
Greater Yarmouth Tourism

Maritime House,
25 Marine Parade
Great Yarmouth,
Norfolk NR30 2EN.

TEL. 01493 846346


THE DATA PROTECTION ACT 1998

Paragraph 1: Policy Statement
Great Yarmouth Borough Council is committed to protecting the rights and privacy of individuals (includes Elected members, staff, Service Users and others) with regard to the processing of personal data. It is necessary for the Council to process certain information about its elected members, staff, Service Users and other individuals it has dealings with for various purposes (eg to recruit and pay staff, to administer benefit payments, to collect Council Tax, and to comply with legal obligations to public bodies and government). Such processing will be conducted fairly and lawfully in accordance with the Data Protection Act 1998. If you have a query regarding the accuracy of your personal data then your query will be dealt with fairly and impartially.


The policy applies to all staff and elected members of The Council. Any breach of the Data Protection Act 1998 or the Council’s Data Protection Policy is considered to be an offence and in that event, Great Yarmouth Borough Council’s disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the Council, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.


This policy will be available to all internal and external stakeholders, and will be available on the Council’s website www.great-yarmouth.gov.uk.


Paragraph 2: Background to the Data Protection Act 1998
The Data Protection Act 1998, which came into force on 1 March 2000, enhances and broadens the scope of the Data Protection Act 1984. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is processed with their consent.


Paragraph 3: Definitions (Data Protection Act 1998)

Personal Data
Data which relate to a living individual who can be identified:-
• From that data or
• From that data and other information which is in the possession of, or is likely to come into the possession of, the data controller
and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive Data
Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.

Data Controller
Any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In our case the “Council” as a whole is the data controller.

Data Subject
Any living individual who is the subject of personal data held by an organisation.

Processing
Any operation related to organisation, retrieval, disclosure and deletion of data and includes:
• Obtaining and recording data
• Accessing, altering, adding to, merging, deleting data
• Retrieval, consultation or use of data
• Disclosure or otherwise making available of data.

Third Party
Any individual/organisation other than the data subject, the data controller (Council) or its agents.

Relevant Filing System
Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible.


Paragraph 4: Responsibilities under the Data Protection Act
• The Council as a body corporate is the data controller under the Act.
• A Data Protection Officer has been appointed who is responsible for day-to-day data protection matters and for developing specific guidance notes on data protection issues for the Council.
• The Corporate Management Team are responsible for developing and encouraging good information handling practice within The Council.
• Compliance with data protection legislation is the responsibility of everybody who processes personal information.
• The Council, through its staff, is responsible for ensuring that any personal data supplied is accurate and up-to-date.
• Members’ Responsibilities:-
Members can be regarded as Data Controllers in their own right if they process personal data either manually or by computer, whether on their own equipment or on equipment provided to them by the Council. In this case, members must notify the Information Commissioner of all purposes for which they hold and process personal data.

Where holding and processing personal data about individuals in the course of undertaking Council business, the member will be covered by Great Yarmouth Council’s Notification, and have the same responsibilities in respect of data protection as an employee of the authority. Further guidance can be found in ‘Data Protection: Councillors Guide’, published by the Improvement and Development Agency, www.idea.gov.



Paragraph 5: Notification
The Information Commissioner maintains a public register of data controllers. Great Yarmouth Council is registered as such. Details of The Council's notification are published on the Information Commissioner's website www.informationcommissioner.gov.uk and at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 01625 545 745.

• The Data Protection Act 1998 requires every data controller who is processing personal data, to notify and renew their notification, on an annual basis. Failure to do so is a criminal offence. Notification is the responsibility of the Data Protection Officer.

• To this end designated officers will be responsible for notifying and updating the Data Protection Officer of the processing of personal data, within their directorate.

• The Data Protection Officer will review the Data Protection Register with designated officers annually, prior to notification to the Information Commissioner.

• Any changes to the register must be notified to the Information Commissioner, within 28 days.

• To this end, any changes made between reviews will be brought to the attention of the Data Protection Officer immediately.



Paragraph 6: Data Protection Principles
All processing of personal data must be done in accordance with the eight data protection principles.
1. Personal data shall be processed fairly and lawfully.
Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the data controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
2. Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes.
Data obtained for specified purposes must not be used for any other purpose.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held.
Information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data are given or obtained which are excessive for the purpose, they should be immediately deleted or destroyed.
4. Personal data shall be accurate and, where necessary, kept up to date.
Data, which are kept for a long time, must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the Council are accurate and up-to-date. Completion of an appropriate registration or application form etc will be taken as an indication that the data contained therein is accurate. Individuals should notify the Council of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the Council to ensure that any notification regarding change of circumstances is noted and acted upon.
5. Personal data shall be kept only for as long as necessary. (see Paragraph 12 on Retention and Disposal of Data)
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act. (see Paragraph 7 on Data Subjects Rights)
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. (see Paragraph 9 on Security of Data)
8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data must not be transferred outside of the European Economic Area (EEA). Staff should be particularly aware of this when publishing information on the Internet, which can be accessed from anywhere in the world.


Paragraph 7: Data Subject Rights
Data Subjects have the following rights regarding data processing, and the data that are recorded about them:
• The right of subject access:
The Data Protection Act allows individuals to find out what information is held about themselves on computer and some paper records. This is known as the right of subject access.

• The right of rectification, blocking, erasure and destruction:
The Data Protection Act allows individuals to apply to the Court to order a data controller to rectify, block, erase or destroy personal details if they are inaccurate or contain expressions of opinion which are based on inaccurate data.

• The right to prevent processing:
A data subject can ask a data controller to stop, or not to begin, processing relating to him or her where it is causing, or is likely to cause, substantial distress to themselves or anyone else. However, this right is not available in all cases and data controllers do not always have to comply with the request.

• The right to prevent processing for direct marketing:
A data subject can ask a data controller to stop or not to begin processing data relating to him or her for direct marketing purposes. This is an absolute right.

• The right to compensation:
A data subject can claim compensation from a data controller for damage or damage and distress caused by any breach of the Data Protection Act. Compensation for distress alone can only be claimed in limited circumstances.

• Rights in relation to automated decision-taking:
An individual can ask a data controller to ensure that no decision which significantly affects them is based solely on processing his or her personal data by automatic means. There are, however, some exemptions to this.

• Telecommunications:
The Telecommunications Regulations 1999 (Data Protection and Privacy) impose special rules for dealing with data in public telecommunications systems, faxes, telephones and automated calling systems for unsolicited marketing.

• Unsolicited marketing faxes must not be sent to individual subscribers without their prior consent.
• Individual subscribers have a statutory right to opt-out of unsolicited telephone marketing either by telling the caller or by registering on a central stop list.
• Corporate subscribers cannot opt-out of telephone sales but have the right to opt-out of unsolicited marketing faxes.
• Automated calling systems must have the prior consent of both corporate and individual subscribers.



Paragraph 8: Consent
Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. The Council understands "consent" to mean that the data subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.


In most instances consent to process personal and sensitive data is obtained routinely by the Council (eg when a claimant signs a benefit claim form or when a new member of staff signs a contract of employment). Any Council forms (whether paper-based or web-based) that gather data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed. It is particularly important to obtain specific consent if an individual's data are to be published on the Internet as such data can be accessed from all over the globe. Therefore, not gaining consent could contravene the eighth data protection principle.


If an individual does not consent to certain types of processing (eg direct marketing), appropriate action must be taken to ensure that the processing does not take place.


If any member of The Council is in any doubt about these matters, they should consult The Council’s Data Protection Officer.


Paragraph 9: Security of Data
All staff are responsible for ensuring that any personal data (on others) which they hold are kept securely and that they are not disclosed to any unauthorised third party (see Paragraph 11 on Disclosure of Data for more detail).
All personal data should be accessible only to those who need to use it. You should always consider keeping personal data:
• in a lockable room with controlled access, or
• in a locked drawer or filing cabinet, or
• if computerised, password protected, or
• kept on disks which are themselves kept securely.

Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended and manual records should not be left where they can be accessed by unauthorised personnel.

Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal.

The central Computer room should be kept locked at all times and unauthorised personnel should not be allowed access. All personal data should be the subject of regular security copying to ensure against accidental or deliberate loss; these security copies must be treated in the same way as the original data.

This policy also applies to staff and members who process personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. Staff and members should take particular care when processing personal data at home or in other locations outside The Council offices.



Paragraph 10: Rights of Access to Data
Members of the public, elected members and staff have the right to access any personal data which are held by the Council in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by the Council about that person.
Any individual who wishes to exercise this right should:
• Submit a written request for subject access,
• Submit a request for access in respect of a registered entry and where separate entries exist for different purposes, make separate application for each access,
• Provide satisfactory proof of identity,
• Provide sufficient information to enable the data to be located, and
• Pay a fee of £5 per enquiry.

The data controller should:

• Respond only to a written request for subject access and collect the appropriate fee,
• Be satisfied as to the identity of the data subject,
• Obtain sufficient information to enable the data to be located,
• Inform the data subject whether data is held about him/her,
• Protect the interests of third parties by deleting any reference to them,
• Provide the data subject within 40 days with a copy of the personal data that relates to the data subject together with an interpretation of any terms or codes used to describe that data (subject to receipt of the fee before the expiry of the 40 day period),
• Retain a copy of the personal data supplied for use in case of challenge, and send a further copy for the Data Protection Officer.

In order to respond efficiently to subject access requests the Council has set out in the Corporate Manual Section 40 the steps that require to be undertaken.


Paragraph 11: Disclosure of Data
The Council must ensure that personal data are not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff and members should exercise caution when asked to disclose personal data held on another individual to a third party. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of the Council’s business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them onto senior management or the Data Protection Officer for a decision on the release of the information.

This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:
1. the individual has given their consent (eg a member of staff or a Service User has consented to The Council corresponding with a named third party);
2. where the disclosure is in the legitimate interests of the authority (eg disclosure to staff - personal information can be disclosed to other Council employees if it is clear that those members of staff require the information to enable them to perform their jobs);
3. where the authority is legally obliged to disclose the data (eg ethnic minority and disability monitoring).
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
• to safeguard national security*;
• prevention or detection of crime including the apprehension or prosecution of offenders*;
• assessment or collection of tax duty*;
• discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
• to prevent serious harm to a third party;
• to protect the vital interests of the individual (this refers to life and death situations).
* Requests must be supported by appropriate paperwork.
Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.
If in doubt, staff should seek advice from their Head of Department or The Council’s Data Protection Officer.


Paragraph 12: Retention and Disposal of Data
The Council discourages the retention of personal data for longer than they are required. Considerable amounts of data are collected on current staff, members and Service Users. However, once a member of staff or Member has left the authority, it will not be necessary to retain all the information held on them. Some data will be kept for longer periods than others; data held on Service Users will be retained in line with current legislation.
Staff

In general, electronic staff records containing information about individual members of staff are kept indefinitely and information would typically include name and address, positions held, leaving salary. Other information relating to individual members of staff will be kept by the Personnel Department for 6 years from the end of employment. Information relating to Income Tax, Statutory Maternity Pay etc will be retained for the statutory time period (6 years + current).


Departments should regularly review the personal files of individual staff members in accordance with The Council's Records Retention Schedule. Information relating to unsuccessful applicants in connection with recruitment to a post must be kept for 6 months from the interview date. Personnel may keep a record of names of individuals that have applied for, been short-listed, or interviewed, for posts indefinitely. This is to aid management of the recruitment process.
Service Users

Records containing information about Service Users are kept in accordance with current Legislation pertinent to the specific service. Other information relating to an individual will be kept by the department in accordance with the agreed department retention policy.

Disposal of Records
Personal data must be disposed of in a way that protects the rights and privacy of data subjects (eg, shredding, disposal as confidential waste, secure electronic deletion).


Paragraph 13: Publication of Council Information
All Members and staff of The Council should note that the Council publishes a number of items that include personal data, and will continue to do so. These personal data are:
• Information published in The Council Year Book including:
- names of all members of Council Committees
- Names, job titles and/or professional qualifications of members of Chief Officers.

It is recognised that there might be occasions when a member of staff or a Member of the Council, requests that their personal details in some of these categories remain confidential or are restricted to internal access. All individuals should be offered an opportunity to opt-out of the publication of the above (and other) data. In such instances, The Council should comply with the request and ensure that appropriate action is taken.

Paragraph 14: Use of CCTV
The Council's use of CCTV is regulated by a separate Code of Practice. (This service is operated by Town Market Partnership on the Council's behalf.)



Paragraph 15: Freedom of Information Act 2000
The Freedom of Information Act 2000 (FOIA) allows public access to all types of information held by public authorities, including Great Yarmouth Borough Council. Requests for personal information will be dealt with under the Data Protection Act. The FOIA will not make private and confidential information about people public.



Paragraph 16: Complaints
Great Yarmouth Borough Council’s ‘Comments and Complaints Procedure’ (available on the Council’s website) will be applied in the event of any complaints received about requests for access to information under the Act.



Paragraph 17: Policy Review
This policy will be managed and reviewed annually. Reviews will be subject to scrutiny and, from time to time, updates and re-issues will be circulated. However, the policy will be reviewed sooner if a weakness in the policy is highlighted, in the case of new risks, and/or changes in legislation.



Paragraph 18: Further Information
For further guidance or advice on the Data Protection Act, please contact the Freedom of Information Assistant who is collating all such requests: email foi@great-yarmouth.gov.uk, Great Yarmouth Borough Council, telephone 01493 846260.

