This is a statement of the Data Protection Policy adopted by Tendring District Council. The Council needs to collect and process personal information about individuals so that it can operate and provide services. Personal Data includes information relating to current, past and present employees, elected members, suppliers, residents and other members of the public with whom it communicates. The Council is also required by law to collect and use some types of information to comply with the rules of government departments.
The Data Protection Act 2018 (incorporating the European General Data Protection Regulation (GDPR)) replaced the previous Data Protection Act 1998 (DPA) on 25 May 2018 but continues to serve the purpose of protecting the privacy rights of living individuals. The Act requires the secure and lawful collection, processing, sharing and disposal of personal information whether on paper (including handwritten notes), in electronic form, or recorded on other material such as CCTV images and voice recordings.
As the GDPR is a Regulation, it will not be separately interpreted into the domestic laws of each member state. However, each member state’s activities will be controlled by a supervisory authority within the country where the greatest percentage of the processing takes place. This will continue to be the UK Information Commissioner’s Office (ICO) for Great Britain and is incorporated into the Data Protection Act 2018.
The Council is required by law to protect the public funds it administers. Meeting this obligation will include sharing information internally and externally to prevent and detect fraud, to improve the way it delivers services and to perform any of its statutory enforcement duties. This will also include sharing information with other bodies responsible for auditing and administering public funds. All personal information will be processed in accordance with the provisions of the Data Protection Act.
The Act requires the Council to collect, process, share and dispose of personal information securely and correctly. This Council recognises that the lawful and correct treatment of personal information is essential to the delivery of successful operations to our customers and maintaining the confidence of the individuals to whom the data relates (internally and externally).
The Council requires all of its employees, elected members and third parties operating on our behalf to comply with this policy and to cooperate with all measures and procedures in place to ensure legal compliance.
To this end, this organisation fully endorses and adheres to the principles of data protection.
The Principles relate to the processing of personal data stating that it shall be:-
Note: GDPR compliance is required of every organisation that offers goods and services to people in the European Union (EU), or that collects and analyses data tied to EU residents. The GDPR applies no matter where the organisation (the controller) is located. The UK Data Protection Act exists to protect the privacy rights of UK citizens.
The law requires all public authorities to designate a Data Protection Officer. In summary, the responsibilities of this role are to:-
4.2. Contact details
The contact details of the council’s Data Protection Officer are published in the Privacy Notice.
4.3. Training and Awareness
The Council has an obligation to ensure its staff are trained in their obligations and responsibilities in the handling and security of personal information. The council has a mandated data protection awareness programme in place to deliver this requirement.
The Council’s privacy notice is published on the council’s website. A paper copy is also held at each public reception area. A link to the privacy notice is included in the automatic footer which is added to all external emails.
The council will undertake a Data Protection Impact Assessment when:
6. Rights of Individuals
6.1. Summary of Rights
6.2. Requests for disclosure of Personal Information (Right of Access)
All individuals have a right of access to their own personal information. Any request by an individual for access to their own information must be considered a Right of Access request under this legislation. Normal, day to day transaction type enquiries will continue to be handled by the relevant business area; but all other requests for personal information will be managed centrally by the Data Protection Officer to ensure that statutory deadlines are achieved. An example of when this would apply is shown below.
Example:- a housing tenant requests the outstanding balance on their account – this would be a normal business transaction. If the same tenant asks for a copy of all the records associated with their tenancy, including emails and file notes, plus copies of everything that Revenues and Benefits hold, then this will be managed centrally by the Data Protection Officer.
The Council will only process personal data if at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation (UK Law) to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (under UK Law);
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller (the Council) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. However, this point (f) shall not apply to processing carried out by public authorities in the performance of their tasks (see Statutory Obligations).
Please note that, where the processing of data is for a purpose other than that for which it was collected and the data subject's consent has not been obtained, the Council is required to consider the following to ensure that the proposed additional processing purpose is compatible with the purpose for which it was initially collected. The outcome of this consideration will be documented along with the reasons why. This file note will be retained as evidence of the decision.
Local authorities are bound by statute and their functions and obligations are set out in numerous Acts of Parliament, many of which have associated legal duties.
Any and all processing of personal data in order to carry out any statutory obligation will be undertaken in compliance with the requirements of the relevant legislation governing the statutory obligation and the principles of data protection.
Where a decision has been made to engage with the regular and/or systematic sharing of personal data, an Information Sharing Protocol and associated agreement will be specified for each sharing purpose. A privacy impact assessment may be required to identify and mitigate the risks involved.
Where the processing of personal information is not carried out to comply with a statutory or legal obligation, then consent may need to be obtained from the data subject involved.
The consent must be a freely given, specific, informed and unambiguous statement of the data subject's agreement to the processing. Consent will not be assumed to be provided by silence or a non-response to a request.
The consent will be recorded in writing or by electronic means. If a verbal consent statement is unavoidable it will be recorded and witnessed for future review.
In order to be ‘freely given’ it is important to seek consent only where the processing is optional, as consent can also be withdrawn at any time.
Specific protection of the personal data relating to children is essential as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Such specific protection will particularly apply to the use of personal data for the purposes of marketing or creating personality or user profiles; for example in the collection and processing of personal data for use in relation to services being offered directly to a child (e.g. leisure), and parental consent will be sought where it is appropriate to do so, based on the service and/or the age of the child.
The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child when in a child protection or safeguarding situation.
Data Protection legislation does not provide specific retention periods for personal data. However, in order to comply with the Principles, data must only be retained for as long as is necessary to fulfil the purpose for which it was collected. Statutory obligations to retain data for longer will be complied with.
The Council’s Corporate Retention Policy and associated Schedule will provide guidance in this regard.
Where regular transfers of personal data are required outside of the UK, suitable international transfer agreements will be set up to include the use of binding corporate rules. Measures will be put in place to protect all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
If any potential breach of data protection is suspected or identified, the Information Security Incident Response Procedure will be followed. This process will ensure a rapid response by the appropriate resources within the Council to look into the incident.
Any complaint received regarding the Council’s handling of personal data should be directed to the Data Protection Officer.