This policy sets out the way the council manages the data it holds and processes.
The policy is overseen by the Personnel Committee and was last updated in May 2018.
Data Protection Principles
1.1 In complying with the Data Protection Act 2018 the Town Council shall ensure that all data is:
- Processed fairly, lawfully and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed
- Processed in a manner that ensures appropriate security of the personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational features
1.2 Where the lawful basis for processing data is consent, the Town Council shall ensure that consent is freely given, unconditional and explicit.
1.3 The Town Clerk shall take any reasonable necessary steps to ensure the security of council data; this shall include ensuring that access to data is limited and that data is disposed of securely.
1.4 The Town Council does not use automated decision making or profiling of individual personal data.
1.5 Regardless of the legal requirement to do so, the Town Council will appoint a Data Protection Officer.
1.6 The Town Council shall ensure that any third party which processes data on its behalf has sufficient data protection, security measures and breach reporting procedures in place and this shall form part of the terms and conditions of any contract entered into.
1.7 Data related to a child (under 13) will not be processed without the express parental/guardian consent of the child concerned.
1.8 Members and employees must abide by any procedures developed in accordance with this policy and failure to do so may result in disciplinary proceedings or suspension of access to council resources.
1.9 The Town Clerk shall ensure that a Data Audit is undertaken at least annually.
Training and Guidance
2.1 All members and employees of the council shall receive an induction on Data Protection and training as required.
2.2 The Town Clerk shall maintain a guidance note on Data Protection for both members and employees to provide easy-to-access guidance on Data Protection practices.
Privacy Notices
3.1 The Town Clerk shall prepare Privacy Notices as required which will be published on the Town Council website. They shall be reviewed at least annually. Privacy Notices may vary depending on the data being collected/held.
3.2 The Town Council will use a blended approach to provide privacy information to individuals, providing information at the point of collection and a reference to the full Privacy Notice where it is not practical to provide the notice in full at the point of collection.
3.3 At collection, sufficient information will be given to detail why the data is being collected, how it will be used, how long it will be kept for and whether it will be shared with any third party.
3.4 Privacy Notices will be prepared with reference to guidance from the Information Commissioner’s Office and shall be provided in simple language in a clear font.
Breach Reporting
4.1 A data breach is defined as a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
4.2 The Town Clerk shall maintain procedures to safeguard against potential data breaches.
4.3 All data breaches shall be reported to the Town Clerk, who shall maintain a record of data breaches and determine, in accordance with Information Commissioner’s Office guidance, whether the breach must be notified.
Data Protection Impact Assessments
5.1 A Data Protection Impact Assessment is a process to identify and minimize the data protection risks of a project. It is mandatory for certain types of data processing or processing which is likely to result in a high risk to individuals’ interests.
5.2 The Town Clerk shall prepare procedures for determining if a DPIA is required and the undertaking of the same.
Data Retention
6.1 The Town Council will only keep data for as long as it is necessary to do so.
6.2 The council’s standard data retention requirements are detailed in Annex A.
6.3 Data (electronic or physical) should only be disposed of if reviewed in accordance with the following:
- Is retention required to fulfil a statutory or regulatory requirement?
- Is retention required to meet the operational needs of a service?
- Is retention required to evidence events in the case of dispute?
- Is retention required because the document/record is of historic interest or intrinsic value?
6.4 All records containing personal information must be destroyed at the end of the retention period.
6.5 Where documents are of historical interest it may be appropriate that they are transmitted to the County Records Office or Knutsford Heritage Centre.
6.6 Retention periods may be increased by government regulation, judicial or administrative constraint order, contract, pending litigation or audit requirements and such modifications shall supersede the requirements in Annex A.
Data Subject Rights
7.1 A data subject has the right to:
- Access their information
- Correct information held which they believe is incorrect
- Request information is deleted
- Object to the processing of data
- Request data is transferred to another data controller
- Withdraw consent for processing of data
- Lodge a complaint with the Information Commissioner’s Office
7.2 A data subject wishing to exercise their rights may do so by contacting the Town Clerk.
Review and Monitoring
8.1 This policy shall be reviewed periodically and in light of experience, comments from data subjects and guidance from the Information Commissioner’s Office.
Annex A: Data Retention Schedule
General
DOCUMENT | MINIMUM RETENTION PERIOD | REASON |
Signed Minutes | Indefinite | Archive, Public Inspection |
Agendas | 5 years | Management |
Title Documents / Deeds | Indefinite | Audit, Management |
Contracts / Leases | Indefinite | Management |
E-mail (excluding SPAM) | 2 years | Local Choice |
Register of Members’ Interests | 1 year after end of service | Local Choice |
Members’ allowances register | 6 years | Tax, Limitation Act |
Strategic Plans, Annual Reports etc | Permanent Archive once superseded | Common Practice |
Policies and Operational procedures | 7 years after superseded | Local Choice |
Legal / Litigation Files | Active + 7 years | Local Choice |
Commercial Debt Recovery Matters | Active + 2 years | Local Choice |
Complaints Records | 6 years | Common Practice |
Financial
DOCUMENT | MINIMUM RETENTION PERIOD | REASON |
Audited Accounts | Indefinite | |
Accounting Records (invoices, VAT records etc) | 6 years | VAT |
Bank Statements, Paying in / Cheque Book stubs | Last completed audit year | Audit |
Insurance company names and policy numbers | Indefinite | Management |
Insurance policies | Whilst valid | |
Employer’s Liability Certificates | 40 years from commencement/renewal | Statute |
Budgets | Indefinite | |
Quotations and Tenders | 6 years | Limitation Act |
Payroll Records | 12 years | Superannuation |
Employment
DOCUMENT | MINIMUM RETENTION PERIOD | REASON |
Timesheets | 7 years | Personal Injury |
Recruitment Documents | 5 years | Local Choice |
Documents on Persons Not Hired | 1 year | Equal Opportunities Claims |
Accident or Injury at Work | 7 years | Local Choice |
Personnel Administration (inc. CVs, appraisal disciplinary records, contracts, pay awards etc) | 6 years after person leaves council except staff working with children (25 years) | Local Choice and Statutory |
Personnel Service Record (Name, position, dates of employment, pay levels etc) | Indefinite | Local Choice |
Services
DOCUMENT | MINIMUM RETENTION PERIOD | REASON |
Market Licence Holder Records | 6 years after leaving market | Management |
Room Booking / Hire Records | 3 years | Management |
Glossary
Privacy Notice: Gives information to data subjects on what data is being held and why, how it will be processed and their rights.
Data Protection Impact Assessment: A process to help you identify and minimise the data protection risks of a project.
Data Audit: A process of recording what data is held and the lawful purposes for which it is held, who it is shared with etc.
Data Controller: The person in control of data; in most cases this is the Town Council as a corporate body.
Data Protection Officer: Their role is to advise the council on Data Protection issues and to play a role in Data Protection Impact Assessments.
Data Subject: An individual who is the subject of personal data.