The General Data Protection Regulation (GDPR)

Temple Cloud with Cameley Parish Council is registered with the Information Commissioner’s Office and recognises its responsibility to comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR).

The General Data Protection Regulation comes into force on the 25th May 2018; this Act supersedes the Data Protection Act 1998. The Act applies to ‘personal data’, which is data relating to a living person who can be identified from that data. ‘Processing data’ means any operation performed on that personal data, such as collection, recording or use. The Parish Council does have data that relates to living individuals and does process data in order to perform its role.

This page explains the General Data Protection Regulation to Councillors, staff and members of the public.

When dealing with personal data, Temple Cloud with Cameley Parish Council staff and Councillors must ensure that:

  • DATA IS PROCESSED FAIRLY AND LAWFULLY
    Staff, Councillors and Volunteers will be open and honest about why information is required.
  • DATA IS PROCESSED FOR SPECIFIED PURPOSES ONLY
  • DATA IS RELEVANT TO WHAT IT IS NEEDED FOR
    Data will be monitored so that too much or too little is not kept; only data that is needed will be held.
  • DATA IS ACCURATE AND KEPT UP TO DATE
    Only accurate personal data will be kept. Inaccurate data will be corrected.
  • DATA IS NOT KEPT LONGER THAN IT IS NEEDED
  • IT IS PROCESSED IN ACCORDANCE WITH THE RIGHTS OF INDIVIDUALS
    Individuals will be informed, upon request, of all the information held about them.
  • IT IS KEPT SECURELY
    Only staff or Councillors will be able to access the data. Data will be stored securely so it cannot be accessed by members of the public.

Information Audit

The type of information the Council holds tends to be limited to name, address, telephone number and email address. More detailed information is held for employees. In the normal course of business, the Parish Council will receive personal data in connection with the following council activities:

  • Administration of Parish Council Meetings
  • Administration of the Village Hall
  • Administration of employment matters
  • Managing Councillor membership
  • Receiving and dealing with correspondence
  • Contractual matters
  • Receiving and processing grant applications
  • Creating Volunteer lists for specific activities
  • Responding to contact made via the Parish Council Facebook page / contact us function on the Parish Council website.

The Clerk is also provided with a copy of the electoral roll with updates through the year. Data Protection associated with the electoral roll is predominately the responsibility of Bath and North East Somerset Council to manage. The Parish Council holds a copy but does not permit any third party to view the document.

Services relating to children – There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the Council requires consent from young people under 13, the Council will obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus will be written in language that they will understand. At present, the Council does not have any services that directly relate to children. The Council’s Social Media presence is set to only accept information from accounts where the account holder is over the age of 13 years.

Sensitive data

The Act requires ‘sensitive data’ to be treated differently. Categories of sensitive data include racial or ethnic origins, political opinions, religious beliefs and health issues. The Parish Council does not collect such data.

Where the Council carries out future village-wide surveys, the responses should be anonymous and questions are not generally asked on a topic that is classified as sensitive.

Storage of data

All Council paper documents are stored in a secure filing cabinet.

All computer records are stored on a password-protected computer with anti-virus software and are not available for members of the public to access.

Once data is not needed anymore, if it is out of date or has served its purpose and falls outside the minimum retention time of the council’s retention policy, it will be shredded or deleted from the computer.

How the data is used

Data will be used only for the purpose for which it has been supplied. Data will not be passed to a third party without the express consent of the data subject. The Council will not share or sell data.

If a Councillor needs to access information to help carry out their duties, they may only access as much information as is necessary for the particular task and it will be used only for that specific purpose. Information will not be released without the prior knowledge or consent of the Parish Clerk. Data will never be used for political reasons unless the data subjects have consented.

Subject access requests

A request for a copy of information held by the Council can be made in writing to the Data Protection Officer (DPO) and a response shall be made within one month as prescribed in the General Data Protection Regulation.

Data eradication request

Individuals have a right to have their personal data erased (sometimes known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected. Data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.

If a request is received to delete information, then the Council’s DPO will respond to this request within one month. The DPO has the delegated authority from the Council to delete information.

If a request is considered to be manifestly unfounded then it may be refused, or a charge may apply. The charge will be as detailed in the Council’s Publication Scheme. The Parish Council will be informed of such requests.

Data Protection Officer

The Data Protection Officer (DPO) role has been contracted to an independent third party / professional service provider. The council have appointed the Local Council Public Advisory Service to undertake this role for 2018.

Data breaches

If a data breach is identified the Information Commissioner’s Office (ICO) will be informed and an investigation will be conducted by the DPO.

Personal data breaches that are identified by the Council or referred to it will be reported to the DPO for investigation. The DPO will conduct an investigation with the support of the Parish Council. Investigations will be undertaken within one month of the report of a breach.

Procedures will be put in place by the DPO to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 72 hours or 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will also notify those concerned directly.

Confidentiality

When complaints or queries are made, they must remain confidential unless the subject gives permission otherwise. Personal data must also remain confidential when it is being handled.

Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice which will inform individuals about what the Council does with their personal information; the Council has adopted this approach.

A privacy notice will also contain the name and contact details of the Parish Council and its Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It will be written clearly and will advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice will be detailed on the Information Audit kept by the Council and these will include: employees, Councillors, hirers of the Village Hall and residents or members of the public who make contact with the Parish Council.

Policy adoption and Review

The policies detailing how the Parish Council manages personal data were approved at the Annual Meeting of the Parish Council which took place on 9th May 2018. Policies will be reviewed annually or when further advice is issued or a need arises.

All Councillors, employees and volunteers are expected to comply with the policies set by the Parish Council to protect privacy, confidentiality and the interests of the Council.

Further Information

Privacy Notices

Policies