Personal Data Management & Audit Policy May 2018

Hatfield & District Group Parish Council

Adopted by the Council on 22nd May 2018

Review Date May 2020

Data Management

The GDPR places a much greater emphasis on transparency, openness and fairness than previous legislation required. The Parish Council as Data Controller will ensure that the Principles of Data Protection legislation are followed in the management of personal data and that employees and councillors understand the requirements of the new legislation.

The Clerk (as Data Processor) will follow the underlying principles that personal data:

(a) Must be processed lawfully, fairly and transparently.

(b) Is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.

(c) Should be adequate, relevant and limited i.e. only the minimum amount of data should be kept for specific processing.

(d) Must be accurate and where necessary kept up to date.

(e) Should not be stored for longer than is necessary, and that storage is safe and secure.

(f) Should be processed in a manner that ensures appropriate security and protection.

The Clerk will manage subject access requests allowing data subjects to exercise their rights under the GDPR:

The right to access personal data we hold on you

The right to correct and update the personal data we hold on you

The right to have your personal data erased

The right to object to processing of your personal data or to restrict it to certain purposes only

The right to data portability

The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained

The right to lodge a complaint with the Information Commissioner’s Office.

The Clerk will ensure the notification of personal data breaches and undertake data protection impact assessments where required for new projects as directed by the Council as Data Controller.  A record log of processing of data will be maintained by the Clerk as Data Processor.

Data Audit

Subject | Nature/purpose of processing | Type of data/where is it from | Who is the data subject? | Lawful basis/bases for processing | Data Controls

Subject: Planning Applications
Nature/purpose of processing: Consultations and decisions published by the Planning Authority, and shared with Parish Council. Clerk emails details of each application and decision to parish councillors. Also published with agenda and minutes, and discussed in open forum. Parish council comments on application provided by Planning Authority
Type of data/where is it from: Name and contact information; Principal authority; residents/public
Who is the data subject? Planning applicant/resident; Other members of the public speaking in open public session at council meetings
Lawful basis/bases for processing: Compliance with legal obligation
Data Controls:
1. Clerk to check all information before sharing with parish councillors, and ensure sensitive personal data is redacted wherever possible before sharing or publishing.
2. Information in agenda and minutes to include only what is necessary to identify and discuss the application or decision.
3. Any correspondence between PC and applicant to be in accordance with data protection principles, and to be deleted within two years.

Subject: Electoral roll
Nature/purpose of processing: Provided by Principal Authority
Type of data/where is it from: Names, address, marital status; principal authority
Who is the data subject? Parish residents
Lawful basis/bases for processing: Compliance with legal obligation
Data Controls:
1. Clerk to retain in a secure place.
2. Electoral roll not to be shared with any other person.
3. Members of the public to be directed to Principal Authority for any electoral roll queries.

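Subject: Parish Newsletter/Resident Surveys
Nature/purpose of processing: Inform residents and gain views of residents
Type of data/where is it from: Resident Names and Contact details - from residents
Who is the data subject? Residents
Lawful basis/bases for processing: Consent
Data Controls: Clerk to retain in a secure place and obtain consent form. Not to be shared.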

Subject: Website
Nature/purpose of processing: Information relating to the Parish is published on the website
Who is the data subject? Members of public
Lawful basis/bases for processing: Consent; compliance with legal obligation
Data Controls:
1. Photographs of individuals shall not be published on the website without the express permission of the individual.
2. Photographs will be deleted after a maximum of two years, and no copy of the photograph shall be retained by the PC.

Subject: Councillor details
Nature/purpose of processing: Clerk retains contact details/gathered for election purposes/published in accordance with Transparency Code and Code of Conduct
Type of data/where is it from: Name, address, contact details, and disclosable pecuniary interests
Who is the data subject? Parish Councillors
Lawful basis/bases for processing: Compliance with legal obligation
Data Controls:
1. Details will be published on website in accordance with statutory requirements.
2. Data will be held by Clerk, on the PC laptop, and will be deleted when a councillor retires from office.
3. Requests for this data from third parties shall be referred to the website.

Subject: Email or letter queries from residents or from other third parties including a request for service, reporting issues or making complaints
Nature/purpose of processing: Correspondence from members of the public/residents/other parties relating to parish matters which may contain personal data.
Type of data/where is it from: Name, address, contact details, with possible sensitive personal data, depending on the nature of the matter; residents provide
Who is the data subject? Members of the Public/Residents
Lawful basis/bases for processing: Public interest; compliance with legal obligation
Data Controls:
1. Any email, letter or other form of query received by the PC which contains personal data will be retained for a maximum of two years.
2. Such data may be stored on the PC laptop, held by the Clerk in a secure place.
3. The agreed privacy notice shall be provided to any person who contacts the PC.
4. In accordance with the agreed privacy notice, such data shall not be shared with any third party without the express permission of the data subject.

Subject: Minutes – matters raised by members of the public at meetings
Nature/purpose of processing: Maintained and published in accordance with Local Government legislation
Type of data/where is it from: Names and possibly other information
Who is the data subject? Residents/members of the public
Lawful basis/bases for processing: Compliance with legal obligation; public interest
Data Controls:
1. Every effort should be made to avoid inclusion of personal data in agenda or minutes. Where personal data or potential identifiers cannot be avoided, these should be kept to a minimum.
2. Members of the public who attend the public forum or the annual meeting should be informed by the Chair that the issue may be included in public minutes, and should give their consent to this before the discussion (consent to be implied as Chair gives the members of the public the chance to withdraw from the meeting if they wish).

Subject: Letter/email to residents asking them to perform actions (e.g. trim trees or hedges)
Nature/purpose of processing: In response to requests made at PC meetings.
Type of data/where is it from: Names, addresses and possibly other personal data provided by residents
Who is the data subject? Residents/members of the public
Lawful basis/bases for processing: Compliance with legal obligation; public interest
Data Controls:
1. Copy to be retained on PC laptop, held by Clerk in a secure place, for a maximum of two years.
2. Information shall not be shared with any third party without express permission of the data subject.

Subject: Council Contracts and Services
Nature/purpose of processing: Carrying out contracting work and services required by the Council
Type of data/where is it from: Names, contact details, qualifications, financial details, details of certificates and diplomas, education and skills; provided in contract applications etc
Who is the data subject? Contractors/Trades persons surveyors, architects, builders, suppliers, advisers, payroll processors
Lawful basis/bases for processing: Contractual necessity
Data Controls:
1. Copy to be retained on PC laptop, held by Clerk in a secure place, for life of contract or 6 months for employment applications.

Consider any other personal data; eg Payroll

Book Hall

Personal data which comes under the control of the PC which does not fit into any of the categories above

Bookings Clerk name & address & email.

Used to ascertain availability of Hall and to pay for use

Names, addresses and possible other personal data.

Used to book Village Hall for meetings

Booking Clerk

Contacted before and after meeting

1. Clerk to process the data in accordance with the data protection principles, always ensuring that personal data is stored securely and not shared with any third party without the express permission of the data subject.

2. Clerk may need to bring report to Council to determine the way in which the data should be controlled.

1) Will get consent to store name and email.

Will be stored securely and deleted when Booking Clerk changes

Completed by: SD Hanson

Date: 22/05/18

Clerk to the Parish Council