The Council collects and uses a wide range of information about individuals in order to carry out its functions, and without this we would be unable to deliver our services. These individuals include our customers, clients, employees and residents of the County.
The information we hold about them is personal data, which is a valuable asset but also a liability if we handle it incorrectly.
If we fail to take adequate care of the personal data we deal with and it is lost, stolen, disclosed inappropriately or otherwise misused, this could have a serious impact on the individuals concerned, ranging from distress and financial loss to actual physical harm.
Changes to Data Protection legislation, concern over erosion of privacy and well-publicised data breaches mean that Data Protection is an issue very much in the public eye.
The General Data Protection Regulation (GDPR) is designed to give more protection to personal information and provide individuals with enhanced rights. All staff who deal with personal information have to comply with it.
The GDPR is based on a framework of six Data Protection principles which we have to follow when processing personal data:
- We must process personal data lawfully, fairly and transparently
- We must only process personal data for specified, explicit and legitimate purposes, and other uses must be compatible with these purposes
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is used
- Personal information must be kept accurate and, where necessary, up to date
- Personal data must not be kept for longer than is actually necessary
- Personal data must be processed in a secure manner, including protection against unauthorised or unlawful use of personal data and against its accidental loss, destruction or damage, using appropriate technical and organisational measures
The Council's Data Protection Policy sets out how we comply with these principles.
It is also important for all staff to be aware that misuse of personal information is a breach of Council policy and may lead to disciplinary action.
In addition, individual members of staff can be prosecuted and convicted if any offences set out in the legislation are committed.
Criminal offences relating to data protection include:
- Unlawfully obtaining, disclosing, or procuring the disclosure of personal data
- Selling, or offering to sell, personal data which has been unlawfully obtained
Serious or persistent breaches, which are not in themselves criminal offences, could also lead to the Council being fined.
We have produced a policy and procedure, which is designed to ensure that personal information is handled securely. In particular, this looks at the way personal data is stored and transferred to assist us with complying with our legal obligations under Data Protection legislation.
Data security breaches would include cases where personal data is lost or stolen, either in electronic or paper format. Other examples would include emailing personal data to an unintended recipient or accidentally placing personal data on the Council’s website.
All such incidents must be dealt with in accordance with our Breach Reporting and Response Policy as follows:
- To ensure that they can be acted upon, breaches should be reported by employees to their line manager immediately
- The breach must also be reported to the Breach Response Team via the central mailbox, firstname.lastname@example.org
- Out of office hours, breaches must be reported via Careline on 0300 333 2222
Failure to report, or delay in reporting, data security breaches can have potentially serious consequences for data subjects, staff, and other individuals.
The GDPR provides individuals with the right to obtain a copy of the information that is processed about them by making what is known as a ‘Subject Access Request’. Please read our Subject Access Procedure for more information on how we deal with these requests.
Page updated: 13/07/2020 10:02:17