The new General Data Protection Regulation (GDPR) legislation came into effect on 25th May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection regarding how their personal data is used. The GDPR applies to Queniborough Parish Council as a public authority.
The GDPR's main concepts and principles are very similar to those contained in the current Data Protection Act 1998 and the Information Commissioner's Office remains the regulator in charge of data protection and privacy issues.
The GDPR has a number of underlying principles. These include that personal data:
(a) Must be processed lawfully, fairly and transparently.
(b) Is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
(c) Should be adequate, relevant and limited, i.e. only the minimum amount of data should be kept for specific processing.
(d) Must be accurate and where necessary kept up to date.
(e) Should not be stored for longer than is necessary, and should be stored safely and securely.
(f) Should be processed in a manner that ensures appropriate security and protection.
ICO Registration document
The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt.
A copy of the Council's registration details is below.
ICO Registration Document (PDF, 182 Kb)
General Privacy Notice
The transparency requirements under the GDPR require councils to provide individuals with extensive information about how their personal data is collected, stored and used. This information must be easily accessible, transparent and presented using clear and plain language. In practice, this means that councils will need to include more information in their privacy policies, as well as retaining more detailed records of their data processing activities in relation to their staff, customers and third parties.
A copy of the Council's General Privacy Notice is below.
General Privacy Notice (PDF, 698 Kb)
Data Breach
A personal data breach is one that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Currently, data breaches do not have to be routinely notified to the ICO or others.
A copy of Queniborough Parish Council's Data Breach Policy is below.
Data Breach Policy (PDF, 152 Kb)
Subject Access Requests
To legally process data under the GDPR the Council must have a 'lawful basis' to do so. This is included in the Council's ICO registration (see above). Individuals have the right to know what data the Council holds on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form, known as a 'subject access request'.
Under the GDPR the right of data subjects to request information about the personal data processed by councils remains largely the same.
The time limit to comply with a Subject Access Request ("SAR") has been reduced from 40 calendar days to one calendar month. The ability to charge £10 per SAR has been removed so all SARs are free of charge from 25th May 2018.
A copy of Queniborough Parish Council's SAR form is below.
Subject Access Request (PDF, 403 Kb)
The following documents have been approved by the Parish Council and are available upon request:
- Privacy Statement for Staff and Councillors
- Data Audit