Data Protection Policy
This policy describes our approach to protecting personal data, in line with the Data Protection laws.
Version:
|
Version 5
|
Date:
|
02/06/2023
|
Author/s:
|
Corporate Information Governance Manager
|
Consultee/s:
|
Corporate Management Team; Senior Information Risk Owner; Legal Services; Information Governance Project Team
|
Approved by:
|
Cabinet
|
Review frequency:
|
Every 2 years
|
Next review date:
|
2025
|
Policy objective
Administration and delivery of quality services involves processing personal data about people. The Council is committed to managing personal data effectively and legally to maintain confidence between those with whom we deal and the Council.
This policy describes Caerphilly County Borough Council’s approach to personal data.
Scope and definitions
This policy covers the Council’s obligations under all legislation applicable in the UK covering data protection and privacy and references the definitions in the UK General Data Protection Regulation 2016 (“UK GDPR”) and Data Protection Act 2018.
‘Personal data’ is defined as “any information relating to an identified or identifiable natural person” who can be identified either directly or indirectly from information about that individual [Article 4(1), UK GDPR]. Certain categories of data are subject to additional protections, and includes:
- Racial or ethnic origin
- Religious or other beliefs of a similar nature
- Political opinion
- Physical or mental health or condition
- Genetic data
- Biometric data (where used for identification purposes)
- Sexual life or orientation
- Trade union membership
- Criminal allegations, proceedings, outcomes and sentences
‘Processing’ personal data means “any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination)”; or otherwise making personal data available when necessary and ensuring the erasure and/or disposal of that information when no longer required [Article 4(2), UK GDPR].
The policy applies to all employees, elected members, and other individuals/organisations acting on behalf of the Council who have access to personal information that the Council is responsible for.
Detailed procedures accompany this policy to direct the processing of personal information in a fair, lawful and transparent manner.
Data protection principles
Personal data of all stakeholders – current, former, and prospective service users, employees, suppliers, and others - will only be processed in compliance with laws on privacy and data protection, specifically adhering to the UK GDPR principles that personal data must be:
- processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes (‘purpose limitation’);
- adequate, relevant, and limited to what is necessary (‘data minimisation’);
- accurate and, where necessary, kept up to date (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than necessary (‘storage limitation’); and
- processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
There is also an overarching principle of accountability which requires each organisation to demonstrate their compliance with the above principles (‘accountability’).
The Council will demonstrate accountability in adhering to the rights of individuals set out in data protection law, including their right:
- to be informed how personal data is collected, stored, managed, protected, and processed.
- of access (“subject access”) to request a copy of personal data held about yourself. However, please be aware that information can sometimes be legitimately withheld.
- to rectification (“right to correction”) of inaccurate or incomplete personal data.
- to erasure (“right to be forgotten”) where you have the right to have your personal data erased in certain circumstances. This does not include any personal data that must be retained by law.
- to restriction, which allows you to limit the way we use your personal data in some circumstances.
- to portability gives an individual the right to receive copies of data provided to a controller in a portable format.
- to object to the processing of one’s personal data; and
- in relation to automated decision making and profiling whereby an individual has the right not to be subject to a decision based solely on automated processing (including profiling) that results in legal effects concerning them or significantly affects them.
Accountability and monitoring
A Statutory Data Protection Officer (DPO) is designated to oversee the management of personal information Council-wide, reporting to the Council’s Senior Information Risk Owner (SIRO).
Heads of Service as Information Asset Owners adhere to the Council’s Information Risk Management Policy, supported by Service Area Information Governance Stewards.
Data Protection Impact Assessments (DPIAs) will be carried out where a type of processing “is likely to result in a high risk to the rights and freedoms” of individuals [Article 35(1)]. These must take into account:
- “the nature, scope, context and purposes of the processing”; and
- the potential impact of the envisaged processing on the protection of personal data involved.
A DPIA is, therefore, used as a form of risk assessment that helps to identify and minimise the data protection risks of a project.
A record of personal data processing activities is maintained by each Service Area, and the way that the information is managed is regularly evaluated using Privacy Impact Assessments where appropriate.
Clear and timely privacy notices are communicated that enable the subject of the data to understand how their personal data is being used.
Sharing of personal data is carried out in compliance with approved protocols, including:
- the Wales Accord on Sharing Personal Information (WASPI) framework for regular or one-way data sharing with partner organisations, such as the NHS, the police, or the fire service; and
- Data Processing Agreements with Council suppliers to outline the liabilities and responsibilities of both parties entering into a contract.
Caerphilly CBC may also receive ad hoc requests for information from external agencies, such as the police, Home Office, and Department for Work and Pensions. The Corporate Information Governance Unit (CIGU) considers these requests and will disclose personal data only where the law allows.
Disposal of personal data will be strictly in line with the Council’s Records Retention and Disposal Procedure.
Everyone processing personal information is aware of their responsibilities and receives appropriate information to support them, including annual training.
Complaints and data security incidents
Failure to comply with the law on data protection may result in:
- Serious consequences for individuals that the data relates to, including embarrassment, distress, financial loss,
- Irreparable damage to the Council’s reputation and loss of confidence in the Council’s ability to manage information properly,
- Monetary penalties and compensation claims,
- Enforcement action from the Information Commissioner, and
- Personal accountability for certain criminal offences and for breaching the Employee or the Elected Member
Code of Conduct
Complaints or concerns can be made to the Council’s Data Protection Officer and will be dealt with in accordance with the Council’s Information Governance Complaints Procedure.
Related policies and resources
This policy should be read in conjunction with the following Council policies:
- Records Management Policy
- Information Risk Management Policy
- Access to Unpublished Information Policy
- IT Security Policy
Additional guidance and resources:
- For the public - see the Council’s website.
- For employees - the Council’s Information Governance intranet pages.
Further Information
Further Information is available from the Data Protection Officer and Corporate Information Governance Unit: 01443 864322 / dataprotection@caerphilly.gov.uk