Leven Parish Council

General Data Protection Regulation Policy

Agreed 2nd July 2024

Review July 2026

Introduction

The purpose of data protection legislation is to protect the ‘rights and freedom’ of living individuals. Data protection legislation applies to all data controllers within the UK, who process personal data in order to provide services.

The Information Commissioner oversees compliance and promotes good practice, regulating all organisations and individuals who process personal data. This policy applies to all personal data held by Leven Parish Council. The policy aims to ensure those individuals’ rights and freedoms are protected, preventing personal data being mistreated or used to deny access to services. The policy will be used to ensure that the personal data Leven Parish Council holds is used fairly and lawfully, in line with data protection legislation.

Roles

Whilst Parish Councils are not classed as public authorities under the UK General Data Protection Regulation (GDPR) and therefore there is no requirement to have a Data Protection Officer, as part of its commitment to comply with data protection legislation the Parish Clerk will be a point of contact for all data protection issues.

As the Parish Council is a data controller, it is registered with the Information Commissioner’s Office (ICO). It is the responsibility of all staff and Councillors to comply with data protection legislation.

Data

Leven Parish Council collects and uses certain types of personal information about staff, councillors, residents and other individuals who come into contact with the Parish Council.

The Parish Council may be required by law to collect and use certain types of information to comply with statutory obligations related to employment; other information may be collected either by consent of the individual or to perform its public task (i.e. operate as a Parish Council).

The Parish Council has completed an Annual Assessment of the data it holds in support of this policy (Appendix One).

Principles

All processing of data by Leven Parish Council must be conducted in accordance with the data protection principles:

1. Personal data must be processed lawfully, fairly and transparently.

2. Personal data can only be collected for specific, explicit and legitimate purposes.

3. Personal data must be adequate, relevant and limited to what is necessary for processing.

4. Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.

5. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.

6. Personal data must be processed in a manner that ensures the appropriate security.

7. The controller must be able to demonstrate compliance with the UK GDPR’s other principles (accountability).

Data Subjects’ Rights

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed.
  • To prevent processing likely to cause damage or distress.
  • To prevent processing for purposes of direct marketing.
  • To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
  • To not have significant decisions that will affect them taken solely by automated process.
  • To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.
  • To request the ICO to assess whether any provision of the data protection legislation has been contravened.
  • To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller (ported).
  • To object to any automated profiling that is occurring without consent.

The Parish Council makes every effort to ensure that data subjects may exercise these rights.

A data subject may make a Subject Access Request, which is under normal circumstances free of charge and will be dealt with within one month (although this can be extended by two months in some circumstances).

Data subjects also have the right to complain to the Parish Council in relation to the processing or handling of their personal data. This will be done in line with the Council’s complaints policy and procedure.

Disclosure

The Parish Council ensures that personal data is not disclosed to unauthorised third parties, which include family members, friends, suppliers, government bodies and other public sector organisations. All employees or members of the Parish Council should exercise caution when asked to disclose personal data held on another individual to a third party.

Incidents and Breaches

The Parish Council will always treat any data protection incident/breach as a serious issue. In the event of a breach, or suspected breach (incident), an investigation will be undertaken, and there is an obligation to report certain data protection breaches to the ICO within 72 hours of the Parish Council being made aware. If required, the Parish Council will also arrange for the affected data subjects to be notified.

GDPR Risk Assessment

The Parish Council has conducted a GDPR risk assessment with details of the management of risk in place and proposed further actions. This will be updated annually (Appendix Two).