Heyshott Parish Council
General Data Protection Policy (GDPR)
The purpose of the policy and background to the General Data Protection Policy (GDPR).
This policy explains GDPR to councillors and the public. Personal data must be processed lawfully, fairly and transparently. Data collected for specific, explicit and legitimate purposes must be adequate, relevant and limited to what is necessary for processing. Data must only be kept for as long as is necessary for processing and must be processed in a manner that ensures its security.

This policy explains the duties and responsibilities of the council and identifies the means by which the council will meet its obligations. GDPR requires that everyone within the council understands the implications of GDPR and that roles and duties are assigned. GDPR requires care by everyone in the council in the sharing of information about individuals, whether as a hard copy or electronically.

A breach of the regulations could result in the council facing a fine from the Information Commissioner's Office (ICO) for the breach itself and also having to compensate the individual(s) who could be adversely affected. Therefore the handling of information is seen as a medium risk to the council (both financially and reputationally) and one which must be included in the Risk Management Policy of HPC. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact statements and minimising who holds data-protected information. If at any time the council is required to hold sensitive data it would have to register with the ICO; at the moment only names and addresses, including email addresses, are held.
A copy of this policy will be available on the HPC website.
1. Heyshott Parish Council (HPC) has to keep certain personal information relating to planning matters, parish matters and people employed by the council. This information is often referred to in the parish minutes and consequently in the newsletter and on the website. Under the General Data Protection Regulation (GDPR) and UK law, Heyshott Parish Council is the ‘data controller’ of that personal information. In normal circumstances the clerk would be the Data Protection Officer (DPO). Since we do not have a clerk, the Councillor responsible for the website, Mrs Bridget Adler, will be the DPO.
2. This document sets out the HPC policy on Data Protection.
Any questions regarding the Data Protection Policy should be addressed to the Chairman of HPC, Anthea Philip, Stable Cottage, Heyshott, Midhurst, West Sussex GU29 0DL.
The personal information is kept securely by the Chairman of HPC in her home and will not be used for any other purposes.
Being transparent and providing information to individuals about how the council uses personal data is a key element of the Data Protection Act (DPA) 1998 and GDPR. The most common way to provide this information is in a privacy notice (see section 4).
3. The GDPR sets out six lawful bases for processing data. Unless an exemption applies, at least one of these will apply in every case, sometimes more than one at the same time. The council must set out in the privacy notices which lawful bases it is relying on. The relevant ones for HPC will be: Consent (not for Councillors), Compliance with legal obligation and Contractual necessity (e.g. with contractors).
(1) Consent
▪ A controller must be able to demonstrate that consent was given. Transparency is key: consents given in written declarations which also cover other matters must be clearly distinguishable, and must be intelligible, easily accessible and in clear and plain language.
▪ Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes – either by a statement or by a clear affirmative action.
(2) Legitimate interests
▪ This involves a balancing test between the controller’s (or a third party’s) legitimate interests and the interests or fundamental rights and freedoms of the data subject – in particular where the data subject is a child. The privacy policy of a controller must inform data subjects about the legitimate interests that are the basis for the balancing of interests.
▪ Please note, councils and parish meetings are public authorities and, under the GDPR, public authorities cannot rely on legitimate interests as a legal basis for processing personal data.
(3) Contractual necessity
▪ Personal data may be processed if the processing is necessary in order to enter into or perform a contract with the data subject (or to take steps prior to entering into a contract).
(4) Compliance with legal obligation
▪ Personal data may be processed if the controller is legally required to perform such processing, e.g. complying with the requirements of legislation.
(5) Vital Interests
▪ Personal data may be processed to protect the ‘vital interests’ of the data subject, e.g. in a life or death situation it is permissible to use a person’s medical or emergency contact information without their consent.
(6) Public Interest
▪ Personal data may be processed if the processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest.
4. Attached to this policy are the Privacy Notices which will be issued. The Privacy Notices detail the HPC approach to Data Protection.
The Privacy Notices set out the following:
i. The ‘lawful reason’ for processing the personal information.
ii. The information HPC holds and how it is obtained.
iii. How the personal information will be kept up to date.
iv. How the information will be used.
v. How long the information will be held for.
vi. The individual’s rights in respect of the information.
vii. Who the individual should contact if there is an issue.
viii. Consent requirement as appropriate.
So, for example, when a planning application is made by an individual, the information is already held by the SDNP and CDC. This information has been given voluntarily and counts as ‘implied consent’. This is sufficient to comply with GDPR. If, however, personal information of a sensitive nature were held, e.g. date of birth, gender or ethnic origin, ‘explicit consent’ would be necessary. This will be held by the Chairman in her home.
6. Any individual in HPC who holds personal information is responsible for its security.
7. Any computer on which HPC personal information is held will be password protected. Any hard copy information will be kept in a secure environment.
8. The information held by HPC will be the minimum necessary for the required purpose.
9. No personal information will be passed to a third party without the specific agreement of the individual.
10. Personal information which is no longer required will be disposed of in a secure manner.
11. All categories of individual are entitled to be told what information HPC holds about them on request and to be given a copy of the information.
12. Where there is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, the personal data, HPC will consider as soon as possible, and within 3 days, what action it needs to take. In the event that the breach might have a significant detrimental effect on the individual(s), the Information Commissioner's Office (ICO) will be informed, together with the individuals concerned.
Information Audit
The DPO must undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information (electronically and in hard copy). If a request is received to delete information, the DPO must respond within 1 month of the request.
13. HPC will review this Data Protection Policy and the necessity to hold the information every year.
AP 22/5/2018
HEYSHOTT PARISH COUNCIL GENERAL DATA PRIVACY NOTICE
Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly from the data itself or by combining it with other information which helps to identify a living individual. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom, including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.
Who are we?
This Privacy Notice is provided to you by the Heyshott Parish Council which is the data controller for your data.
Other data controllers the council works with:
• Other data controllers, such as local authorities
• Community groups
• Charities
• Other not for profit entities
• Contractors
We may need to share your personal data with them so that they can carry out their responsibilities to the council. If we and the other data controllers listed above are processing your data jointly for the same purposes, then the council and the other data controllers may be “joint data controllers” which means we are all collectively responsible to you for your data. Where each of the parties listed above are processing your data for their own independent purposes then each of us will be independently responsible to you and if you have any questions, wish to exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the relevant data controller. A description of what personal data the council processes and for what purposes, is set out in this Privacy Notice.
The council will process some or all of the following personal data where necessary to perform its tasks:
• Names, titles, and aliases
• Contact details such as telephone numbers, addresses, and email addresses;
• Where you pay for activities such as use of a council hall, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
The council will comply with data protection law. This says that the personal data we hold about you must be:
• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept and destroyed securely, including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
We use your personal data for some or all of the following purposes:
• To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;
• To confirm your identity to provide some services;
• To contact you by post, email, telephone or using social media (e.g., Facebook, Twitter, WhatsApp);
• To prevent and detect fraud and corruption in the use of public funds and, where necessary, for law enforcement functions;
• To enable us to meet all legal and statutory obligations and powers including any delegated functions
• To promote the interests of the council
• To maintain our own accounts and records
• To seek your views, opinions or comments
• To notify you of changes to our facilities, services, events and staff, councillors and other role holders
• To process relevant financial transactions including grants and payments for goods and services supplied to the council
• To allow the statistical analysis of data so we can plan the provision of services.
What is the legal basis for processing your personal data?
The council is a public authority and has certain powers and obligations. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the council’s obligations to you.
Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use.
Sharing your personal data
This section provides information about the third parties with whom the council may share your personal data. These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. Occasionally we may need to share your data with some or all of the following (but only where necessary):
• The data controllers listed above under the heading “Other data controllers the council works with”
• Other suppliers and contractors. For example, the Cowdray/Leconfield Estate Office, the parish newsletter or the website may be given your details.
How long do we keep your personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.
Your rights and your personal data
You have the following rights with respect to your personal data. When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
1) The right to access personal data we hold on you
• At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, who has access to the personal data and where we obtained the personal data from. Once we have received your request we will respond within one month.
• There are no fees or charges for the first request but additional requests for the same personal data or requests may be subject to an administrative fee.
2) The right to correct and update the personal data we hold on you
• If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
3) The right to have your personal data erased
• If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold.
• When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it to comply with a legal obligation).
4) The right to object to processing of your personal data or to restrict it to certain purposes only
• You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data.
5) The right to data portability
• You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
6) The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained
• You can withdraw your consent easily by telephone, email, or by post (see Contact Details below).
7) The right to lodge a complaint with the Information Commissioner’s Office.
• You can contact the Information Commissioner’s Office on 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
We keep this Privacy Notice under regular review and we will place any updates on our web page heyshott.org.uk. This Notice was created in May 2018.
Contact Details – Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you, or to exercise any relevant rights, raise queries or make complaints, at: The Data Controller, Heyshott Parish Council.