In accordance with the EU General Data Protection Regulations 2018, St Tudy Parish Council confirm the following:
- Any information received by email through this web site will be solely used to reply to your enquiry and will not be forwarded without your permission.
- You are at any time welcome to request a copy of your email until it is deleted once your enquiry is satisfied. All email records are deleted annually.
- We will not share or pass on any details from your email to any third parties.
- If you require your name or any personal details removed from minutes, previous minutes or agendas, please contact the clerk by email regarding this.
CALC Summary of GDPR issues:
1. Who is the Data Controller? – the Council is the Data Controller and is required to establish policy and procedures to protect the personal, attributable data which it holds. The Council will need to register with the Information Commissioner’s Office (ICO). Individual councillors may be data controllers in their own right if they keep personal information in their own archive.
As of 30.05.18 the PC has not yet registered with the ICO, as policy has not yet been established and the legislation requirements are not clear; as a non-profit organisation it may not be required to pay a fee for this.
As of 30.11.18, on applying to register with the ICO on the recommendation of Cornwall Association of Local Councils (CALC), the form page rejects the application as unnecessary.
2. Who is the Data Processor? – anyone that uses the information on behalf of the council i.e. HMRC, NDP Steering Group
Mainly it is the clerk who is the data processor, but councillors may also handle 'sensitive' information such as the 'Register of Electors'.
3. What is personal data? – it is anything which you hold where the individual can be recognised and relates to them personally. This includes:
a. Personnel files for your clerk and other staff
b. Contact details of individual members and organisations in your community
c. Contractors and other suppliers
d. Survey results i.e. Neighbourhood Plans, Housing Needs surveys etc where you can identify the individual. If you have added an email address to keep in touch or similar.
4. How can the council use the data – you can only use it when you have consent from the individual to use it and are restricted to only using it for that single function. Therefore you cannot gather names and email addresses through a village mailing list and use this for the NDP consultation. Individuals will have a right to be forgotten and you must have a clear plan of how long you intend to keep data and when it has been destroyed.
At the moment the clerk is working through historical information and preparing it for the records office, which re-opens in 2019. The council does not hold a database for email apart from the councillors and may at some point develop a double opt-in method for safely making contact with its parishioners.
5. Who is the regulator? – the Information Commissioner will oversee the regulations and may levy fines for the mismanagement of information. The ICO has confirmed that provided local councils are seen to be working towards compliance, it will be a fair and proportionate regulator.
So far the clerk has audited all of the contemporary parish files, information held on paper and on computer, and listed the areas where personal data is held, which are few. Historic data, some of which goes back to the 1930s, is being sorted through. The parish website contains a covering statement concerning privacy, the handling of data and other issues.
6. Who is accountable under the regulations? Any data controller will be accountable for their actions. Under the new GDPR individual councillors are responsible for complying with the regulations if they hold personal data. They will be accountable under the act for any breaches of the regulations and personally liable for any prosecution brought against them as an individual.
What must you do to comply?
i) Establish a plan for working through the requirements. Delegate a number of councillors or a committee to work through the requirements and get started on the work towards compliance.
ii) Audit the data you hold and only keep that which you need. Make sure that the council has a clear understanding of the information which it keeps and for how long. You will not need to keep anything which someone else has. Individual councillors should return anything which is no longer needed or would be unlawful for them to hold. The GDPR regulations remove the ability to keep personal data ‘just in case’ and a council should consider how it handles confidential information.
iii) Register with the Information Commission as a data controller. It will cost you up to £55 depending on the size of your organisation.
iv) Review the council’s use of email for circulation of correspondence. Learn to use the bcc function for emails and if in doubt always get the correspondent’s permission to share their email/letter before distributing it.
Data Protection Officer
The Government has confirmed that local councils are no longer required to have a Data Protection Officer but that all of the functions of the role remain and are still compulsory. In practice this means that there is no requirement to appoint to the title but the work must still be covered.
CALC has prepared a number of templates to help the Council as a data controller to manage its responsibilities. We are working with the Information and Governance team at Cornwall Council to provide a clear suite of documents and guidance to support your council. These will be available as soon as the final regulations have been confirmed.