GDPR

GDPR - Your information

How the information you provide will be used

General Data Protection Regulation  - Any personal information including your name, postal address, telephone number, and email address given via this website/form (or via direct postal or electronic contact with the council) will only be used to provide a requested service or other service provided by or on behalf of Withern with Stain Parish Council, kept for as long as necessary to provide that service and will not be disclosed to any other third party without your prior permission or unless we are required to do so by law.

------------------------------------------------------------

GDPR - Privacy Notice

Withern with Stain Parish Council complies with the General Data Protection Regulation (GDPR) law which comes into effect on 25 May 2018 and supersedes the Data Protection Act 1998. We are committed to keeping your personal information accurate and up to date. We will not keep your information longer than necessary.

This privacy notice explains how we use your personal information and the ways in which we protect your privacy. This notice applies to all personal data collected for or on behalf of the Withern with Stain Parish Council. This includes information collected by letter, email, face to face, telephone or online. You may also receive a privacy notice specific to the service you are receiving.

The Council is the data controller and the Parish Clerk is the data processor and the data protection officer.

By using our site or communicating with the Parish Council you agree to accept this privacy notice. This notice may be reviewed from time to time so please check back here each time you submit personal data to us.

How we use your personal information
We collect and use your personal information so we can provide you with statutory and other services. We use your information for the purpose for which you provided the information, including the delivery of services for you. We also use this information to monitor our performance in responding to your request.

We use your information in the following ways:

to tell you about services and provide services appropriate to you, for example highlighting additional help or services available to you.

for insight purposes to allow us to analyse patterns and trends of service usage

for service and financial planning, to help us create policy and inform decision making, e.g. identifying where new facilities/infrastructure are most needed

to process financial transactions including payments involving the Parish Council or where the Council is acting on behalf of other government bodies, eg East Lindsey District Council

to help us to verify your identity if you ask us for services

to ensure that the council meets its duties, including those imposed by the Equality and Health and Safety Acts

where necessary for law enforcement functions, eg licensing, planning enforcement, trading standards and food safety where the Parish Council is legally obliged to carry out such processing.

to help investigate any concerns or complaints you may have about the services you receive

where otherwise allowed under law. For further information on the General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018, please refer to the Information Commissioner’s website

Services such as education and social care, protection of vulnerable children and adults, and the support of public health and wellbeing may involve collecting, using and sharing sensitive personal data as defined by law. We do not disclose or share sensitive or confidential information without your explicit consent except in a small number of situations where disclosure is allowed by law, or where we have good reason to believe that failing to do so would put you or someone else at risk.

The Parish Council is obliged to protect public funds. We may use personal information and data-matching techniques to help us to detect and prevent fraud and ensure public money is spent in the most appropriate and cost-effective way. In order to achieve this, we may share information with other organisations which audit or administer public funds. This includes the Audit Commission, other local authorities, HM Revenue and Customs, and the Police.

The Parish Council may record some telephone conversations. The reasons for this include to help with staff training, to maintain records of conversations, to help with the detection, investigation and prevention of crime. We will tell you if your call is being recorded.

We may use personal information to identify people who will need extra support during emergencies or major incidents e.g. emergency evacuation.

We are keen to ensure that we are providing the services that are needed and may contact you to make you aware of services or support which could be of interest to you. We may invite you to sign up for other services at the same time (for example, a regular mailing list). You can choose not to accept this invitation.

We may also ask for feedback on how we are performing, or ask for your views on services which you have been using.

You may not want us to collect or share your personal information, or you may set conditions on how we can use it. In these cases we may not be able to provide you with the service you need, or may only be able to provide it in a limited way. There are occasions when we have a statutory obligation to collect or use personal information. In those cases we will not be able to agree to your request.

We may use ethnic, gender, sexual orientation and age information (ie, equalities data) to compile statistics in order to comply with equality legislation and assist in planning and service provision. Such data does not identify individuals or affect your entitlement to services.

Data protection issues associated with the Electoral Roll are the responsibility of East Lindsey District Council.  The Clerk is sent a copy of the electoral roll, with updates throughout the year.  The Parish Council does not permit any third party to view this document.

All paper documents are stored at the Clerk’s home. 

All computer records are stored on a password protected laptop, with anti-virus software, at the Clerk’s home.

The Parish Council does not utilise Cloud storage.

Data is only used for the purpose for which it has been provided.

The Parish Council does not share or sell data, and never has done.

Third parties
The information we collect may be shared between Parish Council services and with other organisations, such as government bodies, the Police, health and social care organisations providing you with services and educational establishments.

We will only share your personal information when we are permitted to or are required to by law or we have your consent to do so as required by law.

The Parish Council does not pass personal data to other organisations for marketing purposes without your consent. Your personal information may be processed by an external service provider acting on our behalf to provide services.

Email
Emails that we send to you or you send to us may be kept as a record of contact. We may also store your email address for future use. If we need to email sensitive or confidential information to you, we will check that we are using the correct email address and may use additional security measures. If you need to send us sensitive information, we recommend using encrypted email or the postal service.

Your rights
You can ask us to stop processing your personal data in relation to any Parish Council service. This may delay or prevent us delivering a service to you. We will try to meet your request but we may be required to hold or process information to meet our legal duties.

You are entitled to request access to and a copy of any information we hold about you.

If you find that the information that the Parish Council holds about you is no longer accurate, you have the right to ask to have this corrected. We may not always be able to change or remove the information. However, we will correct factual inaccuracies and may include your comments in the records.

Visitors to this web site

When someone visits this website, we or the website administrators use a third party service, such as Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We and they do this to find out things such as the number of visitors to the various parts of the site. This information is only processed by us in a way which does not identify anyone. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

By using our site you agree to accept this privacy notice. This notice may be reviewed from time to time so please check back here each time you submit personal data to us.

Security and Performance

We use a third party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to the site.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Use of Cookies

This site uses cookies to maintain and keep track of users’ preferences and authenticated sessions, to identify technical issues, user trends and effectiveness of campaigns, and to monitor and improve the overall performance.

Disclosure of personal information

We collect contact details via the web site for the purposes of providing a service to existing and potential correspondents and residents. We will never disclose personal details without the consent of the owner unless required to by law. Details are only held for as long as is necessary for Parish Council business, normally not more than 7 years.

Access to personal information

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the General Data Protection Regulations. If we do hold information about you we will:

    •      give you a description of it;

    •      tell you why we are holding it;

    •      tell you who it could be disclosed to; and

    •      let you have a copy of the information in an intelligible form.

Please make any such request in writing via our Data Protection Officer, the Parish Clerk: Parishclerkwithernstain@gmail.com or by post. We will normally respond within 30 days.

----------------------------------------------------------------------------------------------------------

General Data Protection Regulation Policy

 

Adopted: 24th April 2018

To be reviewed: May 2019

Purpose of the policy and background to the General Data Protection Regulation

This policy explains to councillors, staff and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR which apply in the UK from May 2018. The Government have confirmed that despite the UK leaving the EU, GDPR will still be a legal requirement. This policy explains the duties and responsibilities of the council and it identifies the means by which the council will meet its obligations.

Identifying the roles and minimising risk

GDPR requires that everyone within the council must understand the implications of GDPR and that roles and duties must be assigned. The Council is the data controller and the Clerk/RFO is the Data Protection Officer (DPO). It is the DPO’s duty to undertake an information audit and to manage the information collected by the council, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information. This will be included in the Job Description of the Clerk/RFO/DPO.

Appointing the Clerk as the DPO must avoid a conflict of interests, in that the DPO should not determine the purposes or manner of processing personal data.

GDPR requires continued care by everyone within the council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and also to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as medium risk to the council (both financially and reputationally) and one which must be included in the Risk Management Policy of the council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the council undertaking training in data protection awareness.

 

Data breaches

One of the duties assigned to the DPO is the investigation of any breaches. Personal data breaches should be reported to the DPO for investigation. The DPO will conduct this with the support of the Parish Council.  Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will also have to notify those concerned directly.

It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.

Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what a council does with their personal information. A privacy notice will contain the name and contact details of the data controller and Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice must be detailed on the Information Audit kept by the council. The council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved. All privacy notices must be verifiable.

Information Audit

The DPO must undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the council undertakes a new activity. The information audit review should be conducted ahead of the review of this policy and the reviews should be minuted.

Individuals’ Rights

GDPR gives individuals rights with some enhancements to those rights already in place:

    •      the right to be informed

    •      the right of access

    •      the right to rectification

    •      the right to erasure

    •      the right to restrict processing

    •      right to data portability

    •      the right to object

    •      the right not to be subject to automated decision-making including profiling.

The two enhancements of GDPR are that individuals now have a right to have their personal data erased (sometimes known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.

If a request is received to delete information, then the DPO must respond to this request within a month. The DPO has the delegated authority from the Council to delete information. 

If a request is considered to be manifestly unfounded then the request could be refused or a charge may apply. The charge will be as detailed in the Council’s Freedom of Information Publication Scheme. The Parish Council will be informed of such requests.

Children 

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.

Summary

The main actions arising from this policy are: 

    •      The Council must be registered with the ICO.

    •      A copy of this policy will be available on the Council’s website. The policy will be considered as a core policy for the Council.

    •      The Clerk’s Contract and Job Description (if appointed as DPO) will be amended to include additional responsibilities relating to data protection.

    •      An information audit will be conducted and reviewed at least annually or when projects and services change.

    •      Privacy notices must be issued.

    •      Data Protection will be included on the Council’s Risk Management Policy.

    •      The Parish Council will manage the process.

This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO. All employees, volunteers and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council.

------------------------------------------------------------

GDPR - Your information

How the information you provide will be used

General Data Protection Regulation  - Any personal information including your name, postal address, telephone number, and email address given via this website/form or via direct postal and electronic communication will only be used to provide a requested service or other service provided by or on behalf of Withern with Stain Parish Council, kept for as long as necessary to provide that service and will not be disclosed to any other third party without your prior permission or unless we are required to do so by law.