Data Protection Policy

5.1      The GDPR and DPA outlines the requirements for an organisation to lawfully process personal information. This does not erase the Council’s obligations to other legislation, which may interact with data protection legislation to specify what information should be processed and may be released, whether into the public domain or to a prescribed body. Therefore, personal information may be handled differently to a minor extent depending on the purpose for processing, where the purpose is outlined in separate legislation.

Data Protection Principles

5.2      The Council must process all personal information in line with the following principles outlined in Article 5(1) of the GDPR:

a)        Lawfulness, fairness and transparency:

-           The Council must identify the specific Lawful Basis for Processing personal information and must not collect the information in a manner that is unlawful. Please see section 5.3 of this policy for further information.

-           The information must be collated for the specified purposes; the expectations of the data subject should be clearly communicated; and there should be a consideration of how processing personal information may negatively impact data subjects and be weighed against the purpose for processing. Please note that personal information may be processed for purposes that negatively impact a data subject, for example for the purpose of law enforcement.

-           There must be a clear communication of why personal information is being processed in an accessible and easy to understand manner; a clear communication of how this personal information will be used; who will process the personal information; for how long personal information will be held; and the rights that are available to the data subject.  

b)        Purpose limitation:

-           Personal information should only be processed for the purposes identified and communicated. Please note that exemptions exist within data protection legislation that allow for personal information to be processed for other specified purposes, such as legal advice or to detect/prevent crime. 

c)        Data minimisation:

-           The quantity and depth of personal information collated should be minimised to what is required to fulfil and relevant to the purpose of processing. There should be a justification of why personal information is required to be processed (this does not need to be in writing). Where information is no longer required to fulfil the purpose for processing, it should be deleted in line with retention schedules contained in the ROPA.

d)        Accuracy

-           Personal information should be accurate and routinely reviewed and/or amended to ensure accuracy is maintained.

e)        Storage limitation

-           Personal information should not be kept indefinitely and should be subject to pseudonymisation, anonymisation, or deletion after a specified time. When information is no longer necessary, information should be reformatted or deleted dependent on the Council’s purpose for processing and legal obligations.

f)          Integrity and confidentiality (security)

-           Personal information should be processed in a secure manner with  security measures implemented to reduce potential risks and threats. This includes behavioural, procedural, and technical measures.

g)        Accountability

-           The Council takes full responsibility for the personal information it processes and implements necessary procedures to ensure that information is processed in compliance with data protection legislation.

Organisational Accountability

5.3      The Council will maintain a firm understanding of the processing activity involved and produce a written record of the activity. This will include a description of processing, the potential risks, and any steps taken to mitigate risks. For further information on the measures taken to uphold a good standard of organisational accountability, please review section 6 of this policy.

Lawful basis for processing

5.4      The Council must have identified one of the following Lawful Basis for Processing outlined in Article 6 of the UK GDPR before processing personal information:

a)        Consent

b)        Contract

c)        Legal obligation

d)        Vital interests

e)        Public task

f)          Legitimate interest

5.5      The Council must have identified lawful basis for processing where it is processing special category personal information outlined in article 9 of the UK GDPR. This must be in addition to a standard lawful basis for processing as detailed in section 5.4 of this policy. The following are available lawful basis for processing for special category personal:

a)        Explicit consent

b)        Employment, social security and social protection (if authorised by law)

c)        Vital interests

d)        Not-for-profit bodies

e)        Made public by the data subject

f)          Legal claims or judicial acts

g)        Reasons of substantial public interest (with a basis in law)

h)        Health or social care (with a basis in law)

i)          Public health (with a basis in law)

j)          Archiving, research and statistics (with a basis in law)

5.6      For further information on lawful basis for processing, please see Appendix B of this policy.

Privacy Notice Statement

5.7      A copy of the Privacy Notice Statement will be made available to data subjects, who’s personal information is being processed, within a reasonable period and no longer than 1 month after information has been recorded. This will state the information being processed, the conditions involved, and further information on the rights available to the subject. All WHBC emails contain a privacy notice statement at the bottom, and a copy is available on the website.

5.8      The Council reserves the right to provide notice of processing in correspondence, instead of amending the Privacy Notice Statement, where processing is temporary or for a one-off purpose. Where this is used, the Council will communicate the purpose for processing, what information will be collated, who will have access, for how long information will be stored (or confirm it will be held in line with the Council’s retention schedule), and include a link to the privacy notice statement, where the subject’s rights are highlighted and contact details  provided.

5.9      In certain circumstances, and in line with ICO guidance, the Council reserves the right to not provide a privacy notice statement in the following circumstances:

-           The subject is already aware of the processing and the information contained in the privacy notice statement.

-           Providing a copy of the Privacy Notice Statement would be impossible. This may apply, for example, where no contact information has been provided, or where the provided contact information is no longer accurate or functioning.

-           Providing a copy of the privacy notice statement would involve a disproportionate effort balanced against the impact on the data subject. This could be applicable, for example, if information already held is being transitioned to a new system and it has no identified impact on the data subject.

-           Providing a copy of the privacy notice statement would seriously impair the purpose for processing. This would, for example, be applicable where information has been processed for enforcement activity.

-           The Council is required to process personal information to meet their legal obligations, and they have been provided by or disclosed this information to a third party or through means that do not involve the data subject providing the information directly. This would, for example, be applicable, where information has been processed for enforcement activity or the Police have submitted a personal information request to aid their enforcement activities.

-        Where a relevant exemption within the DPA has been identified and this removes the right to be informed.

Secure processing

5.10   Staff will follow the standards set out in the Data Protection Policy and the Acceptable Use Policy for Information and Communications Technology.

5.11   Where members of the public contact the Council to request personal information, the Council will take the necessary measures to prove the identity of the requester before disclosure or discussion of the personal information. If a third party is representing a data subject, the Council will request proof of consent and proof of identity of the represented data subject. Council officers do not have access to all information held by the organisation and therefore even frequent service users may be asked for proof of identity.

5.12   All requests for personal information from third party bodies should be sent to the dataprotection@welhat.gov.uk with confirmation of the DPA exemption being cited, and any necessary context and justifications (including other legislations where appropriate). The governance team will review the request and determine whether the Council, acting in its capacity as a controller, can disclose the information. Where the Council is acting in its capacity as a processor, it will refer this third party body to the data controller or act in accordance with its agreed contract and/or data sharing agreement.

5.13   Where the Council is required to request personal information from a third party, where a pre-existing data sharing relationship does not exist, they will submit their request to the third party using a Personal Information Request Form. The Governance team should be consulted via dataprotection@welhat.gov.uk when using this form to verify whether the request is compliant with data protection legislation. A member of the governance team will provide their approval once it is confirmed to be compliant. This form is contained in appendix C.

5.14   Where the Council is required to redact personal information in a digital file, Officers will use appropriate software that removes the text and metadata, such as Adobe Acrobat Pro’s redaction feature.

5.15   Where the Council is required to destroy personal information, it will only use appropriate and secure methods. When destroying paper records, staff will use confidential waste disposal bins.

5.16   Where representatives of the Council are processing personal information or in possession of personal information, they will ensure that steps are taken to ensure that it is securely handled, disposed of, and stored when not in use. For example, laptops and mobile devices will be locked and placed in secure locations that are only accessible to the responsible individual where possible.