Data Protection Policy
Organisational Accountability
6.1 The Council will take measures to ensure that there is accountability when processing personal information in line with legislation and ICO guidance.
6.2 The Council is a registered fee payer with the ICO and renews this registration annually. The Council’s ICO registration is Z5912220. Additionally, the Council’s electoral registration officer and returning officer are registered with the ICO under Z6813548.
6.3 Where personal information is processed routinely, it will be recorded in the Council’s Register of Processing Activity (ROPA). This will contain details including, but not limited to: the responsible team, the type of personal information being processed, the purpose for processing, the lawful basis for processing, whether a DPIA/PIA exists and its reference number, retention periods, and whether any third parties are involved or processing on the Council’s behalf. A copy of the ROPA will be published alongside the Privacy Notice Statement.
6.4 Please see the Council’s Personal Information Risk Assessment Procedure for details on how the Council assesses the risks associated with processing personal information and how best to mitigate any identified risks using a data protection impact assessment or a privacy impact assessment.
6.5 Where the Council and a third party intend to develop a data sharing relationship, the Council will either create and agree a data sharing agreement or have a contract in place that specifies what information is being shared, what responsibilities both parties have, how long information will be held, and what steps have been taken to process information securely.
6.6 In circumstances where a suspected data breach has been reported to the Governance team via dataprotection@welhat.gov.uk, an assessment will be conducted to confirm whether a breach has occurred. If a breach has occurred, a Data Breach Assessment form will be completed. The details of all suspected data breaches will be recorded in the Data Breach Register. Further information can be found in the Data Breach Procedure.
6.7 Council staff undergo mandatory annual data protection training. If a need to retake the mandatory training has been identified, such as in the event of a data breach, Council staff may be required to undertake the training again before 1 year has passed, and will still be required to retake the training at the year mark.