subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data
2. and then gives their consent
 
 
Subject understanding
FTLPC will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form. 
When collecting data, FTLPC will ensure that the Data Subject:
1. Clearly understands why the information is needed 
2. Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
3. As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
4. Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
5. Has received sufficient information on why their data is needed and how it will be used
 
Sensitive Information
FTLPC may process sensitive information about a person’s health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18, and the FTLPC has a duty under the Children Act 1989 and other enactments to ensure that members of staff are suitable for the job.
 
Staff Responsibilities
All staff shall:
1. ensure that all personal information which they provide to the FTLPC in connection with their employment is accurate and up-to-date
2. inform FTLPC of any changes to information, for example, changes of address;
3. check the information which FTLPC shall make available from time to time, in written or automated form, and inform FTLPC of any errors or, where appropriate, follow procedures for up-dating entries on computer forms.
FTLPC shall not be held responsible for errors of which it has not been informed.
 
When staff hold or process information about Councillors, residents and customers, colleagues or other Data Subjects (for example, Councillors, residents and customers’ course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with Data Protection Guidelines.
 
Staff shall ensure that:
1. all personal information is kept securely (paper files locked in secure cabinet in locked office and computer files password protected)
2. personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party.
Unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.
 
When members of staff supervise Councillors, residents and customers doing work which involves the processing of personal information, they must ensure that those Councillors, residents and customers are aware of the Data Protection Principles, in particular, the requirement to obtain the Data Subject’s consent where appropriate.
 
 
Councillor and other Data Subjects’ Responsibilities
All Councillors, residents and customers shall:
1. ensure that all personal information which they provide to FTLPC is accurate and up-to-date
2. inform FTLPC of any changes to that information, for example, changes of address
3. check the information which FTLPC shall make available from time to time, in written or automated form, and inform FTLPC of any errors or, where appropriate, follow procedures for up-dating entries on computer forms.
FTLPC shall not be held responsible for errors of which it has not been informed.
 
Data Storage
Information and records relating to service users will be stored securely and will only be accessible to authorised staff and volunteers. 
Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately.
It is FTLPC's responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.
 
Data access and accuracy 
All Data Subjects have the right to access the information FTLPC holds about them. FTLPC will also take reasonable steps to ensure that this information is kept up to date by asking Data Subjects whether there have been any changes.
In addition, FTLPC will ensure that: 
1. It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
2. Everyone processing personal information understands that they are contractually responsible for following good data protection practice
3. Everyone processing personal information is appropriately trained to do so
4. Everyone processing personal information is appropriately supervised
5. Anybody wanting to make enquiries about handling personal information knows what to do
6. It deals promptly and courteously with any enquiries about handling personal information
7. It describes clearly how it handles personal information
8. It will regularly review and audit the ways it holds, manages and uses personal information
9. It regularly assesses and evaluates its methods and performance in relation to handling personal information
10. All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them
 
Compliance
Compliance with the Act is the responsibility of all Councillors, residents and customers and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Clerk.
Any individual, who considers that the policy has not been followed in respect of personal data about him or herself, should raise the matter with the designated Data Controller initially. If the matter is not resolved it should be referred to the staff grievance or complaints procedure.
 
Disclosure of personal information 
Disclosures to councillors representing local residents
A local authority does not generally have to get the express consent of an individual to disclose their personal information to an elected member, as long as: 
1. the elected member represents the ward in which the individual lives
2. the elected member makes it clear that they are representing the individual in any request for their personal information to the local authority; and 
3. the information is necessary to respond to the individual’s complaint.
 
In these circumstances, the individual has provided implied consent to the processing of their personal data that is reasonably necessary to pursue the complaint. 
 
There are different requirements when dealing with sensitive personal data, which is defined in the DPA as information about an individual’s: 
   1. Racial or ethnic origin
   2. Political opinions
   3. Religious or similar beliefs
   4. Trade union membership
   5. Physical or mental health
   6. Sexual life
   7. Criminal record
   8. Criminal proceedings relating to a data subject’s offences
 
There may be occasions when it is advisable to get an individual’s signed consent. However, in most cases, the individual would reasonably expect their sensitive personal data to be disclosed in order to respond to their complaint. The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 No. 2905 covers this, as it provides a basis for:
1. the processing of sensitive personal data by elected representatives in connection with their function as a representative, including the disclosure of such information where necessary
2. the disclosure of sensitive personal data by organisations responding to elected representatives acting on behalf of individual constituents. 
When providing personal information to the elected member, the data is provided only to help the individual and must not be used for any other purpose. 
 
Disclosures to the councillor as a member of the FTLPC
Personal information can be disclosed to a councillor if they need to access and use the information to carry out official duties. However, the councillor will only be given access to the personal information they need to carry out their duties. 
Before a Councillor can access any sensitive personal information, they would need consent to do this from the Clerk. This can be done by completing a data access request form (Appendix 2). Dependent on the data being requested, the information may be given in an electronic format, hard paper copy or may only be available to view within the office in the presence of the Clerk or RFO. Lone access to paper or computer records within the Parish Council office by a Councillor will not be permitted.
 
Data should never be used for political reasons unless the Data Subjects have consented.

Rights to Access Information
Staff, Councillors, residents and customers and other data subjects in the Parish Council have the right to access any personal data that is being kept about them, and only them, either on computer medium or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Clerk.
FTLPC will make a charge of £10 for each official Subject Access Request under the Act.
FTLPC aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Parish Clerk to the data subject making the request.
 
 
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998. 
In case of any queries or questions in relation to this policy please contact the Fenton and Torksey Lock Parish Council Data Protection Officer:
The Clerk – Ms Ruth Keillar
The Wesleyan Chapel
Blind Lane
Coleby
LN5 0AL
01522 811730
clerk@fentorkpc@btinternet.com

Appendix 1
 
Complete details of FTLPC's current entry on the Data Protection Register can be found on the notification section of the Information Commissioner's web site: www.ico.org.uk, Registration reference ZA110105
Expiry date is 12/04/2017
 
The following is a broad description of the way Fenton and Torksey Lock Parish Council processes personal information.
 
Reasons/purposes for processing information
We process personal information to enable us to carry out our statutory duties. We also process personal information to promote our services; undertake fundraising; maintain our accounts and records; manage and support our employees.
 
Type/classes of information processed
We process information relevant to the above reasons/purposes. This may include:
* personal details
* family details
* lifestyle and social circumstances
* education and employment details
* financial details
* goods and services
 
We also process sensitive classes of information that may include: physical or mental health details; racial or ethnic origin.
 
Who the information is processed about
We process personal information about:
* employees
* suppliers
* complainants, enquirers
* business contacts
* professional advisers and consultants
* residents of the parish
* elected representatives and holders of public office
* members of the parish council 
 
Who the information may be shared with
We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons. 
 
Where necessary or required we share information with: 
* educators and examining bodies
* suppliers and service providers
* persons making an enquiry or complaint
* local government
* press and the media
* family, associates and representatives of the person whose personal data we are processing
* current, past and prospective employers
* financial organisations
 
Transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.
 
Statement of exempt processing:
Fenton and Torksey Lock Group Parish Council also processes personal data which is exempt from notification.
 
This policy supersedes the previous Data Protection Policy adopted by the Parish Council at the meeting held on 9 March 2017, minute no. 132.
 
 
Signed: G. Newton
Chairman

Adopted on Date: 18-01-2018
 
 
 
Document Review History
Date of Review: 21/02/19. Signed: G. Newton
Date of Review: 20/02/20. Signed: G. Newton

Appendix 2
 
DATA ACCESS REQUEST FORM
 
 
Please provide the following details about yourself:
 
 
Full name ……………………………………………………………………………………………. 
Address ……………………………………………………………………………………………………………………………
…………………………………………………………………………………………………………………………………..….... 
Tel No ………………………………………….………………………………………….. 
Email: ………………………………………….......................
Please describe the information you seek together with any other relevant information to help us identify the information you require.
 
…………………………………………………………………………………………………………………………........…………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
Please explain the reason for requesting this information.
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
……………………………………………………………………………………………………………………………………………..
 
 
 
 
ALL APPLICANTS MUST COMPLETE THIS SECTION [Please note that any attempt to mislead may result in prosecution].
I …………………………………………………………….…….. confirm that the information given on this application form to Fenton and Torksey Lock Parish Council is true, and I have read and agree to Fenton and Torksey Lock Parish Council's Data Protection Policy.
 
Signature: …………………………………………………………. 
Date: ………………………………………………………….
Please return the completed form to the Parish Clerk.

For completion by the Parish Clerk
 
Data Access Request: Permitted / Denied (delete as appropriate)
Reason permitted/denied:
.............................................................................................................................................................
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
Information provided and in what format:
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
.............................................................................................................................................................
 
Date Provided:.....................................................
 
 
Signature: ................................................................ 
Name:................................................................................................................