Data Protection Policy
In common with most large organisations, Clackmannanshire Council relies heavily on the information it collects and holds to fulfil its aims, objectives, and obligations. Information relating directly to people (personal data) is an essential Council asset which must be properly managed in order to deliver efficient and effective services, ensure legal compliance, and to protect the Council’s image as a responsible organisation.
Ensuring the continued availability, integrity, and security of personal data held by the Council is a prime corporate and service requirement. It is also an obligation under the Data Protection Act 1998 (the Act). Effective data management is essential for ensuring compliance with the Act and to make sure that confidence between the Council and service users, staff, and others with whom the Council has dealings is maintained.
The Council is committed to protecting the rights of individuals by ensuring that all personal data it holds is used appropriately and lawfully. By openly promoting a process through which individuals can gain access to the personal data about them held by the Council (whether in paper or computer media format), public confidence in the Council’s procedures will be maintained. The Council’s primary aim is to ensure that all personal data processing carried out on its behalf (either in-house or by contractors or system suppliers) complies with the eight data protection principles and key legislative requirements.
Scope of Policy:
Briefly, the Data Protection Act covers the collecting of personal data from any source, the storage and processing of that data (for identified purposes only), the control of onward disclosures from data sets held, and the rights of individuals to obtain copies of data about themselves. Elected members, staff, contractors and suppliers all have obligations under the Act. The Council recognises the need to raise awareness of the requirements, and also to monitor compliance. General compliance with the legislation is monitored nationally by the office of the Information Commissioner.
The Council’s Data Protection Officer (The Head of Strategy and Customer Services) has the responsibility for ensuring Data Protection Act compliance throughout the Council. Through Heads of Service and service-based data protection co-ordinators the Council will, through good management and the application of proper procedures:
- Observe statutory requirements regarding the fair collection and use of personal information
- Meet its legal obligations to notify the Information Commissioner of the specific purposes for which information is collected and used
- Obtain and process personal data only to the extent that it is necessary to perform its functions and deliver services
- Ensure the personal data used is of high quality in terms of accuracy and relevance
- Apply regular checks to ensure that data is not held for longer than the purpose required
- Ensure that individuals can properly exercise their rights under the Act (including the right of access to information held, and where appropriate, correction or erasure)
- Take appropriate steps to safeguard all personal data held by the Council to minimise the risk of loss, wrongful access, or improper use
- Ensure that personal data is not transferred abroad without suitable safeguards
The policy will be implemented by Services and monitored by the Data Protection Officer (DPO). In implementing the policy, the aim will be to ensure that:
- Heads of Service arrange, or deliver, appropriate training for all staff whose duties include the management of personal data
- Staff managing personal information receive adequate supervision
- Personal data collection methods are adequately managed and regularly assessed/evaluated
- Regular personal data audits are conducted and, where serious concerns are identified, these are duly reported to Service directors and the DPO. Where appropriate, concerns may also be reported to the Performance & Audit Committee.
- Overall Council data protection standards are regularly assessed and evaluated
In meeting its policy objectives, the Council will implement a range of secondary supporting policies as necessary. These secondary policies will be approved by the DPO with the aim of securing compliance with one or more of the eight data protection principles contained in the Act. They may relate to activities across the whole of the Council, or where necessary to the activities of a single service or part of a service.
These secondary policies may include:
- Guidance for individuals seeking access to their personal data, and the monitoring and management of subject access requests
- An Information and Communications Technology security policy (already approved by Council).
- E-mail and internet use policy
- Data sharing (across or within services for multiple purposes, as well as sharing with partner organisations)
- Data Matching
- Confidential waste paper disposal/re-cycling issues
- Managing staff records (HR records and all related Service based files)
- Data retention, including guidance on timescales
- Issues relating to personal data access by elected representatives
- CCTV – management and use
These secondary policies will be developed by Services in conjunction with Administration and Legal Services.
Summary of Compliance Aims
The Act requires, and the Council will ensure, that there is compliance with the eight Data Protection Principles. The overall aim is to ensure that personal data is:
- processed fairly and lawfully
- obtained only for one or more specified and lawful purposes and is not further processed in any manner incompatible with the purpose or purposes for which it was first obtained
- adequate, relevant, and not excessive in relation to the purpose or purposes for which it is held and processed
- accurate, and kept up to date
- not kept for longer than is necessary for the purpose or purposes for which it was first obtained
- processed in accordance with the rights of the data subject as specified under the Act
- held securely, with appropriate measures taken against unauthorised or unlawful processing of any personal data, and protected from accidental loss, destruction, or damage
- not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.