Colchester Borough Council has to collect and use information about the people with whom it works; members of the public; current, past and prospective employees; customers; suppliers and others in order to carry out its duties.
Colchester Borough Council will ensure that it treats all personal information entrusted to it lawfully and correctly.
Application of policy
The Council fully endorses and adheres to the principles set out in the Data Protection legislation (Data Protection Act 2018 and General Data Protection Regulations). The Council will therefore ensure that all employees, Councillors, contractors, agents, consultants, partners or anyone else who has access to any personal data held by or for the Council are fully aware of and abide by their duties and responsibilities under Data Protection legislation.
This Policy and the procedures set down in it are reviewed annually to ensure that the Council continues to comply with all relevant statutory requirements.
The Council will ensure that all personal data is handled properly and with confidentially at all times, irrespective of whether it is held on paper or by electronic means.
- the obtaining of personal data
- the storage and security of personal data
- the use and processing of personal data
- the disposal of or destruction of personal data
The Council will ensure that data subjects have appropriate access, upon written request, to personal information relating to them and will ensure the data subjects’ rights to rectification, erasure, restriction, portability and object are adhered to.
The principles of data protection
Whenever collecting or handling information about people the Council will ensure that:
- personal data is processed, lawfully, fairly and in a transparent manner
- the purposes for which personal data is obtained and processed are specified and that data is not used for any other purpose
- processing of personal data is adequate relevant and limited to what is necessary
- any data used or kept is accurate and up to date
- personal data is retained only for as long as necessary
- data is disposed of properly
- all personal data is processed in accordance with the rights of the individual concerned
- personal data is processed in an appropriate manner to maintain security
- the movement of personal data is done in a lawful way, both inside and outside the Council, and that suitable safeguards exist, at all times
Definition of personal and sensitive data
The legislation makes a distinction between 'personal data' and 'personal sensitive data':
Personal data is defined as data relating to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. This will include any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Personal sensitive data is defined as personal data consisting of information as to:
- Racial or ethnic origin
- Political opinion
- Religious or other beliefs
- Trade union membership
- Physical or mental health or condition
- Sexual life or sexual orientation
- Criminal proceedings or convictions
- Genetic data
- Biometric data
Roles and responsibilities
Colchester Borough Council will ensure that:
- A member of staff, the Data Protection Officer (DPO), is appointed who has specific responsibility for data protection within the Council
- Any disclosure of personal data is in compliance with the law and with approved procedures
- Anyone managing and handling personal information understands that they are legally bound to follow good data protection practice
- Anyone managing and handling personal information is appropriately trained and supervised
- Staff have access only to personal information relevant to their roles
- Appropriate advice and guidance is available to anyone wanting to make enquiries about personal information held by the Council
- Enquiries and requests regarding personal information are handled courteously and within the time limits set out in law
- All councillors are to be made fully aware of this policy and of their duties and responsibilities under legislation
- Where personal data may need to be shared with third parties in order to deliver services or perform our duties, the Council will only share personal data when a lawful basis from the legislation can justify that sharing, where it is necessary to achieve a clear purpose and, with that purpose in mind, it is fair and proportionate to do so
- Data Protection Impact Assessments (DPIA) are conducted, and signed off by the Data Protection Officer and the Senior Information Risk Owner (SIRO) where processing presents a high risk to the privacy of data subjects
- A record of personal data processing is kept and maintained, this will include a data classification
All managers and staff will ensure that:
- Paper files and other records or documents containing personal and or sensitive data are kept securely and destroyed securely
- Personal data held electronically is protected by the use of secure passwords
- All users must choose passwords which meet the security criteria specified by the Council
- Staff working remotely from home or elsewhere must keep any Council owned equipment they use secure and prevent systems and data for which the Council is responsible being used or seen by members of their family or any other unauthorised person
- No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party
- Personal data is not stored on personal devices or forwarded to personal email accounts
- Personal data is not be left where it can be accessed by persons not authorised to see it
- Personal data is kept up to date and accurate
- Personal data is kept in accordance with the Council’s retention schedule
- Any data protection breaches are swiftly brought to the attention of the Data Protection Officer and that they support the Data Protection Officer in resolving breaches
- Where there is uncertainty around a data protection matter advice is sought from the Data Protection Officer
All contractors, consultants, partners or other servants or agents of the Council must:
- Confirm in writing that they will abide by the requirements of the legislation with regard to information obtained from the Council
- Provide assurance relating to their compliant handling of personal data and when requested allow the Council to audit the protection of data held on its behalf
- Ensure that they and all persons appointed by them who have access to personal data held or processed for or on behalf of the Council are aware of this Policy and are fully trained in their duties and responsibilities under Data Protection legislation
- Ensure that the Council receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the contractor
- Indemnify the Council without limitation against any prosecutions, claims, proceedings, actions or payments of compensation or damages arising from the loss or misuse of data. Any breach of any provision of Data Protection Act 2018 (DPA 2018) or the General Data Protection Regulations (GDPR) will be deemed as being a breach of any contract between the Council and that individual, company, partner or firm
The Council’s Data Protection Officer is responsible for:
- Advising the Council and its staff of its obligations under Data Protection legislation
- Ensuring the provision of cascade Data Protection training, for staff within the Council
- The development of best practice guidelines
- Ensuring compliance checks are undertaken to ensure adherence, throughout the authority, with Data Protection legislation
- Providing advice where requested on Data Protection Impact Assessments
- To co-operate with and act as the contact point for the Information Commissioner’s Office
- For conducting an annual review of this Data Protection Policy and the practices and procedures pertaining to it to ensure continuing compliance with all relevant statutory provisions
The Council’s Senior Information Risk Owner, is responsible for:
- Being the organisation’s leader and Champion for Information Risk Management and Assurance
- Advocating good information management and security practices
- Acting in an arbitrary role – to challenge risk mitigation
- Ensuring others are undertaking risk assessments and assurance activities
- Reporting annually to the Accountable Officer
- Is the senior manager with accountability for data protection and information risk and provides a link to the Council’s senior management team (SMT)
An officer has also been designated in each service as responsible for ensuring that this Policy is adhered to.
The Council’s Chief Executive Officer is the Accountable Officer ultimately responsible for ensuring that all information is appropriately protected.
This policy applies to councillors, and all councillors are made aware of the advice produced by the Information Commissioners Office, which is available at the link below.
Elected representatives and political parties
Councillors must be registered with the Information Commissioner as data controllers.
The Information Commissioner
Colchester Borough Council is registered with the Information Commissioner as a data controller.
The DPA 2018 requires every data controller who is processing personal data to notify and renew their notification on an annual basis. Failure to do so is a criminal offence.
Designated officers will be responsible for notifying and updating the Data Protection Officer with regard to the processing of personal data within their department.
The Data Protection Officer will review the Information Asset Register with designated officers annually.
In the event of an information breach, or suspected breach, contact the ICT team or the Data Protection Officer.
Data Protection Officer