Handling personal data

Where it’s possible to share personal data using a file sharing platform or portal, you must always use these in preference to sending personal data by email. So only send personal data by email when you really need to, as this reduces the risk of it being sent to the wrong person.

Always remember the following guidance:

• Encrypt emails that are sent outside the Council which contain sensitive personal data and aren’t otherwise protected (please see the Policy for more information on this).
• When you type an email address in Outlook, any similar addresses that you’ve used before will be ‘suggested’ by the email software. It’s essential that you choose the right address before the message is sent – never assume the suggested address is the correct one.
  • It’s your responsibility as the sender to check and double check that the right address has been typed or selected before sending an email.
  • This is essential as many personal data breaches happen when emails are sent to the wrong person. There’s currently no way of recalling an email that you’ve sent outside the Council – so there’s no safety net if you make a mistake in this way.
• Avoid sending emails to groups or lists of contacts as this introduces the risk of disclosing personal data to recipients who shouldn’t see it. When responding to emails, choosing the ‘reply to all’ option could also result in information being sent to people that aren’t meant to have access to it.
• When you send an email to a number of people, any private email addresses must be entered into the Blind Carbon Copy or ‘Bcc’ field within the message rather than the ‘To’ field. Doing this hides individuals’ personal email addresses.
• Please take care when forwarding email trails. The recipients of the latest message may not be authorised to see the content of earlier emails further down the trail.
• When you collect an email address verbally, always read the address back to the intended recipient to make sure you’ve heard and recorded it correctly.

These days, many of us spend more of our working lives outside Council premises.

So, when working from home or in a public area, where there are other people present like family or members of the public, you must make sure that they are not allowed to have access to Council personal data in any form.

This means making sure that:

• Personal data can’t be seen by other people on laptops or tablets.
• Personal data can’t be overheard, for instance when being discussed using Teams, any other digital communication platforms, or on the phone.
• Paper documents containing personal data aren’t left where they can be accessed by people who shouldn’t see them.
• You never allow Council IT equipment, like laptops or tablets to be used by unauthorised people like family members. This equipment is provided for work purposes only.
• Portable devices, removable media, or paper records are always carried safely when being taken from one location to another. They must never be left unattended and vulnerable such as within vehicles or in areas accessible to the public.
• You don’t print, scan or photocopy documents containing personal data using devices that aren’t owned by the Council. This includes personal devices in your home and those available for use in retail premises.
• Personal data in paper form is never disposed of in the home.

Personal data breaches are defined in the UK GDPR as:

"a breach of security leading to the accidental or unlawful destruction, loss, alteration unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Although there are other types of incidents covered by this definition, examples include:

• Emailing personal data to the wrong person
• Losing paperwork containing personal data
• The loss or theft of financial information such as bank account or payment card details
• Accidental deletion of records, affecting service delivery

All incidents like this have to be dealt with in accordance with Part 3 of the Handling Personal Data Policy, as follows: 

• To make sure that they can be acted on, breaches should be reported by employees to their line manager immediately, or in any event within 12 hours of the issue being discovered.
• Within the same time limit, the breach must also be reported to the Breach Response Team via the central mailbox, databreaches@carmarthenshire.gov.uk
• Out of office hours, breaches must be reported via Delta Wellbeing on 0300 333 2222.

If we don’t report personal data breaches, or take too long to do so, this could have potentially serious consequences for our customers, staff and other individuals.

The simple rule is that personal data shouldn’t be kept for longer than necessary. This is known as the principle of ‘storage limitation’.

So we’ve produced detailed Retention Guidelines for all of the record types we hold that provide advice on how long to keep them. Most of these record types contain personal data.

Please remember:

• We shouldn’t normally keep personal data for longer than the periods specified in these Retention Guidelines.
• We should periodically review the personal data we hold and delete (or anonymise) it when we no longer need it.
• Paper records containing personal data must be disposed of securely by shredding or by using a confidential waste service in accordance with our Records Disposal Procedure.
• It’s also important that personal data (or information that is confidential for another reason) is stored securely until it is shredded or collected by a confidential waste service.