This policy applies to all employees, elected members, and the council's business partners.
The Data Protection Act 1998 (the Act) established a legal framework to regulate the processing of personal data and information regardless of the media upon which the data or information is processed. The regulatory framework comprises eight principles, all of which must be complied with to legitimise the processing of the personal data or information.
Processing means doing something (e.g. using, moving, merging, deleting) and includes doing nothing (e.g. storing) with the personal data or information. Personal data processing must not commence unless a condition in Schedule 2 is satisfied. Processing of sensitive personal information must not commence unless a condition in Schedule 3 is also satisfied.
In our planning to process personal information we must pay due regard to data subjects' rights. These include (but are not limited to) advising them of the purposes for which we collect their information and their right to have access to it. Personal data or information is that which identifies a living individual or, when taken together with any other information in our possession, or likely to come into our possession, allows a living individual to be identified. Because of this latter point, virtually all people-related information processed by the council is caught by the Act.
Each business unit manager is responsible for their business unit's compliance with this policy and the Act. Staff must receive adequate training to enable them to function within the legal framework. To organise training refer to Human Resources.
Any processing performed by a third party on behalf of the council must only be done in compliance with this policy. The responsibility and liability for any processing undertaken by a third party rests with the council. Under no circumstances should third parties be engaged to deliver services (no matter how trivial) involving personal data or information until and unless suitable data protection clauses are included in the contract covering the work. Business unit managers are responsible for ensuring that such agreements are in place prior to any processing beginning. Assistance is available from the council's Data Protection Officer.
The Act makes provision for data subjects (living individuals) to obtain access to the information we hold about them. Such requests are known as Subject Access Requests. In accordance with the provisions of the Act, we charge £10 for these. The Act allows 40 calendar days to process such requests. Upon receipt of a request the Data Protection Officer must be informed without undue delay.
Data protection matters can be closely linked and therefore have the potential to be confused with, or by, our Freedom of Information Act 2000 obligations. When dealing with information requests that include both personal and non-personal information, our Freedom of Information Policy must also be complied with. Under such circumstances the council's Information Management Officer must be consulted.
Failure to comply with this policy may lead to disciplinary action.