DATA PROTECTION POLICY

Transcription

1 DATA PROTECTION POLICY

2 DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary of approval, by Information Management Services Scope/Applicable to All elected members, employees and agents acting for and on behalf of Blaby District Council Introduction The Data Protection Act 1998 ( the Act ) established a framework of rights and duties designed to safeguard personal data. It balances the legitimate needs of organisations to collect and use personal data against the individuals right to respect for the privacy of their personal details. In order to provide services and adhere to legislative requirements the Council collects and processes personal information. The maintenance of individual privacy and the lawful and secure processing of personal data is important to the Council and it is fully committed to compliance with the Act. Blaby District Council is registered as a Data Controller with the Information Commissioner s Office and it is therefore the responsibility of every elected member, employee and agent of the Council to comply with the legislative obligations placed on the organisation by the Act and treat the personal data collected and processed with due care and respect. Blaby District Council requires its partners and contractors acting on its behalf to comply with the Act when providing services to, for and on behalf of Blaby District Council and when sharing information with Council it is the responsibility of agents of the Council liaising with these third parties to ensure that the necessary procedures are in place to maintain compliance with the Act.

3 Policy Statement The purpose of this policy is to ensure that all elected members, employees and agents acting for and on behalf of the Council are aware of their obligations and responsibilities with regards to the collection and processing of personal data under the provisions of the Data Protection Act 1998 and that it is the intention of the Council to comply with all aspects and requirements of the Act. The Council is committed to: Ensuring compliance with the provisions of the Act and the eight principles as detailed below. Ensuring all members, employees, etc. are aware of their responsibilities and consequences with respect to non compliance with this policy or breaches of the Data Protection Act Maintaining and updating the registration with the Information Commissioner s Office as appropriate. Providing ongoing data protection training and awareness programmes for all members, employees and agents of the Council in order to maintain high standards of data protection. Ensuring ongoing monitoring is undertaken to ensure compliance with this policy and the Data Protection Act Data Protection Principles 1) Personal data shall be processed fairly and lawfully Blaby District Council will be open and transparent with regard to the processing of personal data and will ensure that individuals whose personal information is held by the Council are aware, as far as is reasonably practicable, as to the reasons for the collection and use of the data, and are not misled in this regard. Assumptions regarding consent, intended use and disclosure must not be made. There are strict conditions within Schedules 2 and 3 of the Act that cover the processing of personal data which must be adhered to. Blaby District Council will not process personal data in any way that would breach the Act or contravene the notified purposes registered with the Information Commissioner s Office. 2) Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes Personal data collected from individuals should only be used for the purpose for which it has been collected, unless the data subject has been advised otherwise or they have given their consent. All reasonable steps 3

4 will be taken to ensure individuals are aware of how the personal data they provide will be used. Individuals are also entitled to know how the information is stored and disclosed. To this end service areas are required to provide fair processing notices on all forms and provide this notice verbally if the personal information is received by telephone. Fair processing notices inform individuals who we are, what we are going to do with their information and who it will be shared with. 3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed Personal data collected will be adequate for the purposes for which it is collected and additional or excessive information will not be collected. Only the information which is necessary to provide the service or comply with a statutory duty should be collected. Excessive information must be deleted. Information which becomes irrelevant over time must be treated as excessive and deleted. 4) Personal data shall be accurate and, where necessary, kept up to date Steps should be taken, as far as is reasonably practicable; to ensure that the personal data held is accurate and up to date. 5) Personal data shall not be kept for longer than is necessary Personal information should be held in accordance with the Council s approved Retention and Disposal Schedule, which is available on the Council s intranet, and measures put in place to ensure the correct retention periods are adhered to. Where long term storage of personal details is necessary this should be done in accordance with the Act and where possible records should be anonymised to reduce risks to the Council. The retention period for keeping the personal information must be decided before the information is collected. 6) Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act If the data collected will be processed by an automated decision making procedure e.g. where a score based decision is made by a software programme, the data subject has the right to know how the process works and their rights of appeal against the decision/s. The Council will respect the rights of data subjects and provide access to their information when requested. Access to information is covered in a separate policy. 4

5 7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data Blaby District Council has implemented appropriate physical and electronic security measures and these will be reviewed regularly and updated as necessary. Physical security measures include locked cabinets, offices and facilities. Electronic security measures include passwords, electronic audit facilities and encrypted mobile devices. 8) Personal data shall not be transferred to a country or territory outside the European Economic Area etc. Accountability and Responsibilities All elected members, employees and agents acting for and on behalf of Blaby District Council All individuals should take personal responsibility for ensuring that personal data that they collect and process is done so in accordance with the Data Protection Act 1998 and this policy. All due care and attention should be taken to ensure that the privacy of the data subject is maintained this must be treated as a matter of priority. Managers It is the responsibility of all line managers to ensure that this policy and any associated procedures are implemented in their service area. They should ensure team members have read and agreed to abide by the policy and are aware of the Data Protection Act Training needs should be identified and training arranged as necessary. This responsibility extends to ensuring the importance of protecting personal data is prioritised in partnership working and data sharing arrangements. Should it be necessary to share information with other organisations under the provisions of Section 29 of the Act the necessary forms should be completed and safeguards put in place to protect the data. If the purposes for which the data is processed change, managers should liaise with Information Management Services to update the registration with the Information Commissioner s Office (see below). Registration with the Information Commissioner s Office Blaby District Council is registered with the Information Commissioner s Office as a Data Controller. 5

6 This registration provides the Information Commissioner s Office with details about the purposes for which the Council processes personal information and the types of personal data collected. The registration is renewed annually in August and the Council will review and update it as required. Training and Awareness The Council is committed to providing ongoing training and awareness programmes, making use of available software systems such as NETconsent (policy management system), Athena (online training system) and the Council s intranet, and providing a variety of printed materials and face to face training and awareness opportunities. Monitoring and Compliance Ongoing audits and monitoring will be undertaken to assess how the policy is being put into practice. Individuals who are dissatisfied with the way their personal data is processed have recourse through the Corporate Complaints procedure and the Information Commissioner s Office. Breaches of the Act can result in serious consequences for the Council. Elected members, employees and agents of the Council deliberately obtaining, disclosing or using personal data processed by the Council in any way which is not compatible with their duties, the functions of the Council or without authority may be subject to disciplinary action and legal action where an offence has been committed. Data Protection Advice and Guidance The Data Protection Officer for Blaby District Council is: The Democratic Services and Governance Manager For advice and guidance please contact the Information Management Services team in the first instance. Information Management Services Blaby District Council Council Offices Desford Road Narborough LE19 2EP foi@blaby.gov.uk 6