Read our policy
Version number: 1.0
Updated: June 2019
This data protection policy sets out Hinckley and Bosworth Borough Council’s approach to handling personal information in accordance with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) and provides a framework for understanding the requirements of the legislation.
In the course of its everyday business, Hinckley & Bosworth Borough Council (“the council”) collects and process relevant personal data regarding members of staff, volunteers, applicants, contractors and customers as part of its operation and to take all reasonable steps to do so in accordance with this policy. This policy applies in all cases where the council is the data controller or a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.
The policy provides an overview of the main obligations for officers and elected members in dealing with personal information so they can comply with the transparency, accountability, data processing, and other principles established under this legislation and the exercise of the individual rights.
2 General statement of the council's duties and scope
The council is committed through its policy, procedures and guidelines and the Data Protection Officer to ensure that its will:
- Comply with both the law and good practice
- Respects individual rights
- Be open and honest with individuals whose data is held
At the heart of the act is the need to protect personal information (otherwise known as personal data) and put additional protection in place for the special categories of sensitive personal data.
Personal data means any data that is considered as personal data under the Data Protection Regulation, specifically information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A data controller is any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data processor is any natural or legal person, public authority, agency or other body which processes personal data on behalf of a data controller.
A data subject is any identified or identifiable natural person from whom personal data is collected.
Processing or processed means every operation or set of operations which is performed with regard to personal data, including without limitation the collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of personal data.
General Data Protection Regulation or GDPR is the UK Data Protection Act 2018 (DPA) and EU General Data Protection Regulation 2018 (GDPR)
Automated decision-making is a decision made without human intervention solely by algorithms, computer analysis or other automatic means.
Personal data breach or breach means any suspected or actual security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
4 Data protection principles
The GDPR places responsibilities on both the council as an organisation, but also on any individuals handling personal data. It is recognised that in the course of their authorised duties most elected members and staff will need to handle and/or process personal information. As a consequence, all elected members and staff should be aware of the data protection principles, which must be complied with at all times.
The GDPR sets out seven key principles:
4.1 Principle 1: Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The council, elected members and staff must tell the data subject what processing will occur. This is known as "transparency", the processing must match the description given to the data subject in order to meet the "fairness" requirement, and it must be for one of the purposes specified in the applicable legislation "lawfulness".
4.2 Principle 2: Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The council, elected members and staff must specify exactly what the personal data collected will be used for and limit the use of the data to the reason for it being collected.
4.3 Principle 3: Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The council, elected members and staff must not store any personal data beyond what is strictly required.
4.4 Principle 4: Accuracy
Personal data shall be accurate and kept up to date. The council, elected members and staff must have in place processes for identifying and addressing out-of-date, incorrect and redundant personal data.
4.5 Principle 5: Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. The council, elected members and staff must, wherever possible, store personal data in a way that limits or prevents identification of the data subject.
4.6 Principle 6: Integrity & confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage. The council, elected members and staff must use appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data is maintained at all times.
4.7 Principle 7: Accountability
Underpinning the above is the principle of accountability. The council shall be responsible for, and be able to demonstrate, compliance. All elected members and staff must demonstrate that the data protection principles, outlined above, are met for all personal data for which they are responsible.
The principles were adopted by the council on 25 May 2018 in order to govern its collection, use, retention, transfer, disclosure and disposal of personal data.
4.8 Sharing data: interpretation of the principles
There is an increasing demand and expectation that personal data will be shared with other public bodies. This often improves efficiency and service delivery within the council. In addition there is also a requirement to share information with other public bodies for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature.
The Information Commissioner has offered the following advice on sharing data between different local authority departments or services, and other public bodies:
- The Information Commissioner's advice is that the first principle must be satisfied, particularly 'personal data shall be processed fairly and lawfully' but local authorities can process data if carrying out of a task in the public interest or in the exercise of official authority. The Information Commissioner does however state that to ensure the fair processing, the data subject should be made aware of any 'non- obvious' purposes for which the information may be used or disclosed
- Equally the Information Commissioner is concerned that in any data sharing, the second principle is properly considered. If data has been collected for a specified purpose, the council should not use that data for another purpose, unless the data subject has given consent, or there is another lawful reason allowing for the data to be used in the proposed manner
It will also be necessary to consider the legislation that supports any council activities that require data sharing. The legal considerations for data sharing are both complex and difficult. There is a requirement to interpret and exercise judgement on the principles of the act in light of the particular circumstances where the information is to be shared with another public body. If service managers have particular issues in this area, they should contact the council's Data Protection Officer.
The council will only share personal data with other organisations and third parties where the sharing is necessary to achieve a clear objective and it is fair and lawful to do so.
Routine sharing of data between organisations for an agreed lawful purpose will be undertaken in accordance legislation or with a signed and formal information sharing agreement.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 provide a number of important safeguards and rights for personal data held about living individuals (natural persons).
These safeguards apply to:
- Personal data held in any organised filing system - the data can be held electronically or automatically processed by a computer or in manually maintained systems, for example case files, card indexes. The conditions of the GDPR apply if specific information about an individual is readily accessible
- Personal data means information which relates to an identified or identifiable living individual, including any opinions about them
- Processing personal data, including obtaining, recording, holding, organising, retrieving, using, disclosing and destroying information
6 Responsibilities of elected members and officers
6.1 Elected members
When members process personal data whilst acting as a representative of residents of their electoral ward and /or whilst representing a political party, they do so independently of the council’s registration with the Information Commissioner. However, where an elected member has access to and processes personal information on behalf of the council, the member does so under the council’s registration and must comply with this policy.
6.2 Chief Executive and directors
The Chief Executive and directors are responsible for implementing safe and sound data protection procedures within their services and the operation of those services and ensuring the proper security of information held. Directors should have regard to The Data Protection Policy, the Information Governance Framework and the Acceptable IT Use Policy when formulating any policies or procedures which make use of personal data.
6.3 Data Protection Officer
The council’s Constitution, through its scheme of delegation, ensures that a named individual has specific operational responsibility for data protection matters corporately. That person is the Data Protection Officer. The Data Protection Officer shall be accountable for:
- Reviewing and making recommendations for Data Protection and related policies
- Advising staff on Data Protection issues and the rules to ensure compliance with data protection laws with the assistance of legal Services as required. The Data Protection Officer shall report to the Chief Executive
6.4 Information Governance Officer
Within the Corporate Team there will be an Information Governance Officer with specific responsibility for data protection compliance and for advising and training on data protection matters. The Information Governance Officer shall report to the Data Protection Officer.
6.5 Senior Information Risk Owner
The Senior Information Risk Owner (SIRO) has overall strategic responsibility for governance in relation to data protection risk. The SIRO:
- Acts as advocate for information risk at the Corporate Leadership Team
- Oversees the reporting and management of information incidents
The SIRO will assist the organisation to consider the information risks associated with its business goals and how those risks will be managed.
The Senior Information Risk Owner for the council is Julie Kenny.
6.6 Information Security Manager
The Information Security Manager is responsible for creating, implementing and maintaining the council’s security policy and procedures to reflect changing local and national requirements. This includes requirements arising from legislation.
6.7 All staff
It is the responsibility of all staff to ensure that their working practices comply with the Data Protection principles and that information held by the council is accurate and up-to-date.
All new staff will receive basic training on the data protection as part of their induction. Managers should ensure all staff for whom the manager is responsible receive appropriate training on the Data Protection legislation, on the application of this policy and on their individual responsibilities.
7 Security of data
7.1 Information access
All staff are responsible for ensuring that personal data which they use or process is kept securely and is not disclosed to any unauthorised person or organisation.
Access to personal data should only be given to those who have and can show a need for access to the data for the purpose of their duties.
All staff and elected members have a responsibility to ensure that any personal data they see or hear is not disclosed to third parties unless there is clear and specific authority to do so. This includes personal data and information extracted from such data, for example, unauthorised disclosure of data might occur by passing information over the telephone, communicating information contained on a computer print-out or by allowing it to be read on a computer screen.
7.2 Acceptable IT use
The Data Protection Officer shall ensure that an acceptable IT use policy is in place that covers all aspects of activity and conduct. This is to ensure:
- Compliance with the council’s obligations in relation to electronically held information
- Such a Policy is kept up to date and drawn to the attention of all staff
All staff and elected members must read and comply with the Acceptable IT Use Policy, which must be signed as read by all staff before access to information containing personal data is permitted. The Acceptable IT Use Policy is permanently accessible on the council’s intranet.
7.3 Hard copy data
Personal data should not be left where it can be accessed by persons not authorised to see it or have access to it.
Procedures shall be put in place by the Director responsible for council buildings and facilities, relating to access to the council’s buildings so as to ensure the security of data. Procedures in regard to access to buildings and particular parts of buildings should be communicated to all staff and members and adhered to by all.
7.4 Data destruction
Personal data which is no longer required must be destroyed appropriately, for example, by shredding or, in the case of computer records, secure deletion. Computers must have all personal information securely deleted using the appropriate software tools. Personal data must be destroyed in accordance with the council’s retention schedule.
7.5 Working from home
Staff working from home must have particular regard to the need to ensure compliance with this policy, the Flexible Working Policy and the Acceptable IT Use Policy. The security and proper processing of data outside offices and usual places of work, and whilst travelling, must be ensured.
7.6 Data breaches
Personal data security breaches will be detected, reported and investigated in accordance with the data breach procedure. All staff must be aware of and follow the data breach procedure available on the council’s intranet and included in induction training for all new members of staff.
Serious breaches where there is a high risk to the rights of the individual must be reported to the Information Commissioner’s Office by the Data Protection Officer within 72 hours.
Staff and elected members must therefore report personal data breaches or potential breaches as soon as possible to the Information Governance Officer. The sooner action is taken; the greater the opportunity there is to limit any potential damage which might be caused by the incident.
The Data Protection Officer will decide whether it is necessary to report the personal data Breach to either the Information Commissioner’s Office, to the affected data subjects, or any involved third parties.
8 Data subjects’ rights
The GDPR contains data subject rights that the council must comply with. The council must respond to these requests within four weeks. The rights are as follows:
8.1 Right of access by the data subjects
Individuals have the right to request to see or receive copies of any information the council holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine readable format. It is a personal criminal offence for any elected member or member of staff employed by the council to delete relevant personal data after a subject access request has been received.
8.2 Right to rectification
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed. The Data Protection Officer is responsible for determining whether personal data is inaccurate before any rectification can be made to personal information held by the council.
8.3 Right to erasure (‘right to be forgotten’)
Individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. The Data Protection Officer is responsible for determining whether personal information held by the council can be legally removed.
8.4 Right to restriction of processing
Individuals have the right to request the restriction or suppression of their personal data. This means that an individual can limit the way that an organisation uses their information. This is an alternative to requesting the erasure of their data. The right to restriction is not an absolute right and only applies in certain circumstances. The Data Protection Officer is responsible for determining whether personal information held by the council can be legally restricted.
8.5 Right to data portability
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
8.6 Right to object
This gives individuals the right to object to the processing of their personal data. This effectively allows individuals to ask the council to stop processing their personal data.
The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing. The Data Protection Officer is responsible for determining whether an objection is valid before any further processing can be conducted using the personal information in question.
8.7 Automated individual decision-making, including profiling
The GDPR restricts the council from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals. If an individual requests that an automated decision be reviewed by a natural person, this is a request under Article 22 of the GDPR and must be relayed to the Data Protection Officer.
9 Conditions and lawfulness of processing information
9.1 Lawfulness of processing
In order to meet the ‘lawfulness’ requirement, processing personal data must meet at least one the following conditions:
- The data subject has given consent
- The processing is required due to a contract
- It is necessary due to a legal obligation
- It is necessary to protect someone’s vital interests (that is, life or death situation)
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- It is necessary for the legitimate interests of the council or a third party
9.2 Processing of special categories of personal data
Special category data is personal data which is deemed more sensitive under GDPR, and so needs more protection. This covers information concerning racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health and sex life and sexual orientation.
For special categories of personal data, at least one of the following conditions must also be met:
- The data subject has given explicit consent
- The processing is necessary for the purposes of employment, social security and social protection law
- The processing is necessary to protect someone’s vital interests
- The processing is carried out by a not-for-profit body
- The processing is manifestly made public by the data subject
- The processing is necessary for legal claims
- The processing is necessary for reasons of substantial public interest
- The processing is necessary for the purposes of medicine, the provision of health or social care or treatment or the management of health or social care systems and services
- The processing is necessary for public health
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to certain safeguards
10 Accountability and governance
10.1 Data subject notification (privacy notices)
Each service area will provide data subjects with information as to the purpose of the processing of their personal data, this is known as a privacy notice.
A mandatory privacy notice should be provided whenever the council is collecting and processing customer personal data.
Privacy notices explain to individual persons the purpose for collecting personal data and should contain the following information:
- The name and contact details of the Controller and Data Protection Officer
- The purpose and legal basis of processing the data
- Retention period for the data collected
- The identity of those with whom the data is shared
- The rights of the individual as in part 7 of this policy
- The existence of automated decision-making, including profiling
The council’s website will contain an over-arching top level corporate privacy notice which will cover processing activities and information rights. In addition to the online ‘privacy notice’ an online ‘cookie notice’ will be available, fulfilling the requirements of applicable law.
Any future changes to the corporate privacy, cookie and task based policies and notices, should be approved by the Data Protection Officer and or the Information Governance Officer, prior to online publication.
All privacy notices should be available in hard copy upon request.
10.2 Data protection by design and default
To ensure that all data protection requirements are identified and addressed when designing new systems and processes, or when reviewing or expanding existing systems or processes, an approval process must be undertaken before continuing. This process is called a data privacy impact assessment (DPIA).
The DPIA process helps identify and minimise the data protection risks of a project. A DPIA must be undertaken where processing information is likely to result in a high risk to individuals, but it is good practice for assessments to be carried out for any other major projects which require the processing of personal data.
A DPIA must:
- Describe the nature, scope, context and purposes of the processing
- Assess necessity, proportionality and compliance measures
- Identify and assess risks to individuals
- Identify any additional measures to mitigate those risks
Where applicable, the Information Technology (ICT) Team will cooperate with the Data Protection Officer and Information Governance Officer to assess the impact of any new technology uses on the security of personal data.
10.3 Records management
Good records management practice plays a pivotal role in ensuring that the council is able to meet its obligations to provide information, and to retain it, in a timely and effective manner in order to meet its legal requirements.
It is necessary to ensure that robust records management practices are in place which are understood and implemented by all staff dealing with records within the council.
It is the responsibility of all staff to ensure that they are familiar with the policies, procedures and schedules relating to records management within the council, including the Records Management Policy. All records should be retained and disposed of in accordance with the council’s retention schedules.
10.4 Compliance monitoring
To confirm that an adequate level of compliance is being achieved by services/departments in relation to this policy, the council will carry out regular data audits of service areas. Each audit will, as a minimum, assess compliance with Policy in relation to the protection of personal data, including:
- The assignment of responsibilities
- Raising awareness
- Training of employees
- The effectiveness of data protection related operational practices
- Personal data transfers
- Data Breach management
- Personal data complaints handling
- The level of understanding of data protection policies and privacy notices
- The currency of data protection policies and privacy notices
- The accuracy of personal data being stored
The audit will include the development of any remedial action plans and will be implemented by the service manager of the affected service area.
The risks of not ensuring adequate data protection compliance could be; incurring of monetary penalties if a breach of the Data Protection Act occurs; complaints from the community if their privacy rights are violated and loss of reputation through a lack of trust by the community in handling confidential information.
The corporate risk register monitors the requirement to ensure all staff are fully aware and trained in GDPR compliance. All service areas have risk registers which will include any specific data protection risks and actions taken to mitigate them.
The use of a customer’s information should always be considered from their perspective and whether the use will be within their expectations.
The council will process personal data in accordance with all applicable laws and applicable contractual obligations. More specifically, the council will not process personal data unless the requirements of this policy are met. The Information Governance Officer is responsible for the monitoring, revision and updating of this document on a three yearly basis or sooner if the need arises.
The first point of contact for data protection complaints will be required to be addressed to the data Protection Officer and sent to:
Hinckley & Bosworth Borough Council
Rugby Road, Hinckley
Under DPA the data subject has a specific right to complain to the ICO if they feel the council is not processing their data lawfully. Complaints can be sent to:
Information Commissioner’s Office
Alternatively visit the ICO website (ico.org.uk) or contact them on 03031231113.
Last updated: 11/11/2020 12:45