Titley & District Group Parish Council
Personal Data Management and Audit Policy April 2018
Adopted by the Council on 8th May 2018 Review Date May 2019
The GDPR places a much greater emphasis on transparency, openness and fairness than previous legislation required. The Parish Council as Data Controller will ensure the Principles of Data Protection legislation will be followed in the management of personal data and that employees and councillors understand the requirements of the new legislation.
The Clerk (as Data Processor) will follow the underlying principles that personal data:
(a) Must be processed lawfully, fairly and transparently.
(b) Is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
(c) Should be adequate, relevant and limited i.e. only the minimum amount of data should be kept for specific processing.
(d) Must be accurate and where necessary kept up to date.
(e) Should not be stored for longer than is necessary, and that storage is safe and secure.
(f) Should be processed in a manner that ensures appropriate security and protection.
The Clerk will manage subject access requests allowing data subjects to exercise their rights under the GDPR:
The right to access personal data we hold on you
The right to correct and update the personal data we hold on you
The right to have your personal data erased
The right to object to processing of your personal data or to restrict it to certain purposes only
The right to data portability
The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained
The right to lodge a complaint with the Information Commissioner’s Office.
The Clerk will ensure the notification of personal data breaches and undertake data protection impact assessments where required for new projects as directed by the Council as Data Controller. A record log of processing of data will be maintained by the Clerk as Data Processor.
|SUBJECT||Nature/purpose of processing||Type of data/where is it from||Who is the data subject?||Lawful basis/bases for processing||Data Controls|
|Planning Applications||Consultations and decisions published by the Planning Authority, and shared with Parish Council. Clerk emails details of each application and decision to parish councillors. Also published with agenda and minutes, and discussed in open forum. Parish council comments on application provided by Planning Authority||Name and contact information; Principal authority; residents/public||Planning applicant/resident; Other members of the public speaking in open public session at council meetings||Compliance with legal obligation||1. Clerk to check all information before sharing with parish councillors, and ensure sensitive personal data is redacted wherever possible before sharing or publishing.
2. Information in agenda and minutes to include only what is necessary to identify and discuss the application or decision.
3. Any correspondence between PC and applicant to be in accordance with data protection principles, and to be deleted within two years.
|Electoral roll provided by Principal Authority||Names, address, marital status; principal authority||Parish residents||Compliance with legal obligation||1. Clerk to retain in a secure place.
2. Electoral roll not to be shared with any other person.
3. Members of the public to be directed to Principal Authority for any electoral roll queries.
|Parish Newsletter/Resident Surveys||Inform residents and gain views of residents||Resident Names and Contact details- from residents||Residents||Consent||Clerk to retain in a secure place and obtain consent form. Not to be shared.
|Website||Information relating to the Parish is published on the website||Members of public||Consent; compliance with legal obligation||1. Photographs of individuals shall not be published on the website without the express permission of the individual.
2. Photographs will be deleted after a maximum of two years, and no copy of the photograph shall be retained by the PC
|Councillor details||Clerk retains contact details/gathered for election purposes/published in accordance with Transparency Code and Code of Conduct||Name, address, contact details, and disclosable pecuniary interests||Parish Councillors||Compliance with legal obligation||1. Details will be published on website in accordance with statutory requirements.
2. Data will be held by Clerk, on the PC laptop, and will be deleted when a councillor retires from office.
3. Requests for this data from third parties shall be referred to the website.
|Email or letter queries from residents or from other third parties including a request for service , reporting issues or making complaints||Correspondence from members of the public/residents/other parties relating to parish matters which may contain personal data.||Name, address, contact details, with possible sensitive personal data, depending on the nature of the matter; residents provide||Members of the Public/Residents||Public interest; compliance with legal obligation||1. Any email letter of other form of query received by the PC which contains personal data will be retained for a maximum of two years.
2. Such data may be stored on the PC laptop, held by the Clerk in a secure place.
3. The agreed privacy notice shall be provided to any person who contacts the PC.
4. In accordance with the agreed privacy notice, such data shall not be shared with any third party without the express permission of the data subject.
|Minutes – matters raised by members of the public at meetings||Maintained and published in accordance with Local Government legislation||Names and possibly other information||Residents/members of the public||Compliance with legal obligation; public interest||1. Every effort should be made to avoid inclusion of personal data in agenda or minutes. Where personal data or potential identifiers cannot be avoided, these should be kept to a minimum.
2. Members of the public who attend the public forum or the annual meeting should be informed by the Chair that the issue may be included in public minutes, and should give their consent to this before the discussion (consent to be implied as Chair gives the members of the public the chance to withdraw from the meeting if they wish).
|Letter/email to residents asking them to perform actions (eg trim trees or hedges)||In response to requests made at PC meetings.||Names, addresses and possibly other personal data provided by residents||Residents/members of the public||Compliance with legal obligation; public interest||1. Copy to be retained on PC laptop, held by Clerk in a secure place, for a maximum of two years.
2. Information shall not be shared with any third party without express permission of the data subject.
|Council Contracts and Services
|Carrying out contracting work and services required by the Council;||Names, contact details, qualifications, financial details, details of certificates and diplomas, education and skills; provided in contract applications etc
|Contractors/Trades persons surveyors, architects, builders, suppliers, advisers, payroll processors||Contractual necessity||1. Copy to be retained on PC laptop, held by Clerk in a secure place, for life of contract or 6 months for employment applications.|
|Consider any other personal data ; eg Payroll||Personal data which comes under the control of the PC which does not fit into any of the categories above||Names, addresses and possible other personal data.||1. Clerk to process the data in accordance with the data protection principles, always ensuring that personal data is stored securely and not shared with any third party without the express permission of the data subject.
2. Clerk may need to bring report to Council to determine the way in which the data should be controlled.
Policy adopted by Titley & District Parish Council on 8th May 2018
Completed by: …………………………………………………… Date:
Clerk to the Parish Council