Purpose of the policy and background
This policy explains the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) to councillors, employees, and the public. Personal data must be:
- processed lawfully, fairly and transparently
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary for processing
- accurate and kept up to date
- kept only for as long as is necessary
- processed in a manner that ensures its security
This policy updates any previous data protection policy and procedures to include the requirements of UK GDPR and the DPA 2018.
Identifying the roles and minimising risk
The Council is the Data Controller and must appoint a Data Protection Officer (DPO). The DPO will undertake an information audit and manage the council’s personal data.
All councillors, staff and volunteers must comply with data protection requirements. Breaches may result in enforcement action by the Information Commissioner’s Office (ICO). Handling of information is therefore considered a medium/high risk to the council and will be included in the Risk Management Policy. Risks are minimised by:
- conducting an information audit
- issuing privacy notices
- carrying out Data Protection Impact Assessments (DPIAs) where processing is high-risk
- ensuring data is only held by those who need it
- providing regular data protection training
- applying the principle of data protection by design and default
Lawful basis for processing
The Council will ensure that all personal data is processed on a lawful basis as defined by the UK GDPR (e.g., public task, legal obligation, consent, legitimate interest). The lawful basis for each processing category will be documented in the information audit.
Data processors and third parties
Where the Council engages third-party suppliers or contractors who process personal data on its behalf, written contracts will be in place that meet the requirements of Article 28 UK GDPR. These contracts will set out the processor’s obligations for confidentiality, security, and assisting the Council with compliance.
Data breaches
Any personal data breaches must be reported to the DPO immediately. The DPO will investigate and, where required, notify the ICO within 72 hours. Where there is a high risk to individuals’ rights and freedoms, those affected will also be notified.
Councillors, staff and volunteers must not misuse IT systems or discuss confidential council business on social media.
Privacy Notices
Individuals will be informed about how their personal data is used via clear and accessible privacy notices. These will include:
- the name and contact details of the Council and DPO
- the lawful basis and purpose for processing
- retention periods
- details of individuals’ rights
- who data may be shared with
Where consent is relied on, individuals have the right to withdraw consent at any time.
Information Audit
The DPO will maintain an annual information audit detailing:
- the personal data held
- the source of the data
- the lawful basis for processing
- who it is shared with
- retention periods
The audit will be reviewed annually and whenever new projects or services are introduced.
Individuals’ Rights
The Council will uphold the following rights under UK GDPR:
- right to be informed
- right of access (Subject Access Requests will be fulfilled within one month)
- right to rectification
- right to erasure (where applicable)
- right to restrict processing
- right to data portability (where applicable)
- right to object
- rights in relation to automated decision-making and profiling
Children
Special protection applies to children’s data. For data protection purposes, the age at which a child can give their own consent is 13. For under-13s, parental or guardian consent must be obtained. Consent forms will be drafted in language appropriate for children.
Retention and disposal
The Council will adopt and maintain a data retention and disposal schedule, based on ICO and NALC/SLCC guidance. Data will be securely deleted or destroyed when no longer required.
Councillor responsibilities
Councillors using personal devices or personal email accounts for council business must apply appropriate safeguards, including password protection, encryption where available, and regular security updates. Where possible, council-provided accounts should be used.
Summary of actions
- Council must remain registered with the ICO.
- This policy will be published on the Council’s website.
- An annual information audit will be maintained.
- Privacy notices must be issued and kept under review.
- A data retention and disposal schedule will be maintained.
- Contracts with data processors will be required.
- Data Protection will remain a standing item in the Council’s Risk Management Policy.
This policy will be reviewed annually or when updated ICO guidance is issued.
All employees, volunteers and councillors must comply with this policy to protect privacy, confidentiality and the Council’s reputation.