{"id":654,"date":"2019-09-14T11:51:01","date_gmt":"2019-09-14T11:51:01","guid":{"rendered":"https:\/\/www.spoonerrow.cc\/?page_id=654"},"modified":"2019-10-28T17:31:07","modified_gmt":"2019-10-28T17:31:07","slug":"data-protection","status":"publish","type":"page","link":"https:\/\/www.spoonerrow.cc\/?page_id=654","title":{"rendered":"Data Protection"},"content":{"rendered":"\n<p class=\"has-medium-font-size\"><strong>General Data Protection Regulation Policy<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The following policy explains GDPR to councillors, staff and the public. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR which apply in the UK from May 2018. The Government have confirmed that despite the UK leaving the EU, GDPR will still be a legal requirement. This policy explains the duties and responsibilities of the council and it identifies the means by which the council will meet its obligations.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Identifying the roles and minimising risk<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">GDPR requires that everyone within the council must understand the implications of GDPR and that roles and duties must be assigned. The Council is the data controller and the RFO is the Data Protection Officer (DPO). (There are no data processors working under the DPO.) 
It is the DPO\u2019s duty to undertake an information audit and to manage the information collected by the Council, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">In appointing the RFO as the DPO the RFO must avoid potential conflicts of interest, in that the DPO should not determine the purposes or manner of processing personal data. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">Due to the size of the Council (7 councillors) there will be no separate committee to consider data protection issues. All requirements in relation to data protection and GDPR will be discussed and considered by the whole Parish Council, as data controller. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">GDPR requires continued care by everyone within the Council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner\u2019s Office (ICO) for the breach itself and also to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as high \/ medium risk to the Council (both financially and reputationally) and one which must be included in the Risk Management Policy of the Council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the council undertaking training in data protection awareness.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Data Breaches<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">One of the duties assigned to the DPO is the investigation of any breaches. Personal data breaches should be reported to the DPO for investigation. 
The DPO will conduct this with the support of the Parish Council. Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals \u2013 if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will also have to notify those concerned directly.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">It is unacceptable for non-authorised users to access IT using employees\u2019 log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">The Council currently utilises Twitter and WhatsApp, alongside its website. Owner and supervisor rights will be maintained by the Clerk, Councillor Foster and Councillor Ward. These 3 individuals will have access to post to these platforms. Additional access rights may be granted on a temporary basis to the Council\u2019s IT staff.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Privacy Notices<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. 
This is a notice to inform individuals about what a council does with their personal information. A privacy notice will contain the name and contact details of the data controller and Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice must be detailed on the Information Audit kept by the Council. The Council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved. All privacy notices must be verifiable.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Information Audit<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The DPO must undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the council undertakes a new activity. 
The information audit review should be conducted ahead of the review of this policy and the reviews should be minuted.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Individuals\u2019 Rights<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">GDPR gives individuals rights with some enhancements to those rights already in place: <\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 the right to be informed<\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 the right of access<\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 the right to rectification<\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 the right to erasure<\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 the right to restrict processing<\/p>\n\n\n\n<p class=\"has-medium-font-size\">The two enhancements of GDPR are that individuals now have a right to have their personal data erased (sometimes known as the \u2018right to be forgotten\u2019) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">If a request is received to delete information, then the DPO must respond to this request within a month. The DPO has the delegated authority from the Council to delete information.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">If a request is considered to be manifestly unfounded then the request could be refused or a charge may apply. The charge will be as detailed in the Council\u2019s Freedom of Information Publication Scheme. The Parish Council will be informed of such requests.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Children<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">There is special protection for the personal data of a child. The age when a child can give their own consent is 13. 
If the council requires consent from young people under 13, the Council must obtain a parent or guardian\u2019s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><strong>Summary<\/strong><\/p>\n\n\n\n<p class=\"has-medium-font-size\">The main actions arising from this policy are:<\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 The Council must be registered with the ICO. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 A copy of this policy will be available on the Council\u2019s website. The policy will be considered as a core policy for the Council. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 An information audit will be conducted and reviewed at least annually or when projects and services change. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 Privacy notices must be issued. <\/p>\n\n\n\n<p class=\"has-medium-font-size\">\u2022 Data Protection will be included on the Council\u2019s Risk Management Policy.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">This policy document is written with current information and advice. 
It will be reviewed at least annually or when further advice is issued by the ICO.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">All employees, volunteers and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council.<\/p>\n\n\n\n<p class=\"has-medium-font-size\">If you have any questions about this policy you can contact us by emailing: clerk@spoonerrow.cc<\/p>\n\n\n\n<p class=\"has-medium-font-size\">Published: 21st April 2019<\/p>\n\n\n\n<p class=\"has-medium-font-size\">Adopted: 26th September 2019<\/p>\n\n\n\n<p class=\"has-medium-font-size\">Review Date: September 2020<\/p>\n","protected":false},"excerpt":{"rendered":"<p>General Data Protection Regulation Policy The following policy explains to councillors, staff and the public about GDPR. 
Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":799,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/pages\/654"}],"collection":[{"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=654"}],"version-history":[{"count":5,"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/pages\/654\/revisions"}],"predecessor-version":[{"id":1359,"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/pages\/654\/revisions\/1359"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=\/wp\/v2\/media\/799"}],"wp:attachment":[{"href":"https:\/\/www.spoonerrow.cc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}