This policy sets out the way the council manages its the data it holds and processes.

The policy is overseen by the Personnel Committee and was last updated in May 2018.

Data Protection Principles

 

1.1 In complying with the Data Protection Act 2018 the Town Council shall ensure that all data is:

  • Processed fairly, lawfully and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational features

1.2 Where the lawful basis for processing data is consent, the Town Council shall ensure that consent is freely given, unconditional and explicit.

1.3 The Town Clerk shall take any reasonable necessary steps to ensure the security of council data; this shall include to ensure that access to data is limited and that data is disposed of securely.

1.4 The Town Council does not use automated decision making or profiling of individual personal data.

1.5 Regardless of the legal requirement to do so, the Town Council will appoint a Data Protection Officer.

1.6 The Town Council shall ensure that any third party which processes data on its behalf has sufficient data protection, security measures and breach reporting procedures in place and this shall form part of the terms and conditions of any contract entered into.

1.7 Data related to a child (under 13) will not be processed without the express parental/guardian consent of the child concerned

1.8 Members and employees must abide by any procedures developed in accordance with this policy and failure to do may result in disciplinary proceedings or suspension of access to council resources.

1.9 The Town Clerk shall ensure that a Data Audit is undertaken at least annually.

 

Training and Guidance

 

2.1 All members and employees of the council shall receive an induction on Data Protection and training as required.

2.2 The Town Clerk shall maintain a guidance note on Data Protection for both members and employees to provide easy to access guidance on Data Protection practices.

 

Privacy Notices

 

3.1 The Town Clerk shall prepare Privacy Notices as required which will be published on the Town Council website. They shall be reviewed at least annually. Privacy Notices may vary depending on the data being collected/held.

3.2 The Town Council will use a blended approach to provide privacy information to individuals; providing information at the point of collection and reference to the full Privacy Notice where it is not practical to provide the notice in full at the point of collection.

3.3 At collection sufficient information will be given to detail why the data is being collected, how it will be used, how long it will be kept for and whether it will be shared with any third party.

3.4 Privacy Notices will be prepared with reference to guidance from the Information Commissioner’s Office and shall be provided in simple language in a clear font.

 

Breach Reporting

 

4.1 A data breach is defined as a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’

4.2 The Town Clerk shall maintain procedures to safeguard against potential data breaches.

4.3 All data breaches shall be reported to the Town Clerk who shall maintain a record of data breaches and determine, in accordance with Information Commissioner’s Office guidance whether the breach must be notified.

 

Data Protection Impact Assessments

 

5.1 A Data Protection Impact Assessment is a process to identify and minimize the data protection risks of a project. It is mandatory for certain types of data processing or processing which is likely to result in a high risk to individuals’ interests.

5.2 The Town Clerk shall prepare procedures for determining if a DIPA is required and the undertaking of the same

 

Data Retention

 

6.1 The Town Council will only keep data for as long as it is necessary to do so.

6.2 The council’s standard data retention requirements are detailed in Annex A.

6.3 Data (electronic or physical) should only be disposed of if reviewed in accordance with the following:

  • Is retention required to fulfil a statutory or regulatory requirement?
  • Is retention required to meet the operational needs of a service?
  • Is retention required to evidence events in the case of dispute?
  • Is retention required because the document/record is of historic interest or intrinsic value?

6.4 All records containing personal information must be destroyed at the end of the retention period.

6.5 Where documents are of historical interest it may be appropriate that they are transmitted to the County Records Office or Knutsford Heritage Centre.

6.6 Retention periods may be increased by government regulation, judicial or administrative constraint order, contract, pending litigation or audit requirements and such modifications shall supersede the requirements in Annex A.

 

Data Subject Rights

 

7.1 A data subject has the right to:

  • Access their information
  • Correct information held which they believe is incorrect
  • Request information is deleted
  • Object to the processing of data
  • Request data is transferred to another data controller
  • Withdraw consent for processing of data
  • Lodge a complaint with the Information Commissioner’s Office

7.2 A data subject wishing to exercise their rights may do so by contacting the Town Clerk.

 

Review and Monitoring

 

8.1 This policy shall be reviewed periodically and in light of experience, comments from data subjects and guidance from the Information Commissioners Office.

 

Annex A: Data Retention Schedule

General

DOCUMENT MINIMUM RETENTION PERIOD REASON
Signed Minutes Indefinite Archive, Public Inspection
Agendas 5 years Management
Title Documents / Deeds Indefinite Audit, Management
Contracts / Leases Indefinite Management
E-mail (excluding SPAM) 2 years Local Choice
Register of Members’ Interests 1 year after end of service Local Choice
Members’ allowances register 6 years Tax, Limitation Act
Strategic Plans, Annual Reports etc Permanent Archive once superseded Common Practice
Policies and Operational procedures 7 years after superseded Local Choice
Legal / Litigation Files Active + 7 years Local Choice
Commercial Debt Recovery Matters Active + 2 years Local Choice
Complaints Records 6 years Common Practice

 

Financial

DOCUMENT MINIMUM RETENTION PERIOD REASON
Audited Accounts Indefinite
Accounting Records (invoices, VAT records etc) 6 years VAT
Bank Statements, Paying in / Cheque Book stubs Last completed audit year Audit
Insurance company names and policy numbers Indefinite Management
Insurance policies Whilst valid
Employer’s Liability Certificates 40 years from commencement/renewal Statute
Budgets Indefinite
Quotations and Tenders 6 years Limitations Act
Payroll Records 12 years Supperannuation

 

Employment

DOCUMENT MINIMUM RETENTION PERIOD REASON
Timesheets 7 years Personal Injury
Recruitment Documents 5 years Local Choice
Documents on Persons Not Hired 1 year Equal Opportunities Claims
Accident or Injury at Work 7 years Local Choice
Personnel Administration (inc. CVs, appraisal disciplinary records, contracts, pay awards etc) 6 years after person leaves council except staff working with children (25 years) Local Choice and Statutory
Personnel Service Record (Name, position, dates of employment, pay levels etc) Indefinite Local Choice

 

Services

DOCUMENT MINIMUM RETENTION PERIOD REASON
Market Licence Holder Records 6 years after leaving market Management
Room Booking / Hire Records 3 years Management

 

Glossary

 

Privacy Notice Gives information to data subjects on what data is being held and why, how it will be processed and their rights.

Data Protection Impact Assessment A process to help you identify and minimise the data protection risks of a project.

Data Audit A process of recording what data is held and the lawful purposes for which it is held, who it is shared with etc.

Data Controller The person in control of data, in most cases this is the Town Council as a corporate body.

Data Protection Officer Their role is to advise the council on Data Protection issues and have a role to play in Data Protection Impact Assessments.

Data Subject An individual who is the subject of personal data