General Data Protection Regulations (GDPR)
The law is complex, but there are a number of underlying principles, including that personal data:
- will be processed lawfully, fairly and transparently.
- is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
- collected on a data subject should be “adequate, relevant and limited.” i.e. only the minimum amount of data should be kept for specific processing.
- must be “accurate and where necessary kept up to date”
- should not be stored for longer than is necessary, and that storage is safe and secure.
The GDPR is a Europe-wide law – as a public authority, ALL parish councils come within its remit. The GDPR’s main concepts and principles are very similar to those in the current DPA and the Information Commissioners Office (ICO) will still be the organisation in charge of data protection and privacy issues. Therefore, as we are complying with the DPA, much of what we do will still apply.
CFPC has to appoint a Data Protection Officer (DPO) (as of 27 April 2017, but due to be removed as a requirement by an amendment). The appointed DPO is the Clerk, with technical support from our IT contractor Coleman Bryant.
CFPC is both the Data Controller and Data Processor. [N.B. our cloud provider is also a joint processor of our data)
(“Data Controller” means a person who (either alone or jointly or in common with other persons [such as a body corporate]) determines the purposes for which and the manner in which any personal data are, or are to be processed. “Data Processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.)
The legal basis for the Parish Council to collect data is ‘Public Task’ – i.e. the processing is necessary for CFPC to perform a task in the public interest or for the council’s official functions, and the task or function has a clear basis in law.
Parish Councillors do not (in law) exist outside of meetings unless they have a delegated authority due to being an official of the council (i.e. Chair/Vice Chair of the council/a committee under fin reg 4.1). Therefore, parish councillors should not be undertaking any ‘ward work’. If they do and they collect data then the GDPR guidance states: -
“If individual Councillors are acting as a representative of the residents of their ward (e.g. taking forward complaints made by their local residents) then they would be a data controller in their own right and would not be covered by the local authority’s registration. Therefore, they would need to pay the new fee.”
The Parish Council collects the following information about individuals (with their consent) Name, Address, Telephone No(s), and email address. It does not collect, store or process any information about children.
It processes this data to carry out its public tasks such as administering allotments (and associated waiting lists), tennis court membership/usage, and room/facility lettings.
Most frequently the data is stored on a single computer (and in the cloud), although invoices and tenancy agreements etc are also stored in the office in files, with the electoral roll kept in the locked safe. The office is kept locked when not occupied and has security shutters. Desk drawers and filing cabinets are lockable.
The computers and systems are password protected, with separate passwords for access to the cloud storage, and protected by a firewall. The officers’ wired and wireless communications are on a separate clean network, hidden behind the firewall. System security was set up by an expert and is maintained under an annual service contract.
As a general matter the parish council does not share or transport this information and it doesn’t hold any sensitive data (sexuality, political beliefs etc). Therefore, a Data Protection Impact Assessment is not required by law.
The GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that individuals should be told what you are going to do with their personal data before you use it and consent to such use;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are used;
(d) accurate and, where necessary, kept up to date. Personal data that is found to be inaccurate should be deleted or corrected without delay. All personal data should be periodically checked to make sure that it remains up to date and relevant;
(e) kept in a form which permits the identification of data subjects for no longer than is necessary for
the purposes for which the personal data are processed. For instance, records of pastoral care discussions should not be kept for a number of years without justification. Records could be kept, for instance, if all identification features were removed, referred to as “anonymisation”; and
(f) kept securely. Personal data storage should be safe and secure – in lockable filing cabinets or in password protected computer files. Names and addresses of individuals should not be left unattended.
Individuals who have data collected about them have the following rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling