Information and Data Protection Policy
Date Change Made
Changes Made By (initial)
Approved at MTC 10 11 15 Agenda Item 8.5
Reviewed at MTC 19.3.2018 Agenda item 17.4
Updated for GDPR
Reviewed at MTC 7.10.2019
Agenda Item 11.7
Replaced references from EU GDPR to Data Protection Act 2018/UK GDPR as approved at Full Council 06/12/21
Reviewed and updated for FC 13/06/2022
Minor grammar and numbering changes and insertion of 3.4.8
1.1 The purpose of this policy is to ensure that information used to deliver Macclesfield Town Council’s services is treated with appropriate security by Councillors, Officers and agency staff.
1.2 The processing of personal data is essential to many of the services and functions carried out by local authorities. Macclesfield Town Council recognises that compliance with data protection legislation (Data Protection Act 2018/UK GDPR) will ensure that such processing is carried out fairly, lawfully and transparently.
1.3 This Policy is linked to the Council’s Quality Policy, which will ensure information considerations are central to the ethos of the organisation, and to the Council’s ICT Policy.
2.1 The purpose of this policy is to ensure that the provisions of the UK GDPR and Data Protection Act 2018 are adhered to whilst protecting the rights and privacy of living individuals; ensuring their personal data is not processed without their knowledge.
2.2 This policy applies to the collection, use, sharing and other processing of all personal data held by the Council, in any format including paper, electronic, audio and visual.
2.3 In particular, this policy will:
- Assist the Council to comply with all requirements of the UK GDPR and Data Protection Act 2018,
- Ensure that personal data is readily available on request and that requests from data subjects are dealt with in a timely manner
- Ensure adequate consideration is given to whether or not personal information should be disclosed.
- Document the rights of data subjects in respect of their personal data.
2.4 In addition, the Council will promote openness, provide increased transparency of data processing and build public trust and confidence in the way that the councils manage information.
3. Data protection
This section applies to the processing of personal data.
3.1.1 The Council will comply with the principles relating to the processing of personal data set out in the UK GDPR by putting in place processes to ensure that personal data is:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. (Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes)(‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; (personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of the data subject)(‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
3.1.2 The Council shall be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).
3.2 Personal data processed by the Council
3.2.1 The Council processes personal data for many reasons, including in relation to the services it provides and in its role as an employer. In most instances the Council will be the data controller (usually alone, but sometimes jointly) in respect of the personal data it processes (i.e. it will determine the purpose and means of the processing). On occasion it may act as a data processor on behalf of another data controller.
3.2.2 Whether acting as a data controller in its own right, or on another’s behalf as data processor, the Council will maintain a record of its processing activities and make this available to the Office of the Information Commissioner (‘ICO’) upon request. Information concerning the processing of personal data, in respect of which the Council is a data controller, will be communicated by the Council to data subjects by means of appropriate privacy notices.
3.3.1 The Council will ensure that its processing of all personal data fulfils the appropriate general conditions for processing outlined in the UK GDPR.
3.3.2 Where a ‘special category’ of personal data is processed (this includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of identifying an individual, physical or mental health, sex life or sexual orientation), the Council will ensure that one of the additional conditions set out in relation to special category personal data in the UK GDPR is also met, along with any further requirements regarding the processing of sensitive personal data set out in other data protection legislation.
3.4 Individuals’ rights
3.4.1 Subject to some legal exceptions, individuals have the rights set out below:
- The right to be provided with specified information about the Council’s processing of their personal data (‘the right to be informed’).
- The right to access their personal data and certain supplementary information (‘the right of access’).
- The right to have their personal data rectified, if it is inaccurate or incomplete (‘the right of rectification’).
- The right to have, in certain circumstances, their personal data deleted or removed (‘the right of erasure’, sometimes knowns as ‘the right to be forgotten’).
- The right, in certain circumstances, to restrict the processing of their personal data (‘the right to restrict processing’).
- The right, in certain circumstances, to move personal data the individual has provided to the Council to another organisation (‘the right of data portability’).
- The right, in certain circumstances, to object to the processing of their personal data and, potentially, require the Council to stop processing that data (‘the right to object’).
- The right, in relevant circumstances, to not be subject to decision-making based solely on automated processing (‘Rights related to automated decision making, including profiling’).
3.4.2 In relation to ‘the right to be informed’ in general the Council will provide the data subject with the privacy notice information, at the time the personal data is collected.
3.4.3 It is to be noted that there are limited specified circumstances in which the right to be informed will not apply.
3.4.4 Where an individual exercises one of the other rights listed above, the Council will respond without undue delay and in any event within one calendar month, subject to the following two exceptions:
- Where further time is necessary, taking into account the complexity and the number of the request(s) from the data subject, the period for responding will be extended by up to two further calendar months. Where such an extension is required the Council will notify the data subject that this is the case within one calendar month of receiving their request.
- Where the request(s) from a data subject are manifestly unfounded or excessive (in particular because of their repetitive character) the Council will ordinarily refuse the request(s). In exceptional cases the Council may instead exercise its alternative right in such circumstances to charge a reasonable fee that takes into account the administrative cost of complying with the request.
3.4.5 The Council recognises the fundamental nature of the individual rights provided by data protection legislation. The Council will ensure that all valid requests from individuals to exercise those rights are dealt with as quickly as possible and by no later than the timescales allowed in the legislation.
3.4.6 To minimise delays, and to help ensure that the Council properly understands the request being made, all requests from data subjects to exercise data subject rights should preferably be made in writing. Ideally, a written request should be made by email to firstname.lastname@example.org.
3.4.7 Additionally, all requests from data subjects to exercise their data subject rights must:
- Be accompanied by, where necessary, proof of the identity of the data subject and, where applicable, the written authorisation of the data subject (if the request is being made on their behalf by a legal or lawfully appointed representative or authorised agent).
- Specify clearly and simply how the data subject wishes to exercise their rights – this does not mean that an individual needs to refer specifically to a particular right by name or legislative provision (for example, “I would like a copy of my employee file” is sufficiently clear to indicate that the right of access is being engaged).
- Give adequate information to enable the Council to determine whether the right is engaged and to comply (subject to any exemption(s)) if it is.
- Make it clear where the response should be sent.
- Where relevant specify the preferred format in which any information disclosed to the data subject should be provided in.
3.4.8. For information on Subject Access Requests (SAR’s), refer to the Council’s Subject Access Request Policy
3.4.9. Data Protection Law allows exemptions from complying with data subject rights in specific and limited circumstances. The Council will normally apply the exemptions where they are engaged, unless it is satisfied that it is appropriate or reasonable not to do so.
3.4.10. If a data subject exercising one or more of their data subject rights is dissatisfied with the response received from the Council, they may ask for the matter to be dealt with under the Council’s complaints procedure.
3.4.11. A data subject also has the right to complain to the ICO if they believe that there has been an infringement by the Council of data protection legislation in relation to the data subject’s personal data. A data subject may also pursue a legal remedy via the courts.
3.4.12. Further information on the rights of data subjects is available from the ICO’s website.
3.5 Further legal requirements
3.5.1 The Council may be required to disclose personal data to a person or organisation other than the data subject by virtue of a court order, or to comply with other legal requirements, including those relating to the prevention or detection of crime or the apprehension/prosecution of an offender.
3.5.2 The Council may also, in appropriate circumstances, make discretionary disclosures of personal data to a person or organisation other than the data subject where it is permitted to do so by law. When deciding whether to exercise its discretion to disclose personal data in such circumstances the Council will always give proper consideration to the data subject’s interests and their right to privacy.
3.5.3 External agencies, companies or individuals undertaking processing of personal data on behalf of the Council (“data processors”) must be required to demonstrate, via a written contractual agreement, that personal data belonging to the Council will be handled in compliance with data protection legislation and that appropriate technical and organisational security measures are in place to ensure this. Any contractual agreement between the Council and a data processor will contain all the elements specified in the UK GDPR.
3.5.4 Any sharing of Council-controlled personal data with other data controllers must comply with all statutory requirements. Where appropriate the Council will enter into a data sharing agreement before sharing personal data with another data controller, particularly where personal data is to be shared on a large scale and/or regularly. Any data sharing agreements entered into by the Council will be reviewed regularly.
3.5.5 The Council reserves the right to monitor telephone calls, e-mail and internet access in compliance with relevant legislation. This will be handled in line with guidance issued by the ICO.
3.6 Data security
3.6.1 The Council will process personal data in accordance with its ICT Policy(and other related Policies and Procedures). In order to ensure the security of personal data, the Council has appropriate physical, technical and organisational measures in place.
3.7.1 The Council recognises that data protection training is crucial so that all staff understand their responsibilities relating to data protection and the use of personal data. Failure to comply with data protection legislation could lead to serious consequences, and in some cases may result in significant fines or criminal prosecution.
3.7.2 It is the Council’s policy that all staff are required to complete the applicable data protection training course at least once every two years. The Council will monitor completion rates of data protection courses to ensure that all staff are appropriately trained.
3.8 Privacy by design and by default
3.8.1 The Council’s approach to compliance with data protection legislation will be underpinned by the principles of privacy by design and privacy by default.
3.8.2 ‘Privacy by design’means that Council will take into account privacy issues from the very outset of planning for an activity that might involve the processing of personal data. When undertaking a new activity, privacy considerations will be embedded throughout.
3.8.3 ‘Privacy by default’means that the Council will ensure that only personal data that is necessary for a specific purpose is processed. The Council will not collect more personal data than is needed for the purposes concerned, process it more than is necessary or store it longer than is needed.
3.9 Our commitment to data protection
3.9.1 The Council has appointed a Data Protection Officer (DPO). The DPO’s responsibilities include:
- Informing and advising the Council and its staff about their obligations to comply with data protection legislation.
- Monitoring compliance with data protection legislation, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Co-operating with and acting as the first point of contact for the ICO.
3.9.2 The Council will ensure that:
- The DPO operates independently and is not dismissed or penalised for performing their task.
3.9.3 The Council will ensure that individuals handling personal data will be trained to an appropriate level in the use and control of personal data.
3.9.4 The Council will ensure that all staff handling personal data know when and how to report any actual or suspected data breach, and that appropriately trained staff manage any breach correctly, lawfully and in a timely manner. Breaches will be reported to the ICO where such reporting is mandatory or otherwise appropriate and shall be done within the required timescales.
3.9.5 The Council will monitor and review its processing activities to ensure these are compliant with data protection legislation.
3.9.6 The Council will ensure that where there is any new or altered processing of personal data it will take appropriate steps (including where necessary a data protection impact assessment) to identify and assess the impact on data subjects’ privacy as a result of the processing of their personal data. The Council will also ensure that appropriate privacy notices are maintained to inform data subjects of how their data will be used and to provide other mandatory or relevant information.
3.9.7 The Council will review and supplement this policy to ensure it remains consistent with the law, and any compliance advice and codes of practice issued from time to time by the ICO.
3.10 Disciplinary action and criminal offences
3.10.1 Serious breaches by staff of this policy caused by deliberate, negligent or reckless behaviour could result in disciplinary action including dismissal and may even give rise to criminal offences.
4. Making Information Available
4.1 The Council is very open about its operations and works closely with public, community and voluntary organisations. Therefore, in the case of all information which is not personal or confidential, it will be prepared to make it available to partners and members of the Town’s communities.
4.2 Details of information which is available is contained in the Council’s Publication Scheme which is based on the statutory model publication scheme for local councils.
4.3 For reference the points below define the use of record:
- Record: papers, files, books, photographs, tapes, films, recordings or other documentary materials or any copies thereof, regardless of physical form, made, produced, executed or received by any employee in connection with the transaction of the Council’s business.
- Electronic record: any record which is created, received, maintained or stored on local workstations or central servers. Examples include, but are not limited to: email, word processing documents, spreadsheets and databases – including but not limited to file records, investigation reports, financial accounting records and payroll records.
- Official Records: are records maintained but not limited to Accounts (all financial records, VAT records, payroll records, bank accounts etc), electronic records, HR records (personnel records, insurance records etc) and Council Operation records (minutes, correspondence etc).
4.1 Information Availability
4.1.1 The Publication Scheme is a means by which the Council can make a significant amount of information available routinely, without waiting for someone to specifically request it. The scheme is intended to encourage local people to take an interest in the work of the Council and its role within the community.
4.1.2 In accordance with the provisions of the Freedom of Information Act 2000, this scheme specifies the classes of information which the Council publishes or intends to publish.
4.1.3 The aim is to make it easier for the public to access information.
4.1.3 The Council is willing to make special arrangements on request for persons who do not have English as their first language or those with hearing or sight difficulties.
4.2 Meeting notices
4.2.1 All formal meetings of Council and its committees are subject to statutory notice being given on notice boards and put on the website.
4.2.2 Meeting agendas will be published on the website, and if requested emailed by the Clerk to members of the public.
4.2.3 The Council publishes an annual programme in May each year.
4.2.4 All formal meetings, with the exception of the Personnel Committee, are open to the public and press and reports to those meetings and relevant background papers are available for the public to see. The Council welcomes public participation and has a public question session on each Council meeting.
4.3 Matters of confidentiality
4.3.1 Occasionally, Council or committees may need to consider matters in private. Examples of this are matters involving personal details of staff, or a particular member of the public, or where details of commercial sensitivity are to be discussed. This will only happen after a formal resolution has been passed to exclude the press and public and reasons for the decision are stated. Minutes from all formal meetings, including the confidential parts are public documents.
5. Data Retention
5.1 The Council will ensure that necessary records and documents are adequately protected and maintained and ensure that records which are no longer needed or of no value are discarded/destroyed at the appropriate time.
5.2 For further information, refer to the council’s Retention Policy.