Data Protection Policy
DATA PROTECTION POLICY
1.1 The council holds and processes information about employees, councillors, residents and customers, and other data subjects for administrative and commercial purposes.
1.2 When handling such information the council, and all staff or others who process or use the information, must comply with the Data Protection principles as set out in the Data Protection Act 1998 (the Act).
2. Data protection principles
2.1 There are eight principles set out in the Act, which in summary state that data shall:
• be processed fairly and lawfully
• be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose
• be adequate, relevant and not excessive for the purpose
• be accurate and up-to-date
• not be kept for longer than necessary for the purpose
• be processed in accordance with the Data Subject’s rights
• be kept safe from unauthorised processing, and accidental loss, damage or destruction
• not be transferred to a country outside the European Economic Area, unless that country has the equivalent levels of protection for personal data, except in specified circumstances
3.1 Sidlesham Parish Council is the Data Controller and must ensure that any processing of personal data for which they are responsible complies with the Act.
3.2 The Data Protection Officer is the Clerk, who acts on behalf of the council, and is responsible for:
• fully observing conditions regarding the fair collection and use of information
• meeting the Council’s legal obligations to specify the purposes for which information is used
• collecting and processing relevant information, only to the extent that is required to fulfil operational needs/to comply with legal requirements
• ensuring the quality of information used
• applying strict checks to determine the length of time that information is held
• ensuring that the rights of the people whom information is held are able to be fully exercised under the Act
• taking appropriate technical and organisational security measures to safeguard personal information
• ensuring that personal information is not transferred abroad without suitable safeguards
• ensuring that everyone managing and handling personal information
o full understands that they are contractually responsible for following good practice in terms of protection
o is adequately trained to do so
o are appropriately supervised
4. Storage and retention
4.1 Personal data is kept in paper-based systems and/or on a password-protected computer system.
4.2 The council will keep different types of information for differing lengths of time, depending on legal and operational requirements. More information can be found in the council’s Document Retention Scheme.
5. Access to information
5.1 Any employees, councillors, residents, customers and other data subjects have a right to:
• ask what personal information the council holds
• ask what this information is used for
• be provided with a copy of the information
• be given details of the purposes for which the council uses the information and any other persons organisations to whom it is disclosed
• ask that any incorrect data held is corrected
5.2 If it is felt by the data subject that any personal information held is incorrect the individual may request that it be amended. The council must advise the individual within 21 days whether or not the amendment has been made.
6. Breach of policy
6.1 Compliance with the Act is the responsibility of all councillors, residents, customers and members of staff. Any deliberate or reckless breach of the policy may lead to disciplinary action and where appropriate, legal proceedings.
6.2 Any individual who believes that the council has breached any of the requirements of the Data Protection Act 1998 should raise the matter with the Clerk. Alternatively, a complaint can be made to the Information Commis