Data Protection and Confidentiality Policy

Cherry Willingham Parish Council (CWPC)

1.0 Policy Statement

We uphold people's privacy rights and meet our legal and contractual obligations, while making effective use of personal data.

We comply with the Data Protection Act 2018, the UK General Data Protection

We take a risk-based approach to data protection decision making and follow the recommended best practice.

Definitions of the terms and words used in this policy can be found in Appendix 1.

2.0 Scope

This policy and procedure sets out processes that comply with data protection regulations and make sure that individuals’ rights to privacy are protected. It applies to all employees, volunteers, contractors and Councillors.

3.0 Responsibilities

• Full Council must make sure plans to protect personal data are in place. This is delegated to the Clerk to the Council.

• Full Council must make sure this policy and related procedures are followed and implemented.

• The Clerk to the Council must make sure policies and procedures are compliant with data protection law, that they receive suitable training, and that associated risks are monitored.

• All employees, volunteers, contractors and Councillors must follow this data protection policy and all related procedures.

• The Clerk to the Council is responsible for maintaining the Information Asset Register and making sure our IT systems are secure.

4.0 UK General Data Protection Regulation (UK GDPR)

The UK General Data Protection Regulation, tailored by the Data Protection Act 2018, sets out principles of data protection and the rights of data subjects. A data subject is a living person who we hold personal information about. Personal information is anything that can identify a person. This includes hard copy and electronic records, images, videos, stories and biometric data (e.g. fingerprints to enter some premises). We record our lawful basis for using any personal information, and also when using any special categories of data. Special categories of data include race, religion, biometric data and sexual orientation. This is set out in our Record of Processing Activities, maintained by the Clerk to the Council. Appendix 1 has more information.

5.0 Caldicott Principles

The Caldicott Principles ensure that people’s information is kept confidential and used appropriately.

Whilst the Data Protection Act and the UK GDPR only apply to living individuals, the Caldicott Principles also apply to records and information regarding the deceased.

6.0 Collection, storage and use of personal information

Employees, volunteers, contractors and Councillors must comply with the law when processing personal information. To comply with the law such personal data must be collected and used fairly, stored safely, not disclosed to any other persons without consent or a legal basis for doing so, and:

Is only used for the purpose it was collected

Do not use the personal information for another purpose. For example, marketing material may not be sent to someone because we hold their address for another reason.

Contains only what is needed

Do not collect information you do not need. You may need to justify the information you keep.

Is accurate and kept up to date

Review records on a regular basis and update when needed.

Kept only for as long as needed

Do not keep records which you no longer need.

Kept safe and secure

Store hard copy files in secure lockable cabinets. When physically transporting records, keep them safe.

Keep electronic records securely

Save in a networked folder and do not share log-ons. When transferring via email, use encryption. Only use IT-issued USB devices if absolutely necessary, and make sure they are encrypted.

The Clerk to the Council, as the information asset owner responsible for the personal data, is responsible for making sure that all personal information processing:

Has a legal basis

• Consent (used for marketing purposes)

• Contract (employee and support/tenancy contract)

• Legal obligation (to meet a legal need)

• Vital interests (in the interests of the people’s health and safety)

• Public task (used by public bodies)

• Legitimate interests (evidenced by an assessment)

7.0 Rights of data subjects

The rights of data subjects are:

Right to be informed (to be told of their rights, what information is held on them and how it is processed):

• Employees and volunteers.

• External contacts: the privacy notice will be published on the website.

• People making an enquiry or signing up to receive a newsletter will be asked to confirm they have read our privacy notice.

• We will ask people to consent for us to use their photo, story or videos. However, there may be circumstances where we will use a ‘legitimate interest’ for processing their information, which is recorded, assessed and agreed with the Clerk to the Council.

The Clerk to the Council will make sure privacy notices are available.

Right of access (to have access to the information we hold about them):

• When people ask for their data (known as a data subject access request), we will respond to requests within one month, or a further two months in exceptional circumstances. We do not charge a fee for this, except where we can justify one (for example a large amount of photocopying).

• Employees and volunteers asking to access their data should contact their Manager in the first instance. We must allow access to all information held on the person.

Right to rectification (to ask to change their data if it is not correct or not complete):

• Employees and volunteers who disagree with any record held on file should contact the Clerk to the Council. If it is agreed the record is inaccurate, it may be removed or changed once this has been agreed by the Clerk to the Council.

• If the Clerk to the Council considers the record to be accurate, the objection will be recorded on file and the record itself will remain.

• Requests from employees and volunteers to have their data deleted must go to the Clerk to the Council. It may not be possible to delete records for these people under the terms of their contracts (for employees) or volunteering arrangements.

• People who have given their consent for us to use their personal information for marketing or fundraising purposes must contact the Clerk to the Council. We will meet these requests unless we are unable to for legal purposes.

Right to object (to object to the processing of their personal data):

Complaints received about the use of someone’s personal information should be sent to the Clerk to the Council. We may not be able to address the objections of some people, due to legal reasons.

Right to data portability (to ask for information in a machine-readable format or for it to be sent to another organisation for their own reasons).

Right to restrict processing (to ask us to stop processing personal information):

As with ‘erasure’, it may not be possible to stop processing personal information of some people.

Rights in automated decision making (to object to decisions made without human involvement):

We do not use any automated decision-making processes.

8.0 National data opt out

Confidential information

We hold records for tenants and these records contain a type of data called confidential information. We do not use or provide this information for any research or planning purposes. Should we decide to do so in the future we will give individuals the choice to opt out in line with the national data opt out policy.

9.0 Use of multi-media (photographs, audio, stories or videos of the person)

General rule

Employees, volunteers, contractors, tenants and Councillors will not use multi-media of tenants, employees, volunteers, contractors or Councillors without their consent.

Consent for the use of a child’s multi-media must be given by their parent or guardian. If a child is of an age where they can make informed decisions, we will tell them about the multi-media use and get their agreement before using their multi-media.

Consent must be in writing. All multi-media used for marketing purposes will be recorded and dated. We will keep a central record of all consent obtained. We will delete the multi-media as agreed on the consent form or when it is no longer needed for the purpose consented to.

For external use:

Multi-media must not include any personal or sensitive information unless the person’s consent has been given or it is in their best interests. We will use first names only or anonymise. We will make sure the multi-media is accurate and represents people positively. We will get the person to agree their story before using it. Contracts with external agencies commissioned by us to take the multi-media will contain a data protection clause so that they do not publish, re-use, share or sell the multi-media, and copyright will reside with CWPC.

Events

We will tell people attending our events if we will be taking photographs or videos for use in marketing media. We will:

• give advanced notice of photography or filming (and the purposes for which it will be used) when individuals are signing up to an event.

• have clear signage at the event itself where photos or video footage will be taken, the purposes for which they will be used and details of how to opt out of being photographed or filmed.

• put notices on social media if appropriate.

• tell people when taking photos or video footage how it will be used.

Storing multi-media

When taking a piece of multi-media using council phones or cameras or on personal phones, the multi-media must be removed from the device at the earliest convenience and stored safely on our ICT systems. Employees and Councillors must not post any multi-media to their social networking sites and must not use the multi-media for their personal use without the consent from the person.

Withdrawing consent

People may withdraw their consent at any time. We will not remove the multi-media where it has already been published (for example Facebook posts, printed literature or videos on YouTube). We will remove the multi-media from sources that are feasible (for example photographs on our website). We will then make sure we do not use that multi-media in future (for example when reprinting the leaflet or in presentations) by deleting it. Where the person appears in a group photograph or video, we will make every effort to remove the person from the multi-media.

10.0 Audio recordings

We must respect the privacy of others in the workplace. If you want to record conversations you should seek to do so by acquiring the consent of the person you are going to have a conversation with.

Before you make any audio recording, you must:

• Inform anyone you record about the specific purpose of the recording

• Get their specific consent.

11.0 Use of violent warning markers

We have a duty of care to employees to protect them in the workplace, and violent warning markers identify and record individuals who pose, or could pose, a risk to employees. Violent warning markers should only be used for people who pose a genuine risk, and the decision should be made by the Chair to the Council. The decision should be reviewed at least annually.

When deciding, the Chair to the Council should take into account:

• the nature of the threat

• the degree of violence used or threatened, and

• whether or not the incident indicates a credible risk of violence to staff.

The person should be informed as soon as possible after you make the decision to add a marker to their record, unless you believe that informing them would in itself create a substantial risk of a violent reaction from them.

You should record when the person was informed of the marker and what they were told, or why you believe that informing them of the marker would create a substantial risk of further threatening behaviour.

12.0 Use of CCTV (Closed circuit television)

CCTV has been installed at the Cherry Willingham Parish Office to provide protection for staff and visitors. We will keep images secure. The siting of CCTVs, what is to be recorded, how the images should be used and to whom they may be disclosed should meet the CCTV Code of Practice available on the Information Commissioner’s Office website.

Please see our CCTV – Camera Policy.

13.0 Data protection impact assessment

Data protection by design and default is an approach that promotes privacy and protects data from the start. If you are planning a new project, system or process you must assess the need for a data protection impact assessment (DPIA). Instructions on how to complete a DPIA are in our Data protection impact assessment procedure.

A DPIA should be completed whenever there is a change in risk to our data subjects. In practice this means that any time we change our systems or processes relating to personal information we will perform a review. We will also put in place a schedule to review our completed DPIAs regularly.

14.0 Suppliers and contracts

We use standard data processor contract clauses for suppliers and contractors who are acting as data processors on our behalf as the Data Controller. Where there is no contract with an organisation and processing of personal information takes place, for example in software systems we use for e-newsletters, we check their privacy policies to make sure they comply with GDPR.

15.0 Transfer of personal data

We minimise the transfer of personal data outside of the European Economic Area (EEA). Where this is the case, we make sure data is not transferred without a valid condition for processing and appropriate safeguards for the rights and freedoms of the data subjects. Any employee who receives a request to transfer personal data outside of the EEA will contact the Clerk to the Council in the first instance for advice.

16.0 Breaches of personal data

All breaches of personal information must be dealt with immediately. If you become aware of a breach, notify the Clerk to the Council. Some breaches must be reported to the Information Commissioner’s Office within 72 hours, so it is important to act quickly.

If a data breach is likely to result in high risk to the rights and freedoms of an individual, we must also communicate the breach to the people affected without undue delay. Our Data breach procedure outlines the process for investigating, reporting and responding to information security incidents. If a data breach occurs, please complete a “Breach of DATA reporting form” (Appendix 1).

17.0 Data protection training and awareness

LALC provide training and awareness.

18.0 Related documents

Data breach policy and procedure (DP2)
Sharing personal information policy and procedure (DP3)
Data storage and destruction of criminal disclosures policy and procedure (DP4)
Data protection impact assessment policy and procedure (DP5)
Keeping and destroying documents policy and procedure (DP6)
Information governance policy and procedure (DP7)
CCTV – installing and using policy and procedure (DP8)
Information risk management policy and procedure (DP9)
Data quality and record keeping policy and procedure (DP10)
Multi-media consent form (DP1-F1)
Subject Access Request (DP1 – G1)
Handling personal information (DP1 – G2)
Data protection privacy notices

19.0 Related legislation

UK General Data Protection Regulation
Data Protection Act 2018
Equality Act 2010
Mental Capacity Act 2005
PECR - Privacy and Electronic Communications (EC Directive) Regulations 2003
The Employment Practices Data Protection code

20.0 Review

This policy and procedure will be reviewed as legislation or our own policies change, and at least every 2 years.

Appendix 1 - Definitions

UK GDPR

UK General Data Protection Regulation was published in January 2021 following our exit from the EU. It sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.

Data Controller

A person, public authority or agency who determines the purposes and means of the processing of personal data. CWPC is a Data Controller in all areas of our data processing activities.

Data Processor

A body which processes personal data on behalf of the controller.

Data Subject

A living person who is the subject of processing of their personal information.

Personally Identifiable Information (Data)

Any information relating to an identified or identifiable natural (living) person. If you can identify an individual from the data held, then the data is Personal Information and falls within the scope of UK GDPR. This includes documents, records (hard copy and electronic), biometric data (fingerprints for access to premises, for example), images, videos, and stories.

Processing

Obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data.

This includes:

• Manipulating data in some way

• Organising and retrieving data

• Adaptation, alteration, or modification of the data

• Use of the information or data

• Transmitting the data and making the data available

• Destroying, blocking, or erasing the data.

Record of Processing Activities (ROPA)

A full record of all personal data we process, which includes our legal basis for processing personal information and further legal basis for processing special categories of personal information.

Information Asset Register

A spreadsheet containing details of our electronic systems which hold personal information.

Third party

An individual linked in some way to the data subject, or an organisation who is sent personal information.

ICO (Information Commissioner’s Office)

The national body who enforces the UK GDPR.

Lawful basis for processing

The types of lawful basis for processing are set out in Article 6 of the UK GDPR. At least one of these must apply when we process personal data:

• Consent

• Contract

• Legal obligation

• Vital interests

• Public task

• Legitimate interests

Special categories of data

A further lawful basis (set out in Article 9 of the UK GDPR) must be applied when processing special categories of data:

• Racial or ethnic origin

• Political opinion/affiliation

• Religious or political beliefs

• Trade Union membership

• Genetic/biometric data

• Health related

• Sex life/sexual orientation

Caldicott principles

• Justify the purpose(s) for using confidential information

• Use confidential information only when it is necessary

• Use the minimum necessary confidential information

• Access to confidential information should be on a strict need-to-know basis

• Everyone with access to confidential information should be aware of their responsibilities

• Comply with the law

• The duty to share information for individual care is as important as the duty to protect patient confidentiality

• Inform people about how their confidential information is used

Appendix 1

Breach of DATA reporting form

Date and time of notification of breach: ……………………………………………………

Notification of breach to whom (name): ……………………………………………………
Contact details: ………………………………………………………………………………

Details of breach:
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Nature and content of data involved:
…………………………………………………………………………………………………

Number of individuals involved: ………………………………………………………………

Name of person investigating breach: ……………………………………………………
Job title: ………………………………………………………………………………………
Contact details: ………………………………………………………………………………
Email: …………………………………………………………………………………………
Phone number: ………………………………………………………………………………
Address: ………………………………………………………………………………………

Information Commissioner informed
Date and method of contact: …………………………………………………………………
https://report.ioc.org.uk/security-breach/

Police informed (if relevant)
Time and method: ……………………………………………………………………………
Name of person contacted: …………………………………………………………………
Contact details: ………………………………………………………………………………

Individuals contacted: ………………………………………………………………………
How many individuals contacted: ……………………………………………………………
Method of contact: ……………………………………………………………………………
What are the potential consequences and adverse effects on those individuals?
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Confirm that details of the nature of the risk to the individuals affected, any measures they can take to safeguard against it, and the likely cost to them of taking those measures have been relayed to the individuals involved:
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Staff briefed:
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Assessment of ongoing risk:
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Containment actions: what technical and organisational security measures have you applied (or are to be applied) to the affected personal data?
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Recovery plan:
…………………………………………………………………………………………………
…………………………………………………………………………………………………

Evaluation and response:
…………………………………………………………………………………………………
…………………………………………………………………………………………………