Data Protection Policy

Policy effective from: 11 September 2023

Date for next review: October 2024


Purpose
Definitions
Data protection principles
Processing
Individual rights
Data security
[Training]


Purpose

The council is committed to being transparent about how it collects and uses the personal data of staff, and to meeting our data protection obligations. This policy sets out the council's commitment to data protection, and your rights and obligations in relation to personal data in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).

This policy applies to the personal data of current and former job applicants, employees, workers, contractors, and former employees, referred to as HR-related personal data. This policy does not apply to the personal data relating to members of the public or other personal data processed for council business.

The council has appointed [name and job title] as the person with responsibility for data protection compliance within the council. Questions about this policy, or requests for further information, should be directed to them.

Definitions

"Personal data" is any information that relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information. It includes both automated personal data and manual filing systems where personal data are accessible according to specific criteria. It does not include anonymised data.

“Processing” is any use that is made of data, including collecting, recording, organising, consulting, storing, amending, disclosing or destroying it.

"Special categories of personal data" means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic or biometric data as well as criminal convictions and offences.

"Criminal records data" means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.

Data protection principles

The council processes HR-related personal data in accordance with the following data protection principles the council:

•   processes personal data lawfully, fairly and in a transparent manner
•   collects personal data only for specified, explicit and legitimate purposes
•   processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
•   keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay
•   keeps personal data only for the period necessary for processing
•   adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage

The council will tell you of the personal data it processes, the reasons for processing your personal data, how we use such data, how long we retain the data, and the legal basis for processing in our privacy notices.

The council will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it. The council will not process your personal data if it does not have a legal basis for processing.

The council keeps a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Processing 

Personal data

The council will process your personal data (that is not classed as special categories of personal data) for one or more of the following reasons:
•   it is necessary for the performance of a contract, e.g., your contract of employment (or services); and/or
•   it is necessary to comply with any legal obligation; and/or
•   it is necessary for the council’s legitimate interests (or for the legitimate interests of a third party), unless there is a good reason to protect your personal data which overrides those legitimate interests; and/or
•   it is necessary to protect the vital interests of a data subject or another person; and/or
•   it is necessary for the performance if a task carried out in the public interest or in the exercise of official authority vested in the controller.

If the council processes your personal data (excluding special categories of personal data) in line with one of the above bases, it does not require your consent. Otherwise, the council is required to gain your consent to process your personal data. If the council asks for your consent to process personal data, then we will explain the reason for the request. You do not need to consent or can withdraw consent later.

The council will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.

Personal data gathered during the employment is held in your personnel file in hard copy and electronic format on HR and IT systems and servers. The periods for which the council holds your HR-related personal data are contained in our privacy notices to individuals.

Sometimes the council will share your personal data with contractors and agents to carry out our obligations under a contract with the individual or for our legitimate interests. We require those individuals or companies to keep your personal data confidential and secure and to protect it in accordance with Data Protection law and our policies. They are only permitted to process that data for the lawful purpose for which it has been shared and in accordance with our instructions.

The council will update HR-related personal data promptly if you advise that your information has changed or is inaccurate. You may be required to provide documentary evidence in some circumstances.

The council keeps a record of our processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Special categories of data

The council will only process special categories of your personal data (see above) on the following basis in accordance with legislation:

•   where it is necessary for carrying out rights and obligations under employment law or a collective agreement;
•   where it is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent;
•   where you have made the data public;
•   where it is necessary for the establishment, exercise or defence of legal claims;
•   where it is necessary for the purposes of occupational medicine or for the assessment of your working capacity;
•   where it is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates to only members or former members provided there is no disclosure to a third party without consent;
•   where it is necessary for reasons for substantial public interest on the basis of law which is proportionate to the aim pursued and which contains appropriate safeguards;
•   where is it necessary for reasons of public interest in the area of public health; and
•   where is it necessary for archiving purposes in the public interest or scientific and historical research purposes.

If the council processes special categories of your personal data in line with one of the above bases, it does not require your consent. In other cases, the council is required to gain your consent to process your special categories of personal data. If the council asks for your consent to process a special category of personal data, then we will explain the reason for the request. You do not have to consent or can withdraw consent later.

Individual rights

As a data subject, you have a number of rights in relation to your personal data.

Subject access requests

You have the right to make a subject access request. If you make a subject access request, the council will tell you:

•   whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from yourself;
•   to whom your data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
•   for how long your personal data is stored (or how that period is decided);
•   your rights to rectification or erasure of data, or to restrict or object to processing;
•   your right to complain to the Information Commissioner if you think the council has failed to comply with your data protection rights; and
•   whether or not the council carries out automated decision-making and the logic involved in any such decision-making.

The council will also provide you with a copy of your personal data undergoing processing. This will normally be in electronic form if you have made a request electronically, unless you agree otherwise.

If you want additional copies, the council may charge a fee, which will be based on the administrative cost to the council of providing the additional copies.

To make a subject access request, you should send the request to the Clerk or Chairman of the Council. In some cases, the council may need to ask for proof of identification before the request can be processed. The council will inform you if we need to verify your identity and the documents we require.

The council will normally respond to a request within a period of one month from the date it is received.  Where the council processes large amounts of your data, this may not be possible within one month. The council will write to you within one month of receiving the original request to tell you if this is the case.

If a subject access request is manifestly unfounded or excessive, the council is not obliged to comply with it. Alternatively, the council can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the council has already responded. If you submit a request that is unfounded or excessive, the council will notify you that this is the case and whether or not we will respond to it.

Other rights

You have a number of other rights in relation to your personal data. You can require the council to:

•   rectify inaccurate data;
•   stop processing or erase data that is no longer necessary for the purposes of processing;
•   stop processing or erase data if your interests override the council's legitimate grounds for processing data (where the council relies on our legitimate interests as a reason for processing data);
•   stop processing or erase data if processing is unlawful; and
•   stop processing data for a period if data is inaccurate or if there is a dispute about whether or not your interests override the council's legitimate grounds for processing data.
•   complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk).

To ask the council to take any of these steps, you should send the request to the Clerk or Chairman of the Council.

Data security

The council takes the security of HR-related personal data seriously. The council has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.

Where the council engages third parties to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

[Impact assessments

Some of the processing that the council carries out may result in risks to privacy (such as monitoring of public areas via CCTV). Where processing would result in a high risk to your rights and freedoms, the council will carry out a data protection impact assessment (DPIA) to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for yourself and the measures that can be put in place to mitigate those risks.]

Data breaches

The council have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur the council must take notes and keep evidence of that breach.

If you are aware of a data breach you must contact the Clerk or Chairman of the Council immediately and keep any evidence, you have in relation to the breach.

If the council discovers that there has been a breach of HR-related personal data that poses a risk to the rights and freedoms of yourself, we will report it to the Information Commissioner within 72 hours of discovery. The council will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will tell you that there has been a breach and provide you with information about its likely consequences and the mitigation measures we have taken.

International data transfers

The council will not transfer HR-related personal data to countries outside the EEA.

Individual responsibilities

You are responsible for helping the council keep your personal data up to date. You should let the council know if data provided to the council changes, for example if you move to a new house or change your bank details.

Everyone who works for, or on behalf of, the council has some responsibility for ensuring data is collected, stored and handled appropriately, in line with the council’s policies.

You may have access to the personal data of other individuals and of members of the public in the course of your work with the council. Where this is the case, the council relies on you to help meet our data protection obligations to staff and members of the public.  Individuals who have access to personal data are required:

•   to access only data that you have authority to access and only for authorised purposes;
•   not to disclose data except to individuals (whether inside or outside the council) who have appropriate authorisation;
•   to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, locking computer screens when away from desk, and secure file storage and destruction including locking drawers and cabinets, not leaving documents on desk whilst unattended);
•   not to remove personal data, or devices containing or that can be used to access personal data, from the council's premises without prior authorisation and without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
•   not to store personal data on local drives or on personal devices that are used for work purposes.
•   to never transfer personal data outside the European Economic Area except in compliance with the law and with express authorisation from the Clerk or Chair of the Council 
•   to ask for help from the council’s data protection lead if unsure about data protection or if you notice a potential breach or any areas of data protection or security that can be improved upon. 

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the council's disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing personal data without authorisation or a legitimate reason to do so or concealing or destroying personal data as part of a subject access request, may constitute gross misconduct and could lead to dismissal without notice.

[Training

The council provides training to all individuals about their data protection responsibilities.

If your roles require you to have regular access to personal data, or you are responsible for implementing this policy or responding to subject access requests under this policy, you will receive additional training to help you understand your duties and how to comply with them.]

This is a non-contractual policy and procedure which will be reviewed from time to time.


This is an example policy that should be adjusted to reflect the procedures and policy of the council.  

1.   Data audit

It is important that the council’s policy reflects current practice.  Any policy must be based on a data audit to ensure that the council understands what data is collected, where it is stored, who has access to the data and the measures taken to ensure it is secure.  For more information on implementing a Data Protection Policy, please refer to the Information Commissioner website.

2.   Relevance

The council must ensure that any commitment made in their policy is relevant and up-to-date. 

3.   Data Protection Officer

The policy assumes that the council has a Data Protection lead rather than appointed a Data Protection Officer (DPO). The role of DPO is set out in legislation and infers specific obligations. Parish councils in England and community councils in Wales and Scotland are exempt from having to appoint a DPO (https://ico.org.uk/for-organisations/in-your-sector/local-government/local-gov-gdpr-faqs/) but are still subject to data protection legislation and must ensure sufficient resources to meet the obligations under the GDPR.

4.   Data storage within the EU

You need to take account of where your data is stored including servers, on the cloud, and where your suppliers might hold their data including on their server.

Guidance

Where there is text in [square brackets] this part may be updated or be deleted if not relevant. An alternative option may have been provided.

Important notice

This is an example of an employment policy designed for a small council adhering to statutory minimum requirements and does not constitute legal advice. As with all policies it should be consistent with your terms and conditions of employment.

This document was commissioned by the National Association of Local Councils (NALC) in 2019 for the purpose of its member councils and county associations. Every effort has been made to ensure that the contents of this document are correct at time of publication. NALC cannot accept responsibility for errors, omissions and changes to information subsequent to publication.

This document has been written by the HR Services Partnership – a company that provides HR advice and guidance to town and parish councils. Please contact them on 01403 240 205 for information about their services.