Collingbourne Ducis Parish Council
General Data Protection Regulation Policy
Adopted: 5 July 2018
To be reviewed: Annually
Purpose of the policy and background to the General Data Protection Regulation
This policy explains to councillors, staff and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing; and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR, which apply in the UK from May 2018. The Government has confirmed that, despite the UK leaving the EU, GDPR will still be a legal requirement. This policy explains the duties and responsibilities of the council and identifies the means by which the council will meet its obligations.

Identifying the roles and minimising risk
GDPR requires that everyone within the council must understand the implications of GDPR and that roles and
duties must be assigned. The Council is the data controller and it is the Council's duty to undertake an information audit and to manage the information collected by the council, the issuing of privacy statements, the handling of requests and complaints raised, and the safe disposal of information. GDPR requires continued care by everyone within the council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner's Office (ICO) for the breach itself and also having to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as a medium risk to the council (both financially and reputationally) and one which must be included in the Risk Management Policy of the council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of the potential data protection risks of new projects), minimising who holds protected personal data, and the council undertaking training in data protection
awareness.

Data breaches
Personal data breaches should be reported to the Council for investigation. Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 72 hours of the Council becoming aware of it) where it is likely to result in a risk to the rights and freedoms of individuals; for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the Council will also have to notify those concerned directly.

It is unacceptable for non-authorised users to access IT using employees' log-in passwords or to use equipment while another user is logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for the Council; for example, the discussion of internal council matters on social media sites could result in reputational damage to the Council and to individuals.
Privacy Notices
Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what a council does with their personal information. A privacy notice will contain the name and contact details of the data controller, the purpose for which the information is to be used and the length of time for which it will be held. It should be written clearly and, where the processing relies on the individual's consent, should advise the individual that they can withdraw that consent at any time.
Individuals' Rights
GDPR gives individuals rights, with some enhancements to those rights already in place:
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making, including profiling.
The two enhancements of GDPR are that individuals now have a right to have their personal data erased (sometimes known as the 'right to be forgotten') where their personal data is no longer necessary in relation to the purpose for which it was originally collected, and that data portability must be provided free of charge. Data portability refers to the ability to move, copy or transfer data easily between different
If a request is received to delete information, then the Council must respond to this request within a month.
If a request is considered to be manifestly unfounded or excessive, then the request may be refused or a charge may apply. The charge will be as detailed in the Council's Freedom of Information Publication Scheme. The Parish Council will be informed of such requests.
There is special protection for the personal data of a child. The age at which a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent's or guardian's consent in order to process the personal data lawfully. Consent forms for children aged 13 and over must be written in language that they will understand.
The main actions arising from this policy are:
• The Council must be registered with the ICO.
• A copy of this policy will be available on the Council's website. The policy will be considered a core policy for the Council.
• Privacy notices must be issued.
• Data Protection will be included in the Council's Risk Management Policy.
• The Parish Council will manage the process.
This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.

All employees, volunteers and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council.