Data Protection Act 2018
Data Protection
The Council is fully committed to compliance with the requirements of the Data Protection Act 2018 and the changes arising from the General Data Protection Regulation (GDPR) which came into force on the 25 May 2018.
Our Data Protection Policy has been reviewed in line with the new requirements for GDPR and the Data Protection Act 2018.
More information about your rights under General Data Protection Regulation GDPR , Data Protection Act 2018 and how to access your personal information (making a Subject Access Request).
Our data protection and privacy aims
Process personal data lawfully
We will collect and process personal data lawfully for a specific and legitimate purpose, fairly and in a transparent manner. It will not be used for anything other than the stated purposes. We will aim to be accurate, and where necessary, keep it up to date. Any inaccuracies will be amended or removed without undue delay. It will be stored for as long as required, as specified on our privacy notices and records retention and disposal policy.
Be transparent with the information we collect and process
We want you to understand what information we collect and how it is used to provide you with a service. We provide a range of services that often mean we need to share your data with suppliers and partners who provide that service on our behalf. We aim to explain what we do with your information through our set of customer privacy notices.
Protect your data and privacy
By providing your personal information to us you expect us to protect and use it and share appropriately. We will manage our approach to information governance by training staff in data protection, privacy and security, and have practices to manage personal data from collection through to destruction. We will carry out privacy impact assessments to ensure the risks to your privacy are assessed when introducing new systems or changes to processes. These assessments are called data protection impact assessments.
Be accountable to our privacy commitments
We take our commitment to privacy seriously and hold ourselves to a high standard. Our senior managers are accountable for holding and processing customer personal information. We have a Data Protection Officer and a Policy Support Team to help oversee how we manage all our processing of personal information. Our Internal Audit Team will also carryout audit reviews and checks of our processing.
Provide privacy safe services
Personal data will be secured with appropriate solutions, which protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Our services will complete a data protection impact assessment when making changes to processes, and for new systems and services. We will ensure new suppliers have adequate data protection and security processes in place. We are compliant with the annual Government security assurance to allow us to use the public service network for email and access to systems. We are also accredited to the Cyber Essentials Plus assessment for cyber security.
New data protection – what it means to you
Data Protection legislation has changed. The General Data Protection Regulation (GDPR) is the new legal framework in the EU which came into force on 25 May 2018. This provides new rights to individuals about how their personal data is handled and stored. You will have the right to know how your data has been processed and make requests to us, depending on the lawful basis. You can find out more about these rights on the Regulator’s website, the Information Commissioner (ICO) contact details displayed on this page.
There is also the new Data Protection Act 2018 that came into force on 25 May 2018. This replaces the 1998 Act.
Personal data and special category data
The definition has been expanded to include an identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. Personal data that has been pseudonymised – example key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. The special categories (personal sensitive data) now specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Lawful basis
We will apply an appropriate lawful basis for processing your data. For most of our public services this will be because we have a legal obligation or, it’s a task in the public interest or in our official capacity, or a contract with you. Some services will ask for your explicit consent, such as collecting data like cookies when you go on our website or, being able to contact you by email or text for news updates.
Consent
In the case where we are relying on your explicit consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The ICO have a guide to consent.
Transparency
To comply with the new law we must provide detailed information on why and how we are processing the data – these are called privacy notices and we have used a layered approach as recommended by the ICO. These may be summarised and a web link provided for more information. Printed versions are available. See our main customer privacy notice at www.northwarks.gov.uk/privacy and links to further service specific notices.
Requesting a copy of your information – subject access requests
Everyone can make a request to the council for the information it holds about them. We would be grateful that you only ask for the information you actually need, to save time and allow us to be more efficient. We will not charge for this request, unless we consider it is excessive. Once we have a valid request we will have a month to provide the information requested which we can extend if the request is complex for two further months. We will provide this in an electronic form unless you request otherwise. See our access to information page for help and the section to request personal information.
Correction
You will have the right to ask for changes to inaccurate personal data. This may be your contact details or in the case of applications or assessments it may be making a note on the record.
Data portability
This allows you to ask for personal data to be given in an electronic form to be used in or transferred to another organisation’s electronic processing system. This only applies if the lawful basis is a contract with you or you gave your consent.
Erasure
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above, we will not rely on consent in many cases to process your information.
Automated decisions and profiling
After 25 May 2018, if we process your personal data based on automated decisions (where no individual was involved in the final decision), and this will have a legal or similarly significant effect on you, then you can request a written explanation of the decision made and you can contest the results of the decision. We will notify you in a privacy notice if we carry out automated decision making or profiling that comes under this definition.
Accountability
All organisations will have to be able to demonstrate how they comply with the new law when collecting and processing your personal data, if asked by the regulator (ICO). Contracts need to be in place between us and an organisation that we ask to process your data on our behalf to provide a service or host a system is a data processing.
Data Protection Impact Assessments
Organisations are obliged to conduct a data protection impact assessment when processing is likely to result in a high risk to individuals. These assessments look at the privacy risk when introducing new technology, profiling, using special category data, matching data and a number of other types of processing.
Data Protection Officer
As a public authority we have a statutory duty to appoint a Data Protection Officer. Their role is described in the General Data Protection Regulation with guidance given by the ICO. They are independent, provide audit assurance, review Data Protection Impact Assessments and report to the highest authority in their role, the council’s Management Team and the Executive Board. The Officer can be contacted using the details displayed on this page.
How the council has prepared for the new legislation
We set up an internal officer group to help manage our preparations for GDPR. The group is chaired by the Council’s Data Protection Officer and includes representatives from each service area. The group reports to the Council’s Management Team.
We have:
- Ravinder Johal - Head of Legal Services as the statutory Data Protection Officer
- Reviewed our key contracts with our suppliers and partners, implemented contract variations for GDPR compliance and technical data and security questions
- Prepared data asset registers to record our current processing activity for all our services and reviewed high risk areas to see if any changes are needed to meet GDPR requirements
- Determined the lawful basis for processing to meet GDPR requirements
- Developed layered privacy notices: a new customer privacy notice plus service area and service specific privacy notices to inform customers
- Developed a programme of communications to staff to raise awareness with regular, updates and new intranet material
- Implemented, specific e-learning training modules for staff on Data Protection Essentials and cyber security.
- Reviewed and revised information policies and procedures for staff and customers
We will continue our compliance work during 2018 and into 2019 which will include:
- Maintaining our data asset registers for our services to meet GDPR requirements
- Developing our procedures for data protection impact assessments, following new guidance from the ICO on 15 May 2018
- Developing service specific privacy notices where required
- Ongoing checking of internal and hosted systems for GDPR compliance
Data protection for suppliers to the council
A requirement of GDPR is for the Council (as Data Controller) to perform a risk assessment on the provider of systems or services (as Data Processor) regarding the Confidentiality, Integrity and Availability of data. See Article 32 of GDPR “Security of Processing”.
See the link below or in the ‘Do it online’ section for our questionnaire. There is no right or wrong way to answer these questions, it simply allows us to perform a risk assessment. Questions need to be fully answered (even if it’s just N/A) or it may delay the approval of suppliers, if we require further detail to provide assurance. The personal information (contact details) you provide are needed so we know which system we attribute the answers to and if we need to contact you for more information. Your answers will only be used for GDPR security review and will be stored as part of our GDPR review. They will be transferred from this form and stored until the end of the contract to process data.
