Corsenside Parish Councils Data Protection & Information Security Policy

Corsenside Parish Council recognises its responsibility to comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) 2018 which regulate the use of personal data. The

Data Protection Act 1998 sets out high standards for the handling of personal information and protecting individuals’ rights for privacy.

It also regulates how personal information can be collected, handled and used. The Data Protection Act applies to anyone holding personal information about people, electronically or on paper. This data does not have to be of a sensitive nature; it can be as little as a name and address.

Corsenside Parish Council has a number of procedures in place to ensure that it complies with The Data Protection Act 1998 and the GDPR 2018 when holding personal information. The Parish Council also notifies the Information Commissioner annually of the type of information it holds.

When dealing with personal data, Corsenside Parish Council staff and Councillors will ensure that they follow the 8 Data Protection Principles which are:

1. It must be collected and used fairly and inside the law.
2. It must only be held and used for the reasons given to the Information Commissioner. 
3. It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. We cannot give it away or sell it unless we said we would to begin with.
4. The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So we must have enough detail but not too much for the job that we are doing with the data.
5. It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move. (A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes).
6. It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
7. The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
8. The files may not be transferred outside of the European Economic Area.

Storing and accessing data

Corsenside Parish Council recognises its responsibility to be open with people when taking personal details from them. This means that Councillors and staff must be honest about why they want a particular piece of personal information. If, for example, a member of the public give their contact details to staff or a member of Corsenside Parish Council, these will only be used for the purpose they have been given and will not be disclosed to anyone else without the person’s permission.

Confidentiality

Please make Councillors and staff aware when making complaints or queries if you wish these to remain confidential. All data is kept within a secure setting & work laptops are password protected. Corsenside parish clerk is the Data Controller & will be able to answer any queries you have regarding our use of data, storage & access to.

Council’s internal register of processing activities

Schedule of Processing, Personal Data and Data Subjects

Subject matter of the processing:

Corsenside Parish Council primarily collect low level personal data such as a person’s name, address, phone number & email.

CPC may also hold onto any letters/emails written to them for as long as it is necessary until the matter is resolved.

CPC will only pass on contact information when it is deemed necessary or at the request of the data subject or with their consent.

Corsenside Parish Council currently do not hold any sensitive personal information regarding members of the public. Sensitive information regarding the Clerk & Councillors is that which is lawfully needed.

CPC do not use CCTV or have a social media network.

Duration of the processing:

For as long as contact is necessary, while an action or request by the person is still being processed or for as long as CPC is legally obliged to. Many of the contacts CPC currently have is in relation with voluntary bodies within the parish or residents who wish to be contacted by the PC.

Nature and purposes of the processing:

Members of the public/Local Bodies & Charities/Businesses - Primarily to contact the relevant subject whether this is to inform them of an issue, to respond to an issue or request, to inform them of a matter of interest or provide them with information. Information regarding attendance & any issue may be recorded within meeting minutes. Other information such as contact details or letters will be kept on the clerk’s laptop & in files both located within the clerk’s home. Files are lockable and the laptop pin protected.

Any such data is kept for as long as the data subject requires, that is for as long as they may want to be kept informed about a specific issue or a meeting or information requested, or whilst they are part of a local body where their information is already in the public domain. CPC will also keep some data for as long as it is legally obliged to.

CPC may collect this data either via the person themselves, through an email, letter or phone call to the Parish Council or from a third person who passes the information onto the Parish Council. When data is no longer needed, or a person requests their details to be erased the clerk will shred any personal information.

CPC has introduced an email newsletter; members of the public are invited to join either by contacting the clerk or (as preferred) using the sign-up form on the News page of CPC website. To receive the message someone need only give an email address, no other details are required. This information is stored on the secure server of Mail Chimp and in the case the parishioner contacted the clerk directly inside the password protected CPC email inbox. Each message includes the option to unsubscribe giving the recipients total control. Anyone found to have unsubscribed will have their contact details deleted.

Data CPC may decide to collect from members of the public could be processed for the following reasons: -

•         To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;

•         To confirm your identity to provide some services;

•         To contact you by post, email, telephone or using social media (e.g., Facebook, Twitter, WhatsApp);

•         To help us to build up a picture of how we are performing;

•         To prevent and detect fraud and corruption in the use of public funds and where necessary for the law enforcement functions;

•         To enable us to meet all legal and statutory obligations and powers including any delegated functions;

•         To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments and generally as necessary to protect individuals from harm or injury;

•         To promote the interests of the council;

•         To maintain our own accounts and records;

•         To seek your views, opinions or comments;

•         To notify you of changes to our facilities, services, events and staff, councillors and other role holders;

•         To send you communications which you have requested and that may be of interest to you.  These may include information about campaigns, appeals, other new projects or initiatives;

•         To process relevant financial transactions including grants and payments for goods and services supplied to the council

•         To allow the statistical analysis of data so we can plan the provision of services.

CPC will collect more personal data from employees (the clerk) see the points below.

Councillors are obliged by law to provide relevant personal information in the form of a Declaration of Interests. These can be viewed on Northumberland County Council website.

Corsenside Parish Council will keep data regarding any contractors they may hire. This will include contact details, a contract, payment details & insurance documents, as well as some of the points below.

The purposes of processing the data of employees, Councillors & contractors include:-

•         Making a decision about your recruitment or appointment.

•         Determining the terms on which you work for us.

•         Checking you are legally entitled to work in the UK.

•         Paying you and, if you are an employee, deducting tax and National Insurance contributions.

•         Providing any contractual benefits to you

•         Liaising with your pension provider.

•         Administering the contract we have entered into with you.

•         Management and planning, including accounting and auditing.

•         Conducting performance reviews, managing performance and determining performance

               requirements.

•         Making decisions about salary reviews and compensation.

•         Assessing qualifications for a particular job or task, including decisions about promotions.

•         Conducting grievance or disciplinary proceedings.

•         Making decisions about your continued employment or engagement.

•         Making arrangements for the termination of our working relationship.

•         Education, training and development requirements.

•         Dealing with legal disputes involving you, including accidents at work.

•         Ascertaining your fitness to work.

•         Managing sickness absence.

•         Complying with health and safety obligations.

•         To prevent fraud.

•         To monitor your use of our information and communication systems to ensure compliance with  

               our IT policies

•         To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.

•         Equal opportunities monitoring.

•         To undertake activity consistent with our statutory functions and powers including any delegated

               functions.

•         To maintain our own accounts and records;

•         To seek your views or comments;

•         To process a job application;

•         To administer councillors’ interests

•         To provide a reference.

CPC will not pass on any personal data such as contact details outside of the council organisation without a person’s knowledge.

Type of Personal Data:

Members of the public -Name, address, phone number, e-mail address & where applies the body or organisation represented. We may also keep letters written to the PC’s for as long as is needed.

Cllrs personal data includes all of the above as well as Declarations of Interests.

Clerk – personal data also includes all contact details, all wages paid, NI number.

Contractor – Landscape contractor – Contact details, payment history & insurance documents. 

Categories of Data Subject:

Clerk, Councillor’s, members of the public, representatives of other bodies within the parish & contractors.

Plan for return and destruction of the data once the processing is complete UNLESS requirement under union or member state law to preserve that type of data:

Data will be kept for as long as needed or as & when a person requests it to be erased. It is then destroyed using a shredder.

See CPC Retention & Destruction Policy