Records management policy

Where data is transferred to another organisation, we must take steps to ensure the safety of the records during the transportation or transmission process. This should include:

• password protection - the password should, wherever possible, be conveyed via a different medium; for example, do not email password details and then also email the password protected data
• encryption
• the use of secure email servers
• minimisation of personal/sensitive personal data to what is needed only
• sending data by secure online portals with limited access

Data processors

Where the Council has contracted a third-party supplier to process Council data on its behalf, we must take steps to ensure that the data processor complies with security and technical measures to protect this document in line with data protection legislation. These steps include relevant clauses being inserted into our contracts as required under Article 28 UK General Data Protection Regulation. You will also need to undertake due diligence by asking appropriate questions regarding security and technical measures taken where suppliers will be processing Council personal data.

An example of data processors may be where we contract a third party to provide and administer an IT system to our instruction on which we store our customers' personal data.

Systematic data sharing with data controllers

Where we share personal data systematically with other data controllers, we should have a data sharing agreement in place which sets out the details of the data sharing. Where we share personal data, we will ensure we are compliant with data protection legislation.   

Some examples of where we may require a data sharing agreement include where we share personal data with another local authority for election purposes, where we share data with a housing association, or where we share data to deliver the Neighbourhoods that Work project.