In accordance with the EU General Data Protection Regulations 2018 St Tudy Parish Council confirm the following;
- Any information received by email through this web site will be solely used to reply to your enquiry and will not be forwarded without your permission.
- You are at any time welcome to request a copy of your email until it is deleted once your enquiry is satisfied. All email records are deleted annually.
- We will not share or pass on any details from your email to any third parties.
- If you require your name or any personal details removed from minutes, previous minutes or agendas, please contact the clerk by email regarding this
CALC Summary of GDPR issues:
1. Who is the Data Controller? – the Council is the Data Controller and is required to establish policy and procedures to protect the personal, attributable data which it holds. Individual councillors may be data controllers in their own right if they keep personal information in their own archive.
2. Who is the Data Processor? – anyone that uses the information on behalf of the council i.e. HMRC, NDP Steering Group. Mainly it is the clerk who is the data processor but councillors may also handle 'sensitive' information such as the 'Register of Electors' for which they sign a form to confirm responsible usage.
3. What is personal data? – it is anything which you hold where the individual can be recognised and relates to them personally. This includes
a. Personnel files for your clerk and other staff
b. Contact details of individual members and organisations in your community
c. Contractors and other suppliers
d. Survey results i.e. Neighbourhood Plans, Housing Needs surveys etc where you can identify the individual. If you have added an email address to keep in touch or similar. The initial forms for the Neighbourhood Plan were distributed using postcodes only. Further research by the members of the NP Group may ask for personal details such as names, adresses oe email addresses but these will only be used with permission.
4. How can the council use the data – you can only use it when you have consent from the individual to use it and are restricted to only using it for that single function. Therefore you cannot gather names and emails addresses through a village mailing list and use this for the NDP consultation. Individuals will have a right to be forgotten and you must have a clear plan of how long you intend to keep data and when it has been destroyed.
5. Who is the regulator? – the Information Commissioner will oversee the regulations and may levy fines for the mismanagement of information. The ICO has confirmed that provided local councils are seen to be working towards compliance, it will be a fair and proportionate regulator.
6. Who is accountable under the regulations? Any data controller will be accountable for their actions. Under the new GDPR individual councillors are responsible for complying with the regulations if they hold personal data. They will be accountable under the act for any breaches of the regulations and personally liable for any prosecution brought against them as an individual.
What must you do to comply?
i) Establish a plan for working through the requirements. Delegate a number of councillors or a committee to work through the requirements and get started on the work towards compliance. All of the information held by the clerk has been audited and the main bulk of public information is in planning material sent to the PC which is kept locked in a file until deemed 'out of date'.
ii) Audit the data you hold and only keep that which you need. Make sure that the council has a clear understanding of the information which it keeps and for how long? You will not need to keep anything which someone else has. Individual councillors should return anything which is no longer needed or would be unlawful for them to hold. The GDPR regulations remove the ability to keep personal data ‘just in case’ and a council should consider how it handles confidential information.
Planning application information has been removed from public view on the parish website.
iii) Register with the Information Commission as a data controller. It will cost you up to £55 depending on the size of your organisation.
Regular applications to register with ICO (on recommendation from Cornwall Association of Local Councils (CALC)) were made in 2018 with the result that 'form page rejects application as unnecessary'.
On a fifth attempt to register on 03.03.2020 was successful and the parish council are now registered pending an invoice for payment by cheque from ICO.
The parish website employs a 3rd party to manage website form processing and no records are saved on the 3rd party server. They have their own GDPR policy here:
iv) Review the council’s use of email for circulation of correspondence. Learn to use the bcc function for emails and if in doubt always get the correspondent’s permission to share their email/letter before distributing it.
Almost all of the emails sent within 'sttudypc at gmail.com' are internal and shared with councillors who have given their permission for such.
Data Protection Officer
The Government has confirmed that local councils are no longer required to have a Data Protection Officer but that all of the functions of the role remain and are still compulsory. In practice this means that there is no requirement to appoint to the title but the work must still be covered. As the clerk is the 'data processor' this function falls to the councillors.