General Data Protection Regulation (GDPR)
The law is complex, but there are a number of underlying principles, including that personal data:
- will be processed lawfully, fairly and transparently.
- is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
- collected on a data subject should be “adequate, relevant and limited”, i.e. only the minimum amount of data needed for the specific processing should be kept.
- must be “accurate and, where necessary, kept up to date”.
- should not be stored for longer than is necessary, and that storage is safe and secure.
The GDPR is a Europe-wide law; as public authorities, ALL parish councils come within its remit. The GDPR’s main concepts and principles are very similar to those in the current DPA, and the Information Commissioner’s Office (ICO) will still be the organisation in charge of data protection and privacy issues. Therefore, since we already comply with the DPA, much of what we do will still apply.
CFPC has to appoint a Data Protection Officer (DPO) (as at 27 April 2017, but due to be removed as a requirement by an amendment). The appointed DPO is the Clerk, with technical support from our IT contractor Coleman Bryant.
CFPC is both the Data Controller and Data Processor. (N.B. our cloud provider is also a joint processor of our data.)
(“Data Controller” means a person who (either alone or jointly or in common with other persons [such as a body corporate]) determines the purposes for which and the manner in which any personal data are, or are to be processed. “Data Processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.)
The legal basis for the Parish Council to collect data is ‘Public Task’ – i.e. the processing is necessary for CFPC to perform a task in the public interest or for the council’s official functions, and the task or function has a clear basis in law.
Parish Councillors do not (in law) exist outside of meetings unless they have a delegated authority due to being an official of the council (i.e. Chair/Vice Chair of the council or of a committee under Financial Regulation 4.1). Therefore, parish councillors should not be undertaking any ‘ward work’. If they do, and they collect data, then the GDPR guidance states:
“If individual Councillors are acting as a representative of the residents of their ward (e.g. taking forward complaints made by their local residents) then they would be a data controller in their own right and would not be covered by the local authority’s registration. Therefore, they would need to pay the new fee.”
The Parish Council collects the following information about individuals (with their consent): name, address, telephone number(s) and email address. It does not collect, store or process any information about children.
It processes this data to carry out its public tasks such as administering allotments (and associated waiting lists), tennis court membership/usage, and room/facility lettings.
Most of the data is stored on a single computer (and in the cloud), although invoices and tenancy agreements etc. are also stored in the office in files, with the electoral roll kept in the locked safe. The office is kept locked when not occupied and has security shutters. Desk drawers and filing cabinets are lockable.
The computers and systems are password protected, with separate passwords for access to the cloud storage, and protected by a firewall. The officers’ wired and wireless communications are on a separate clean network, hidden behind the firewall. System security was set up by an expert and is maintained under an annual service contract.
As a general matter the parish council does not share or transport this information, and it doesn’t hold any sensitive data (sexuality, political beliefs etc.). Therefore, a Data Protection Impact Assessment is not required by law.
The GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that individuals should be told what you are going to do with their personal data before you use it and consent to such use;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are used;
(d) accurate and, where necessary, kept up to date. Personal data that is found to be inaccurate should be deleted or corrected without delay. All personal data should be periodically checked to make sure that it remains up to date and relevant;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. For instance, records of pastoral care discussions should not be kept for a number of years without justification. Records could be kept, for instance, if all identification features were removed, referred to as “anonymisation”; and
(f) kept securely. Personal data storage should be safe and secure – in lockable filing cabinets or in password protected computer files. Names and addresses of individuals should not be left unattended.
Individuals who have data collected about them have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
CFPC has to publish a data privacy notice which is reproduced below.
DATA PRIVACY NOTICE
CHANDLER’S FORD PARISH COUNCIL
1. Your personal data – what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. Who are we?
Chandler’s Ford Parish Council (CFPC) is the data controller (contact details below) and data processor. This means it decides how your personal data is processed and for what purposes and undertakes the processing of that data.
3. How do we process your personal data?
CFPC complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes:
• to enable us to provide a service for the benefit of the public in a particular geographical area as defined by the Electoral Commission;
• to administer financial records of the hiring of our chargeable facilities;
• to manage our employees and volunteers;
• to maintain our own accounts and records;
• to inform you of news, events and activities being run by the parish council.
4. What is the legal basis for processing your personal data?
• Public Task is the legal basis of our data handling.
• Processing is necessary for carrying out legal obligations in relation to managing the letting of our facilities or under employment, social security or a collective agreement.
• There is no disclosure to a third party without consent.
5. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other officers of the council in order to carry out a function or for purposes connected with the council. We will only share your data with third parties outside of the parish council with your consent.
6. How long do we keep your personal data?
We keep data in accordance with the requirements of HMRC for invoices, and for as long as required (as a tenant or on the waiting list) for allotments.
Specifically, we retain electoral roll data while it is still current; hiring records and associated paperwork for up to 7 years after the calendar year to which they relate.
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
• The right to request a copy of your personal data which CFPC holds about you;
• The right to request that CFPC corrects any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary for CFPC to retain such data;
• The right to withdraw your consent to the processing at any time;
• The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability), (where applicable) [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means].
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to object to the processing of personal data, (where applicable) [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics]
• The right to lodge a complaint with the Information Commissioner’s Office.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
To exercise all relevant rights, or for queries or complaints, please in the first instance contact the Parish Clerk by email at email@example.com or by telephone on 023 8026 6612.
You can contact the Information Commissioner’s Office on 0303 123 1113, via the email form at https://ico.org.uk/global/contact-us/email/, or by post at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.