Data Protection Policy
Definitions of Commonly Used Terms
Personal Information
4.1 Personal information is any information relating to or identifying a living individual. If a piece of information can be used, directly or indirectly (in conjunction with other available information), to identify an individual, it is considered to be personal information. Additionally, if raw information that does not identify an individual is processed and held for purposes that may impact a specific targeted individual, it is considered to be personal information, even if the information is pseudonymised. Personal information in the public domain is still considered to be personal information.
Examples of personal information in circumstances where an individual can be identified or the information affects a specific individual include names, nicknames, dates of birth, emails, telephone numbers, reference numbers, car registration numbers, national insurance numbers and addresses. Information that is not normally considered personal information can be personal information in specific circumstances where it identifies an individual (such as a dog’s name or a common phrase used by an individual).
Special Category Personal Information
4.2 Special category personal information is sensitive personal information relating to the following:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- sex life;
- sexual orientation.
Personal information relating to criminal offence information should be handled as if it is special category personal information.
Processing
4.3 Processing is defined as utilising personal information. This includes the following actions: collecting, recording, organising, structuring, storing, adapting, altering, retrieving, disclosing, sharing, combining, restricting, or deleting.
Data Subject
4.4 A Data Subject is an individual to whom personal information relates.
Organisational Accountability
4.5 For the purposes of this policy, organisational accountability relates to procedures that the Council use to ensure and review compliance with data protection legislation. This includes: DPIA/PIAs, data breach assessments, data sharing agreements, annual data protection training, and the Register of Processing Activity.
Data Controller
4.6 A data controller is the organisation that is responsible for processing personal information and that has the identified purpose for processing. This organisation will make the final decision on how personal information is processed by processors in line with the agreed contract and/or data sharing agreement.
Processor
4.7 A processor has delegated authority from a data controller to process information on their behalf and in line with their identified purpose for processing. The processor will act in accordance with the controller’s instructions and will assist them in ensuring compliance with data protection legislation in line with the agreed contract and/or data sharing agreement.