PURPOSE

Fordingbridge Town Council needs to collect and use certain types of information about people in order to effectively carry out its day to day operations, many of which are statutory duties; maintain our accounts and records; manage and support our employees

The Council process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family details
  • lifestyle and social circumstances
  • education and employment details
  • financial details
  • goods and services
  • We may also process sensitive classes of information that may include: physical or mental health details; racial or ethnic origin; political opinion; religious or other beliefs; Trade Union membership; criminal proceedings or convictions; sexual life

PEOPLE

We process personal information about:

  • employees
  • suppliers
  • complainants, enquirers
  • business contacts
  • professional advisers and consultants
  • residents of the parish
  • elected representatives and holders of public office
  • members of the parish council

LAW

Fordingbridge Town Council recognises its responsibility to comply with the Data Protection Act 1998 and the General Data Protection Regulation. The lawful and correct treatment of personal information must be dealt with properly, however it is collected, recorded or used – whether on paper, electronically, or other material. Personal data is defined as any information relating to an identified or identifiable natural person (Data Subject).

THE DATA PROTECTION ACT: The Data Protection Act 1998 set out high standards for the handling of personal information and protecting individuals’ rights for privacy. It also regulates how information can be collected, handled and used. The Data Protection Act applies to anyone holding information about people electronically or on paper.

THE GENERAL DATA PROTECTION REGULATION: The General Data Protection Regulation 2018 says that the information provided to people about how we process their personal data must be concise, transparent, intelligible and easily accessible, written in clear and plain language, particularly if addressed to a child and free of charge.

PROCESS

Fordingbridge Town Council has procedures in place to ensure that it complies with The Data Protection Act 1998 and the General Data Protection Regulation 2018 when holding personal information.  The Council will follow procedures that aim to ensure all employees, elected members, contractors, agents, consultants, partners or other servants of the council who have access to any personal data held by or on behalf of the council, are fully aware of and abide by their duties and responsibilities under the Acts.

When dealing with personal data, Fordingbridge Town Council staff and Councillors must ensure that:

  • IT IS PROCESSED FAIRLY AND LAWFULLY. This means that information should only be collected from individuals if staff and Councillors have been open and honest about why they want the information.
  • IT IS PROCESSED FOR SPECIFIED PURPOSES ONLY
  • IT IS RELEVANT TO WHAT IT IS NEEDED FOR. Data will be monitored so that too much or too little is not kept; only data that is needed should be held.
  • IT IS ACCURATE AND KEPT UP TO DATE. Personal data should be accurate, if it is not it should be corrected.
  • IT IS NOT KEPT LONGER THAN IT IS NEEDED
  • IT IS PROCESSED IN ACCORDANCE WITH THE RIGHTS OF INDIVIDUALS. This means that individuals must be informed, upon request, of all the information held about them.
  • IT IS KEPT SECURELY. This means that only staff and Councillors can access the data, it should be stored securely so it cannot be accessed by members of the public.
  • SHALL NOT BE TRANSFERRED TO A COUNTRY OR TERRITORY OUTSIDE THE EUROPEAN ECONOMIC AREA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Fordingbridge Town Council will act as the Data Controller – to agree how and why personal data is processed.  Before any new projects start the Data Controller must carry out a Data Protection Impact Assessment.

Fordingbridge Town Council has appointed IAC Ltd (internal auditor) as the designated Data Protection Officer (DPO).  The DPO will advise the Council on their legal obligations, monitor compliance, be responsible for implementation of policies, and act as a point of contact for the regulator (Information Commissioners Office – ICO).

All employees and members managing and handling personal information will be appropriately trained and supervised.  The Town Clerk and Council employees will act on behalf of the Data Controllers behalf, as Data Processors.  All enquiries about handling of personal information will be dealt with promptly and courteously.

COLLECTING DATA

Fordingbridge Town Council recognises its responsibility to be open with people when taking personal details from them and positive consent must be demonstrated by the Council to hold the information (positive “opt-in”). This means that staff must be honest about why they want a particular piece of information. If, for example, a member of the public gives their phone number to staff or a member of Fordingbridge Town Council, this will only be used for the purpose it has been given and will not be disclosed to anyone else.

Data may be collected via the Town Council’s website – the ‘Contact Us’ form.  The webpage contain policy statements about how the data will be stored and used.

STORING AND ACCESSING DATA

Fordingbridge Town Council may hold information about individuals such as their addresses and telephone numbers.  These are kept in a secure location at the Town Hall and Information Office and are not available for the public to access.  All data stored on a computer is password protected.  Once data is not needed anymore, if it is out of date or has served its use, it will be shredded or deleted from the computer.

The Town Council is aware that people have the right to access any information that is held about them (Data Subject Access Requests).  A request must be made in writing and contain sufficient information to enable the request to be processed, the identity of the data subject must be verified before releasing data.  If a person requests to see any data that is being held about them:-

  • They must be sent all of the information that is being held about them
  • There must be explanation for why it has been stored
  • There must be a list of who has seen it
  • It must be sent within one month
  • Requests that are manifestly unfounded or excessive may be refused or a charge made
  • If a request is refused, a reason must be given.
  • If an individual requests that their data is rectified or erased, this will be carried out, unless there is a legal reason that prevents this from taking place..

There are certain classes of data that are exempt from the data subject access provisions.

DISCLOSURE OF INFORMATION

If an elected member of the council, for example a councillor needs to access information to help carry out their duties, this is acceptable. They are only able to access as much information as necessary and it should only be used for that specific purpose. If for instance someone has made a complaint about over hanging bushes in a garden, a councillor may access an address and telephone number of the person who has made the complaint so they can help with the enquiry. They can only do this providing they represent the area that the subject lives in. However, before they access any sensitive information about a person, they would need consent to do this from the Town Clerk.  Data should never be used for political reasons unless the data subjects have consented.

We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

Where necessary or required we share information with:

  • suppliers and service providers
  • persons making an enquiry or complaint
  • local government
  • family, associates and representatives of the person whose personal data we are processing
  • current, past and prospective employers

Any applications, representations, objections or other documents received by the Council that are published on the website will have personal telephone numbers, e-mail addresses, and all signatures removed before publication.

CONFIDENTIALITY

Fordingbridge Town Council staff must be aware that when complaints or queries are made, they must be remain confidential unless the subject gives permission otherwise. When handling personal data, this must also remain confidential. If a data breach is identified the ICO must be informed and an investigation will be conducted.  Notification must take place within 72 hours.

Data Protection Registration

Organisation Name: FORDINGBRIDGE TOWN COUNCIL

Registration Reference: Z7891853

Registration Expiry: 12/05/2019

Organisation address: 63 High Street, Fordingbridge, SP6 1AS

Nature of work description: Provision of council services

To be adopted by Fordingbridge Town Council

Chair               Paul Anstey                                         Date: 23rd May 2018

Document created:                 May 2018

Approved:                               May 2018

For review:                              May 2019 (or as required)