General Data Protection Regulations

Data Protection Policy (Adopted by Council 11th April 2018, reviewed on 9th May 2018)

Cotgrave Town Council recognises its responsibility to comply with the General Data Protection Regulations (GDPR) 2018, which regulate the use of personal data.  This does not have to be sensitive data; it can be as little as a name and address.

General Data Protection Regulations (GDPR)

The GDPR sets out high standards for the handling of personal information and protecting individuals’ rights to privacy.  It also regulates how personal information can be collected, handled and used.  The GDPR applies to anyone holding personal information about people, electronically or on paper.  Cotgrave Town Council has also notified the Information Commissioner that it holds personal data about individuals.

When dealing with personal data, Cotgrave Town Council staff and members must ensure that:

  • Data is processed fairly, lawfully and in a transparent manner

This means that personal information should only be collected from individuals if staff have been open and honest about why they want the personal information.

  • Data is processed for specified purposes only

This means that data is collected for specific, explicit and legitimate purposes only.

  • Data is relevant to what it is needed for

Data will be monitored so that too much or too little is not kept; only data that is needed should be held.

  • Data is processed in accordance with the rights of individuals

Individuals must be informed, upon request, of all of the personal information held about them.

  • Data is kept securely

There should be protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Storing and accessing data

Cotgrave Town Council recognises its responsibility to be open with people when taking personal details from them.

Cotgrave Town Council may hold personal information about individuals such as their names, addresses, email addresses and telephone numbers.  These will be securely kept at the Cotgrave Town Council Office and are not available for public access.  All data stored on the Cotgrave Town Council Office computers is password protected.  Once data is no longer needed, is out of date or has served its use and falls outside the minimum retention time of the Council’s document retention policy, it will be shredded or securely deleted from the computer.

Cotgrave Town Council is aware that people have the right to access any personal information that is held about them.  Subject Access Requests (SARs) must be submitted in writing (this can be done in hard copy, email or social media).  If a person requests to see any data that is being held about them, the SAR response must detail:

  • How and for what purpose personal data is processed
  • The period for which Cotgrave Town Council intends to process it
  • Anyone who has access to the personal data

The response must be sent within 30 days and should be free of charge.

If a SAR includes the personal data of another individual, Cotgrave Town Council must not disclose the personal information of that other individual.  That individual’s personal information may either be redacted, or the individual may be contacted to give permission for their information to be shared with the Subject.

Individuals have the right to have their data rectified if it is incorrect, the right to request erasure of the data, the right to request restriction of processing of the data and the right to object to data processing, although rules do apply to those requests.

Please see “Subject Access Request Procedure” for more details.

Confidentiality

Cotgrave Town Council members and staff must be aware that when complaints or queries are made, they must remain confidential unless the subject gives permission otherwise. When handling personal data, this must also remain confidential.

GENERAL PRIVACY NOTICE (Adopted by Council on 9th May 2018)

Your personal data – what is it?

“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address).
Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than names, but if you use a separate list of the ID numbers which gives the corresponding names to identify the staff in the first list, then the first list will also be treated as personal data).  The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom, including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.

Who are we?

This Privacy Notice is provided to you by Cotgrave Town Council which is the data controller for your data.

Other data controllers the council works with:

  • Other data controllers, such as local authorities
  • Community groups
  • Charities
  • Other not for profit entities
  • Contractors
  • Credit reference agencies

We may need to share the personal data we hold with them so that they can carry out their responsibilities to the council.  If we and the other data controllers listed above are processing your data jointly for the same purposes, then the council and the other data controllers may be “joint data controllers”, which means we are all collectively responsible to you for your data.  Where each of the parties listed above is processing your data for their own independent purposes, then each of us will be independently responsible to you, and if you have any questions, wish to exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the relevant data controller.

A description of what personal data the council processes and for what purposes is set out in this Privacy Notice.

The council will process some or all of the following personal data where necessary to perform its tasks:

  • Names, titles, and aliases, photographs;
  • Contact details such as telephone numbers, addresses, and email addresses;
  • Where they are relevant to the services provided by a council, or where you provide them to us, we may process information such as gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition, and dependants;
  • Where you pay for activities such as use of a council hall, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
  • The personal data we process may include sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data concerning and sexual life or

How we use sensitive personal data

  • We may process sensitive personal data including, as appropriate:
    • information about your physical or mental health or condition in order to monitor sick leave and take decisions on your fitness for work;
    • your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
    • in order to comply with legal requirements and obligations to third parties.
  • These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
  • We may process special categories of personal data in the following circumstances:
    • In limited circumstances, with your explicit written consent.
    • Where we need to carry out our legal obligations.
    • Where it is needed in the public interest.
  • Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Do we need your consent to process your sensitive personal data?

  • In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

The council will comply with data protection law. This says that the personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.

We use your personal data for some or all of the following purposes:

  • To deliver public services, including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;
  • To confirm your identity to provide some services;
  • To contact you by post, email or telephone;
  • To help us to build up a picture of how we are performing;
  • To prevent and detect fraud and corruption in the use of public funds and where necessary for law enforcement functions;
  • To enable us to meet all legal and statutory obligations and powers, including any delegated functions;
  • To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time, with the aim of ensuring that all children and adults-at-risk are provided with safe environments and generally as necessary to protect individuals from harm or injury;
  • To promote the interests of the council;
  • To maintain our own accounts and records;
  • To seek your views, opinions or comments;
  • To notify you of changes to our facilities, services, events and staff, councillors and other role holders;
  • To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives;
  • To process relevant financial transactions, including grants and payments for goods and services supplied to the council;
  • To allow the statistical analysis of data so we can plan the provision of services.

Our processing may also include the use of CCTV systems for the prevention and prosecution of crime.

What is the legal basis for processing your personal data?

The council is a public authority and has certain powers and obligations.  Most of your personal data is processed for compliance with a legal obligation, which includes the discharge of the council’s statutory functions and powers.  Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services.  We will always take into account your interests and rights.  This Privacy Notice sets out your rights and the council’s obligations to you.

We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract.  An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy.

Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use.

Sharing your personal data

This section provides information about the third parties with whom the council may share your personal data.  These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. It is likely that we will need to share your data with some or all of the following (but only where necessary):

  • The data controllers listed above under the heading “Other data controllers the council works with”;
  • Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software;
  • On occasion, other local authorities or not for profit bodies with which we are carrying out joint ventures, e.g. in relation to facilities or events for the community.

How long do we keep your personal data?

We will keep some records permanently if we are legally required to do so.  We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 6 years to support HMRC audits or provide tax information.  We may have legal obligations to retain some data in connection with our statutory obligations as a public authority.  The council is permitted to retain data in order to defend or pursue claims.  In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims).  We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim.  In general, we will endeavour to keep data only for as long as we need it.  This means that we will delete it when it is no longer needed.

Your rights and your personal data 

You have the following rights with respect to your personal data:

When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security.  In such cases we will need you to respond with proof of your identity before you can exercise these rights.

1) The right to access personal data we hold on you

At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, who has access to the personal data and where we obtained the personal data from.  Once we have received your request we will respond within one month.

There are no fees or charges for the first request, but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.

2) The right to correct and update the personal data we hold on you

If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.

3) The right to have your personal data erased

If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold.

When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it to comply with a legal obligation).

4) The right to object to processing of your personal data or to restrict it to certain purposes only

You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data.

5) The right to data portability

You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.

6) The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained

You can withdraw your consent easily by telephone, email, or by post (see Contact Details below).

7) The right to lodge a complaint with the Information Commissioner’s Office

You can contact the Information Commissioner’s Office on 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Transfer of Data Abroad

Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union.  [Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas].

Further processing

If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.  Where and whenever necessary, we will seek your prior consent to the new processing.

Changes to this notice

We keep this Privacy Notice under regular review and we will place any updates on the Council Website – www.cotgrave-tc.gov.uk.  This Notice was last updated in May 2018.

Contact Details

Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you or to exercise all relevant rights, queries or complaints at:

The Data Controller
Cotgrave Town Council
Cotgrave Leisure Centre
Woodview
Cotgrave
Nottingham
NG12 3PJ

Telephone: 0115 9893876

Email:  clerk@cotgrave-tc.gov.uk

RETENTION OF DOCUMENT AND RECORDS MANAGEMENT POLICY (Adopted by Council on 11th April 2018 and reviewed on 9th May 2018).

Cotgrave Town Council recognises that the efficient management of its records is necessary to comply with its legal and regulatory obligations and to contribute to the effective overall management of the Town Council.  This document provides the policy framework through which this effective management can be achieved and audited.  It covers:

  • Scope
  • Responsibilities
  • Relationships with existing policies
  • Retention Schedule

Scope of the Policy

This policy applies to all records created, received, or maintained by Cotgrave Town Council in the course of carrying out its functions.  Records are defined as all those documents which facilitate the business carried out by Cotgrave Town Council and which are thereafter retained (for a set period) to provide evidence of its transactions or activities.  These records may be created, received, or maintained in hard copy or electronically.

A small percentage of Cotgrave Town Council’s records will be selected for permanent preservation as part of the Council’s archives and for historical research.

Responsibilities

Cotgrave Town Council has a corporate responsibility to maintain its records and records management systems in accordance with the regulatory environment.  The person with overall responsibility for this policy is the Clerk to the Town Council.

The person responsible for records management will give guidance on good records management practice and will promote compliance with this policy so that information can be retrieved easily, appropriately and in a timely manner.

Individual staff and employees must ensure that records for which they are responsible are accurate and are maintained and disposed of in accordance with the Town Council’s records management guidelines.

Relationship with existing policies

This policy has been drawn up within the context of:

  • Freedom of Information Policy
  • Data Protection policy/Publication Scheme

And with other legislation or regulations (including audit and Statute of Limitations) affecting the Town Council.

Retention Schedule

Under the Freedom of Information Act 2000, the Town Council is required to maintain a retention schedule listing the record series which it creates during its business.  The retention schedule lays down the length of time which the record needs to be retained and the action which should be taken when it is of no further administrative use.

Members of staff are expected to manage their current record keeping system using the retention schedule and to take account of the different kinds of retention periods when they are creating new record keeping systems.

The retention schedule refers to all the Town Council’s records, irrespective of the media in which they are stored.

Please see the Retention Schedule at Appendix 1 and Appendix 2.

APPENDIX 1

RETENTION OF DOCUMENTS REQUIRED FOR THE AUDIT OF COTGRAVE TOWN COUNCIL

DOCUMENT | MINIMUM RETENTION PERIOD | REASON
Signed minutes of council meetings (hard copy) | Indefinite | Archive
Scales of fees and charges | 6 years | Management
Receipt and payment account(s) | 6 years | VAT
Receipt books of all kinds | 6 years | VAT
Bank statements, including deposit/savings accounts | Last completed audit year | Audit
Bank paying-in books | Last completed audit year | Audit
Cheque book stubs | Last completed audit year | Audit
Quotations and tenders | 6 years | Limitation Act 1980 (as amended)
Paid invoices | 6 years | VAT
Paid cheques | 6 years | Limitation Act 1980 (as amended)
VAT records | 6 years generally, but 20 years for VAT on rents | VAT
Annual Return and Audited Accounts | Indefinite | Archive
Petty cash, postage and telephone books | 6 years | HMRC
Insurance policies | While valid | Management
Certificates for insurance against liability for employees | 40 years after policy end | The Employers’ Liability Regulations 1998
Grant requests | 3 years | Management/Audit
Equipment inspection records | 15 years | Management
Premises inspection records | 15 years | Management
Title deeds, leases, agreements, contracts | Indefinite | Audit/Management
Accident books | 25 years from closure | Management
Risk assessments | 3 years from last assessment | Management
Assets register | Indefinite | Audit, Management
Press releases | 6 years | Management
Public consultation – surveys and returns | 5 years | Management
FOI requests | 2 years after closure | Management
Town Council newsletter | Deposit copy with library; own copy for as long as wished | Archive/Management
Allotments: register and plans | Indefinite | Audit, Management
Planning applications | See note below | 

All planning applications and relevant decision notices are available at Rushcliffe Borough Council.  There is no requirement to retain duplicates locally.  All Town Council recommendations in connection with these applications are recorded in the Council minutes, which are retained indefinitely.

Declarations of acceptance | Term of office + 1 year | Management
Members’ register of interests | Term of office + 1 year | Management
Members’ allowance register | 6 years | Tax, Limitation Act 1980 (as amended)
Complaints | 1 year | Management
General information | 6 months | Management
Routine correspondence and emails | 6 months | Management
Photographs | As long as necessary | Management/Historical

APPENDIX 2

PERSONNEL / HUMAN RESOURCES RECORDS/DATA

DOCUMENT | MINIMUM RETENTION PERIOD | REASON
Payroll and wage records | 6 years from end of financial year | Superannuation
Timesheets | 2 years | Audit (requirement); personal injury (best practice)
PAYE records | 3 years | Audit
Accident book | 25 years from last report | Management
Statutory Maternity Pay (SMP) records | 3 years | Audit
Statutory Paternity Pay (SPP), Shared Parental Pay (ShPP) and Adoption Pay (SAP) records | 3 years | Audit
Immigration checks | 2 years after termination of employment | Management
CVs/application forms, interview notes | 6 months from date of appointment | Management
CVs/application forms of unsuccessful candidates | 12 months from date of application submission | Management
Copies of qualifications | Retain while employment valid/current | Management
Contract of employment | Duration of employment + 6 months | Management
Holiday records | 3 years | Management
Sickness records (self-certification forms, return to work forms, GP fit notes, sickness absence management records, SSP records, medical/OHP reports) | 3 years / 3 years / 4 years from date of receipt | Management
Performance improvement | For the period during which performance is being assessed, plus 6 months | Management
Disciplinary investigations | 6 months from the date it becomes spent, or 6 months from dismissal | Management
Training records | Once completed/resolved | Management
Subject access requests | 12 months from date of request | Management
Grievance records | 6 months from date of completion (6 years if grievance relates to pay/contract terms) | Management
Redundancy | 6 months from termination of employment | Management
Flexible working requests | 12 months from request | Management
Termination (letters of resignation, notes of exit interviews, records/audits of return of company property, employment personnel file) | 6 months from termination | Management

SUBJECT ACCESS REQUEST PROCEDURES (Adopted by Council on 9th May 2018)

This procedure is to be followed when an individual contacts Cotgrave Town Council to request access to their personal information held by the Council.  Requests must be completed within 1 month, so they should be actioned as soon as they are received.  SARs should be provided free of charge; however, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

The steps below should be followed to action the request:

  1. Is it a valid access request?  The request must be in writing (letter or email).  Has the person requesting the information provided you with sufficient information to allow you to search for the information? (You are allowed to request more information from the person if the request is too broad.)
  2. Verify the identity of the requestor.  You must be confident that the person requesting the information is indeed the person the information relates to. You should ask the person to attend the office with their passport/photo driving licence and confirmation of their address (utility bill/bank statement).
  3. Determine where the personal information will be found.  Consider the type of information requested and use the data processing map to determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual.)  If you do not hold any personal data, inform the requestor. If you do hold personal data, continue to the next step.
  4. Screen the information.  Some of the information you have retrieved may not be disclosable due to exemptions; however, legal advice should be sought before applying exemptions.

Examples of exemptions are:

  • References you have given
  • Publicly available information
  • Crime and taxation
  • Management information (restructuring/redundancies)
  • Negotiations with the requestor
  • Regulatory activities (planning enforcement, noise nuisance)
  • Legal advice and proceedings
  • Personal data of third parties

  5. Are you able to disclose all the information?  In some cases, emails and documents may contain the personal information of other individuals who have not given their consent to share their personal information with others. If this is the case, the other individual’s personal data must be redacted before the SAR is sent out.
  6. Prepare the SAR response and make sure to include as a minimum the following information (sample letters attached):
     (a) The purpose of the processing;
     (b) The categories of personal data concerned;
     (c) The recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
     (d) Where possible, the envisaged period for which personal data will be stored, or if not possible, the criteria used to determine that period;
     (e) The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
     (f) The right to lodge a complaint with the Information Commissioner’s Office (“ICO”);
     (g) If the data has not been collected from the data subject: the source of such data;
     (h) The existence of any automated decision-making, including profiling, and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Be sure to also provide a copy of the personal data undergoing processing.

Note: All SARs should be logged, including the date of receipt, the identity of the data subject, a summary of the request, an indication of whether the Council can comply, and the date the information is sent to the data subject.

Sample Letters:

  1. Replying to a subject access request providing the requested personal data

Dear [Name of data subject]

Data Protection subject access request

Thank you for your letter of [date] making a data subject access request for [subject].  We are pleased to enclose the personal data you requested.

[Include 6(a) to (h) above]

Copyright in the personal data you have been given belongs to the council or to another party.  Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.

Yours sincerely

  2. Release of part of the personal data, when the remainder is covered by an exemption

Dear [Name of data subject]

Data Protection subject access request

Thank you for your letter of [date] making a data subject access request for [subject].  To answer your request we ask the following areas to search their records for personal data relating to you:

  • [List the areas]

I am pleased to enclose [some/most] of the personal data you requested. [If any personal data has been removed:] We have removed any obvious duplicate personal data that we noticed as we processed your request, as well as any personal data that is not about you.  You will notice that [if there are gaps in the document] parts of the document(s) have been blacked out. [Or if there are fewer documents enclosed:] I have not enclosed all of the personal data you requested.  This is because [explain why it is exempt].

[Include 6(a) to (h) above]

Copyright in the personal data you have been given belongs to the council or to another party.  Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.

Yours sincerely

  3. Replying to a subject access request explaining why you cannot provide any of the requested personal data

Dear [name of data subject]

Data Protection subject access request

Thank you for your letter of [date] making a data subject access request for [subject].

I regret that we cannot provide the personal data you requested.  This is because [explanation where appropriate].

[Examples include where one of the exemptions under the data protection legislation applies.  For example, the personal data might be ‘legally privileged’ because it is contained within legal advice provided to the council or is relevant to ongoing litigation or preparation for litigation.  Other exemptions include where the personal data identifies another living individual or relates to negotiations with the data subject.  Your data protection officer will be able to advise if a relevant exemption applies, and if the council is going to rely on the exemptions to withhold or redact the data disclosed to the individual, then in this section of the letter the council should set out the reason why some of the data has been excluded.]

Yours sincerely

[Your full address]
[Phone number]
[The date]

Cotgrave Town Council
Cotgrave Leisure Centre
Woodview
Cotgrave
Nottingham
NG12 3PJ

Dear Sir or Madam,

Subject access request

[Your full name and address and any other details to help identify you and the information you want.]

Please supply the information about me I am entitled to under the General Data Protection Regulations relating to: [give specific details of the information you want, for example

  • Your personnel file;
  • Emails between ‘A’ and ‘B’ (between 1.6.11 to 1.9.11);
  • Your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;
  • CCTV camera situated at (‘E’ location) on 23.5.12 between 11am and 5pm;
  • Copies of statements (between 2006 and 2009) held in account number xxxxx]

If you need any more information from me, or a fee, please let me know as soon as possible.

It may be helpful for you to know that a request for information under the General Data Protection Regulations should be responded to within 1 month.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer.  If you need advice on dealing with this request, the Information Commissioner’s Office can assist you and can be contacted on 0303 123 1113 or at ico.org.uk.

Yours faithfully

[Signature]

DATA BREACH POLICY (Adopted by Council on 9th May 2018 and reviewed on 13th June 2018)

GDPR defines a personal data breach as “a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  Examples include:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data

Cotgrave Town Council takes the security of personal data seriously: computers are password protected and hard copy files are kept in locked cabinets.

Consequences of a personal data breach

A breach of personal data may result in a loss of control of personal data, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data, damage to property or social disadvantage.  Therefore a breach, depending on the circumstances of the breach, can have a range of effects on individuals.

Cotgrave Town Council’s duty to report a breach

If the data breach is likely to result in a risk to the rights and freedoms of the individual, the breach must be reported to the individual and the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.  When notifying the ICO of a breach, Cotgrave Town Council must:

  1. Describe the nature of the breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  2. Describe the likely consequences of the breach.
  3. Describe the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

When notifying the individual affected by the breach, Cotgrave Town Council must provide the individual with items 2 and 3 above.

Cotgrave Town Council would not need to communicate with an individual if the following applies:

  • It has implemented appropriate technical and organisational measures (i.e. encryption) so that those measures have rendered the personal data unintelligible to any person not authorised to access it;
  • It has taken subsequent measures to ensure that the high risk to rights and freedoms of individuals is no longer likely to materialise, or
  • It would involve a disproportionate effort

However, the ICO must still be informed even if the above measures are in place.

Data processor’s duty to inform Cotgrave Town Council

If a data processor (e.g. a payroll provider) becomes aware of a personal data breach, it must notify Cotgrave Town Council without undue delay.  It is then Cotgrave Town Council’s responsibility to inform the ICO; it is not the data processor’s responsibility to notify the ICO.

Records of data breaches

All data breaches must be recorded whether or not they are reported to individuals.  This record will help to identify system failures and should be used as a way to improve the security of personal data.

Record of Data Breaches

Date of Breach | Type of Breach | Number of individuals affected | Date reported to ICO/individual | Actions to prevent breach recurring

To report a data breach use the ICO online system:

https://ico.org.uk/for-organisations/report-a-breach/

How Cotgrave Town Council uses your information

Cotgrave Town Council is committed to compliance with Data Protection legislation. Keeping your personal information accurate and secure is a vital part of providing efficient services to you.

The council will only use the information it holds about you for the purpose you provided it except in the circumstances outlined in this notice. It will also only collect the minimum information necessary to fulfil that purpose.

When you provide information you will be told what it will be used for and whom it will be shared with. However, you need to be aware that the council is required to share your information, on occasion, between different sections of the council, and with other agencies to help reduce crime or investigate fraud.

The council also works closely with other councils and community organisations and often needs to share information with them in order to deliver your services.

However, the council will not supply these organisations with your information unless it is satisfied that equal measures are in place to protect the information from unauthorized access.

The council has a responsibility to promote social wellbeing and works in partnership with other councils and agencies such as the Police, Fire and Rescue Service, the voluntary services and the Health Service in order to preserve life, reduce accidents, reduce crime and disorder and improve health.

To promote this social wellbeing the council may need to share your personal and sensitive information with other councils and partner agencies.

What is Personal Data?

Personal Data is information that relates to a living individual who can be identified either:

  • from the information combined with any other information which is already in the possession of, or likely to come into the possession of, the person or organization holding the information.

The information includes any expression of opinion about the individual, and any indication of the intentions of the data controller or any other person in respect of the individual. Personal data will therefore cover basic details such as name, address, date of birth and telephone numbers.

The council must always comply with the 8 Principles of Data Protection when handling your personal information. These principles state that data must be:-
  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • not kept for longer than is necessary
  • processed in line with your rights
  • secure
  • not transferred to other countries without adequate protection

What is Sensitive Personal Data?

Certain data is also categorised as ‘Sensitive Personal Data’, for example:

  • racial or ethnic origin
  • physical or mental health or condition
  • sexual life
  • offences (including alleged offences)
  • religious or other beliefs of a similar nature

The law says explicit consent should be sought before using your Sensitive Personal Information. Usually your consent will be sought when you make an application for council services.

Why does the council collect and retain Personal Data?

In order to provide you with efficient and effective services, Cropwell Bishop Parish Council needs to collect personal data. The council may also need to share your personal data with other service providers who are contracted to carry out services on its behalf. These providers are obliged to keep your personal details secure and use them only to fulfil your service request. The council will process the information you provide in a manner that is compatible with the Data Protection Act and in particular aims to comply with the principles stated above. Cropwell Bishop Parish Council will use information about you for the provision of services and specifically for the following:-

  • for all law enforcement, regulation and licensing, criminal prosecutions and court proceedings which the council is obliged to undertake
  • all financial transactions to and from the council including payments, grants and benefits; where monies are due or outstanding the council reserves the right to use all the available information at its disposal to protect public funds

Sharing information with other partner agencies

The council has a responsibility to promote social wellbeing and to work with other councils and partner agencies such as the Police, Fire and Rescue Service, the voluntary services and the Health Service in order to preserve life, reduce accidents, reduce crime and disorder and improve health. To promote this social wellbeing the council may need to share your personal and sensitive information with other councils and partner agencies.

The sharing of sensitive personal data where your consent has not been directly secured will only occur in order to promote community wellbeing for example in saving life, reducing crime, reducing accidents and improving health and will be on a “need to know” basis.

Further Information

If you require further information about the use of your data or wish to make a subject access request for copies of your personal data held by Cotgrave Town Council please contact:

Mrs Julie Stephenson
Cotgrave Town Council
Cotgrave Leisure Centre
Woodview
Cotgrave
Nottingham
NG12 3PJ

Tel: 0115 9893876
Email: clerk@cotgrave-tc.gov.uk

General Data Protection Regulation 2016

On 25th May 2018 the existing Data Protection Act 1998 ceases to exist and is replaced by the General Data Protection Regulation 2016. This regulation is currently going through Parliament and will be called the Data Protection Bill. The Data Protection Bill was published on 14 September 2017 and aims to modernise data protection laws to ensure they are effective in the years to come.

What is the difference between the DP Bill and the GDPR?

The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side.

For more information please click on the following link.

https://ico.org.uk/for-organisations/data-protection-bill/