Medbourne Parish Council - Data Protection Policy
If you wish to download this policy document click this link: Data Protection Policy (PDF File).
Data Protection Policy
One of the Council’s roles is to encourage community involvement and participation; publication of some personal information is integral to this aim. At the same time, such publication must minimise any potential negative impact on individuals, e.g. intrusive marketing or identity theft.
The Council is bound by law to abide by the provisions of the Data Protection Act 1998. The main principles of the act are given at the end of this Policy along with a link to the full online definition of the Act. It should be noted that any individual has the right to make a complaint to the Information Commissioner and that any upheld complaint against the Council could result in a fine.
In addition, from May 2018, the Council is bound by the provisions of the European Union’s General Data Protection Regulation (GDPR). Much of the GDPR relates to the electronic processing of personal information and does not affect the Council but one provision, the “right of erasure” does apply.
The simplest way of ensuring compliance is to adopt a simple set of over-arching principles, since individuals acting for the Council may not be familiar with all the legislation. The following principles apply:
Principle 1: Permission
The Council will not gather or publish any personal data unless the purpose of the data is made clear to, and written permission has been obtained from, the data owner.Principle 2: Single Use
Any personal data gathered as above will not be used for any purpose other than that stated when it was obtained. For example, if the Council gathers personal data for a paper publication it may not subsequently publish that data on the internet, and vice versa.Principle 3: Protection of Electronic Data
The Council will ensure the safe keeping of any electronic files containing personal data and will not release those files to any external party except for the purpose of printing or publication. The Council will require that any files thus released are deleted after use.Principle 4: Right of Erasure
A data subject has the right to request erasure of personal data related to them. The GDPR states a number of grounds that pertain to this but it’s probably easier to allow this principle in any circumstances.
As further protection the following recommendations are also advised:
Use Copyright
Any paper publication containing personal data should carry the Council’s copyright statement (see example at the end of this Policy). Without this, it may be very difficult to control subsequent misuse of the data once published
Take Precautions with Data Published Online
There are always people who will use data from the internet for purposes other than that intended. An example would be gathering contact lists for onward sale; in this case, understanding the demographic or locality of contacts makes them more valuable. The way data is presented online may deter such misuse:
(a) Avoid presenting long lists of personal data. In general, contact information should be “dotted around” and presented in the context of other information.
(b) There is no need to publish email addresses in clear text online. It is better to include them as a “mail hyperlink”, e.g. publish “contact John Smith” where clicking this pops up an email window.
The Data Protection Act 1998
For full information see: http://www.ico.gov.uk/for_organisations/data_protection.aspx.
The following are the eight principles of the Act reproduced from UK Government web site above:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up-to-date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under the Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Medbourne Parish Council Data Protection Policy, Version 2, 16th November 2017
Copyright © Medbourne Parish Council, 2017