Data protection policy

This policy forms part of the Council's data and information handling policies and should be read in conjunction with the Freedom of Information and Environmental Information Policies.

This policy has been written to ensure that the council complies with its obligations and statutory requirements under the United Kingdom General Data Protection Regulation and the Data Protection Act 2018.

This policy seeks to establish a standard set of conditions, and a framework for data protection within the Council. The Policy is designed to ensure that there are clear internal arrangements for the effective management of data protection.

Review

This Policy will be reviewed on a biennial basis with the next review date being July 2024. Reviews will be subject to scrutiny and, from time to time, updates and re-issues will be circulated.  However, the policy will be reviewed sooner if a weakness in the policy is highlighted, in the case of new risks, and/or changes in legislation.

Great Yarmouth Borough Council lawfully processes information about its residents, Members, employees, customers and other individuals in order to carry out its everyday business and to fulfil its public functions.

Great Yarmouth Borough Council is committed to protecting the rights of privacy and processing will be conducted fairly, lawfully and transparently in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, Guidance issued by the Information Commissioner's Officer (the ICO) and all other applicable data protection law ('Data Protection Legislation').

Data subjects have legal rights including the right to request access to their data; rectification of an error; erasure of their details; restriction of processing; portability of their data; and to object to processing. To find out more about these rights please see paragraph 7.

This Policy must be read and complied with by all permanent staff, temporary staff, Councillors, Partner Organisations, other authorised third parties (suppliers and contractors) and all other authorised users. It must be adhered to when processing any of Great Yarmouth Borough Council's personal data.

This policy is open to all internal and external stakeholders and is available on the Council's website.

Data Protection Legislation requires all public authorities to designate a Data Protection Officer. The Data Protection Officer for Great Yarmouth Borough Council is involved in matters which relate to the protection of personal data and is required to monitor compliance, provide advice and to cooperate/communicate with the Regulator as required. In the absence of the Data Protection Officer there will be a duly designated person or persons who will deputise.

The Senior Information Risk Owner (SIRO) is responsible for ensuring information assurance controls are in place.

The Executive Leadership Team is responsible for developing and encouraging robust information handling practices within the Council.

Data champions have been nominated from across the Council who have received additional training and help to ensure that all the Council services maintain our high standards.

Beyond this, compliance with Data Protection Legislation is the responsibility of everyone that processes personal data on behalf of the Council. The Council, through its staff, Members and authorised third parties, is responsible for ensuring that any personal data is processed in accordance with Data Protection Legislation.

All processing of personal data must be done in accordance with the data protection principles as prescribed in data protection legislation:

• personal data shall be processed lawfully, fairly & transparently ('lawfulness, fairness and transparency')
• personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation')
• personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')
• personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay ('accuracy')
• personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation')
• personal data shall be processed in a manner that ensures appropriate security of the personal data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')

Furthermore, as a Data Controller Great Yarmouth Borough Council are responsible for, and required to demonstrate compliance with the principles ('accountability'). The Council's accountability is demonstrated in numerous ways, including:

• the provision of mandatory data protection training, refresher training and advanced training for Data Champions
• the assignment of responsible individuals across the organisation (as set out at Section 2) including the assignment of the Data Protection Officer and Data Champions from across service areas who help to maintain high standards of data privacy and attend regular meetings
• through the application of Council policies which are all regularly reviewed, promoted and accessible and read by all new employees
• through a robust internal audit system

Personal data will be lawfully processed by the Council at all times. There are six ways in which lawful processing can occur, however only five of these are available to the Council as a public authority in the performance of their public tasks.

The ways of lawful processing under Article 6(1) UK GDPR are:

1. the data subject consents to the processing for one or more specific purpose
2. in the performance of a contract to which the data subject is a party
3. in compliance with a legal obligation
4. it is necessary to protect the vital interests of the data subject
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller
6. processing is necessary for the purposes of the legitimate interests pursued by the controller of by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

When Great Yarmouth Borough Council exercises its official obligation to provide services, the lawful ground generally used will be Article 6(1)(e).

Consent

The Council hereby acknowledges the Regulator's guidance on Consent which identifies that public authorities will rarely be able to use consent as their lawful processing ground. However, where consent is the lawful processing ground used this will be:

• clearly identified and sought in a transparent, plain and clear manner ensuring compliance with the ICO's guidance
• able to put individuals in control of their data, build trust and engagement and maintain the Council's high-standards.
• important in providing genuine choice and control. It will be an affirmative action and will not be deemed or gathered by pre-ticked or opt-out boxes
• as easy to withdraw as it was to provide consent; we will clearly explain how consent can be withdrawn and continue to do so in future interactions
• reviewed and refreshed regularly
• acted upon, ensuring that appropriate action is taken to prevent further processing where consent is withdrawn

When we collect personal information from data subjects we will be clear and transparent about this in what is termed, a privacy notice. Data protection legislation stipulates the information which must be provided.

You can see further details of our privacy notices both on the specific forms and on our website.

A privacy notice includes the details as set out under the UK GDPR at Article 13. We set this out in a clear and accessible manner explaining details such as:

• who we/the joint data controller is
• the contact details of the Council's Data Protection Officer
• the purpose we are collecting the data for and our legal basis for doing so
• the recipients of this data
• how long we store this data for or otherwise our retention criteria
• your rights
• and dependent upon the issue, we may also include additional information in compliance with the legislation

Please note sometimes this information will be layered.

The Council implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks.

All staff are responsible for ensuring that any personal data which they hold is kept securely and that they are not disclosed to any unauthorised third parties.

All personal data should be accessible only to those who need to use it. To ensure an appropriate level of security, we will consider the following:

• storing the data in a secure access controlled room
• storing the data in a locked drawer or filing cabinet
• if computerised, we will limit accessibility and ensure it is kept on a secure system
• if it is required to be taken off site, storage will be considered on an encrypted disk or where it is in paper form, in a locked case
• care will be taken to ensure that PCs and screens are only visible to authorised individuals
• computer passwords will be kept confidential

We ensure that care is taken with the safe disposal or deletion of data ensuring systematic and secure destruction in line with the Council's Records Management policy and the Retention Schedule.

Where data is transferred to a third-party individual or organisation, we take steps to ensure that the data remains secure both in transit and upon receipt. We cannot however be held responsible for data once it reaches the third party unless they are an authorised data processor for the Council, in which case we take due diligence to ensure they meet Council standards of security.

The Council has in place measures which ensure compliance with security requirements.

The Council is committed to ensuring that any data breaches are promptly reported internally and robustly investigated by the Data Protection Officer and that mitigating steps are taken at the earliest opportunity. Where legally required the Data Protection Officer will notify the Information Commissioner's Office of any relevant breaches in line with the Council's Breach Notification Procedure.

 Data protection legislation provides individuals with the right to:

• access their data
• be informed
• port their data
• erase their data
• object to the processing
• rectify their data
• restrict the processing
• rights in relation to automated decision making and profiling

The rights set out above are not absolute rights and may be dependent upon the lawful processing ground used. Furthermore, they may be subject to an exception or an exemption as set out under Data Protection Legislation.

We will take reasonable authentication steps to verify your identity. We will ordinarily request to see two original forms of identification as detailed on our Subject Access Request Form.

Where one of the rights detailed above are exercised, these will be actioned by the Council without undue delay and ordinarily within one calendar month. This time may, on occasion, be extended by up to two months, in compliance with data protection legislation. Where it is necessary to extend this time we will the data subject of the reasons for this delay.

The Data Protection Officer

The Data Protection Officer and team can be contacted by e-mail at gdpr@great-yarmouth.gov.uk.

Subject access request

A subject access request made in electronic form will ordinarily be responded to in the same format, unless otherwise requested.

A charge will not usually be made for a subject access request. Data protection legislation prescribes that a charge could only be made whereby further copies of personal data are requested by a data subject or where a request is manifestly unfounded or excessive. In these circumstances, the Council will make an assessment as to whether we have the resources to deal with the request in line with Article 12 (5) of the UK GDPR or whether this will be refused under Article 12(5)(b).

Automated decision making

In order to improve the efficiency of services, we may use automated decision-making processes in compliance with Article 22(2) of the UK GDPR. If an automated decision is made about you that is significant (one that has a legal effect, or otherwise significantly affects you), you will be notified of this, together with your rights to challenge this decision.

The privacy notices displayed in the Privacy notices and statements section of our website detail where and how the Council carries out automated decisions.

You also have a right to lodge a complaint with the Information Commissioner's Office.

• Address:
  Information Commissioner's Office
  Wycliffe House
  Water Lane
  Wilmslow
  Cheshire
  SK9 5AF
• Website: https://ico.org.uk/
• Telephone: 0303 123 1113

Personal data may be lawfully disclosed where one of the following conditions apply:

• the individual has given their consent (eg. a member of staff or a customer has consented for the Council to correspond with a named third party
• there is a Power of Attorney in place which authorises a third party to act on behalf of the data subject in relation to that issue.
• this is allowed by legislation: the Data Protection Act 2018 sets out exemptions from UK GDPR at Schedules 2 and 3.

The Freedom of Information Act 2000 allows the public access, subject to certain exemptions, to all types of non-personal information held by public authorities, including this Council. However, requests for personal information will be dealt with under data protection legislation.

See Great Yarmouth Borough Council's Freedom of information policy for further information.

Great Yarmouth Borough Council's Corporate complaints and compliments policy will be applied in the event of any complaints received.

You can also request an internal review of our decision regarding the exercise of your rights or in regards to how we process personal data.

If you wish to request an internal review of our decision regarding the exercise of your rights please contact the Council's Data Protection Officer. We will undertake a review both of the information collected and the decision made and ordinarily respond to you within one calendar month. Where this is complex and additional time is required we will let you know at the earliest opportunity that an extension is required.

This policy will initially be implemented through the Chief Executive and Strategic Directors of the Council.

An email will be sent to all employees to make them aware of the policy.

It is the responsibility of managers to ensure that new staff receive information about this Policy and should be part of any local induction where appropriate. Human Resources will add the Policy to its list of policy issues provided to any new starters. Managers must also ensure that any changes to this policy are effectively communicated within their areas of responsibility.

All staff undertake data protection training and will be required to complete a yearly refresher course covering the basic principles of the Data Protection Act or pass a test to show their understanding.  Furthermore, the Council has data champions across the Council who have received additional training who will assist the Council with cascading information regarding data protection.

Managers are responsible for ensuring that staff are aware of the location of this policy. In addition, Managers are responsible for keeping staff up to date about any changes within the policy.

All staff are obliged to adhere to this policy.

There are no Equality Impact issues with this policy; however specific procedures used to enact the policy must be evaluated separately.

There are no Health and Safety implications with this policy.

This policy should be read in conjunction with the following legislation, regulations and Council policies:

• Freedom of information policy
• Environmental information regulations policy

This policy will be available for all the Council's designated locations.