Data Protection and Subject Access Policy

Document control page

Document control
Reference Number: Version 3.2
Status: Published
Sponsor(s)/Author(s): Andrew Holyoake, Statutory Data Protection Officer
Amendments: Insertion of hyperlinks to linked resources, updating certain provisions from the DPA 2018 in respect of elected members, removal of references to ICO notification and reflecting the UK legislative changes as a non-EU member
Document objectives: To ensure compliance with statutory requirements in relation to the processing of personal information across the Council. To provide guidance on data subjects' right to access their own information.
Intended Recipients: Wiltshire Council Officers, temporary staff, Volunteers, Elected Members, and members of the public.
Group/Persons Consulted: None
Monitoring Arrangements and Indicators: None
Training/Resource Implications: Information Governance Board
Ratifying Body and Date Ratified: V3.2 February 2021 (original April 2018)
Date of Issue: Original April 2018
Review Date: March 2025
Contact for Review: Information Governance
SIRO signature: Maria Doherty, Deputy SIRO, pp Ian Gibbons, SIRO

© Wiltshire Council copyright 2018

You may use and re-use this information (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence v3.0.

Associated Documentation

Policies - Wiltshire Council controlled documents

  • Information Governance Policy
  • Information Security Policy
  • Password Policy
  • Records Management Policy
  • Acceptable use policy
  • Breach Reporting procedure
  • Subject Access Request Process
  • Wiltshire Information Sharing Charter
  • Information Sharing Policy

Legal framework

  • (UK) General Data Protection Regulation 2016
  • Data Protection Act 2018
  • Human Rights Act 1998
  • The Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 - SI 419

Contents

  1. Policy Statement
  2. Scope
  3. Summary of Aims
  4. Registration with the Information Commissioner
  5. Council staff with Data Protection responsibilities
  6. Data Protection Principles
  7. Processing
  8. Privacy Notices and Data Subject Information notices
  9. Responsibilities of Individual Data Users
  10. Contractors and Data Processors
  11. Accuracy of Data
  12. Special Category Data
  13. Data Protection Impact Assessments (DPIA)
  14. Data Security and Disclosure
  15. Data Breaches & Security Incidents
  16. Consent
  17. Right of Access to Personal Data
  18. Access to Third Party Personal Data by Elected Representatives
  19. Complaints
  20. CCTV
  21. Covert Surveillance - Regulation of Investigatory Powers Act (RIPA)
  22. Travelling Abroad
  23. Email
  24. Disclosure outside of the United Kingdom (UK) or European Economic Area (EEA)
  25. Retention of Data
  26. Training
  27. Appendix EEA Countries

1 & 2 Policy Statement and Scope

  1. Policy Statement
    1.1 Wiltshire Council will ensure every user is aware of, and understands, their responsibilities regarding the security of personal data held by, and on behalf of, the Council in respect of:
    a) their responsibilities under data protection law for the protection of personal data
    b) the benefits of appropriate data sharing
    c) the necessity for good records management
    d) the technical and administrative controls operating in the Council
    e) other laws and statutory guidance around this subject
    1.2 Wiltshire Council holds and processes information about its employees, clients, and other individuals for various purposes. To comply with the Data Protection legislation, personal information must be collected and used fairly, lawfully and transparently for specific purposes. It should be limited to what is necessary, be maintained accurately, and stored safely for no longer than is necessary. When no longer required, it should be securely disposed of, and not disclosed to any unauthorised person.
    1.3 The GDPR and this policy apply to all personal information processed by the council. Non-compliance with this policy may result in disciplinary action.
    1.4 Any work activity involving personal data now has the status of a regulated activity.

  2. Scope
    2.1 This policy is intended for all Councillors, Committees, Services, Partners, Employees of the Council, Contractual Third Parties and Agents of the Council who have access to information held or processed by Wiltshire Council.
    2.2 This policy covers all personal information held and processed by the Council however it is collected, recorded and used, whether digital, on paper or recorded on other media.
    2.3 The council is responsible for its own records under the terms of the GDPR, and it has registered as a Data Controller with the Information Commissioner. Registration No. Z1668953

3 & 4 Summary of Aims and Registration with the Information Commissioner

3. Summary of Aims

3.1 The lawful and correct treatment of personal information is vital to the successful operation of, and maintaining confidence within the council, and the individuals with whom it deals.

3.2 Therefore, the council will, through appropriate management, and strict application of criteria and controls:

a) Fully observe the conditions regarding the fair collection and use of information;
b) Meet its legal obligations to specify the purposes for which information is used;
c) Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements;
d) Ensure the quality of information used;
e) Apply strict checks to determine the length of time information is held;
f) Take appropriate technical and organisational security measures to safeguard personal information;
g) Ensure that personal information is not transferred abroad without suitable safeguards.
h) Ensure that the rights of people about whom information is held can be fully exercised under the legislation and include:
i. The right to access your personal information, to request rectification or erasure of certain personal information and to object to processing in certain circumstances.
ii. The right to withdraw any consent you may have given to process your personal information.
iii. The right to complain to the Information Commissioner if you feel we are processing your personal information unlawfully.
iv. The right to restrict processing activity in certain circumstances.
v.  The right to object to certain types of processing activity such as automated decision making and profiling.

4. Registration with the Information Commissioner

4.1 The council has an obligation as a Data Controller to register with the Information Commissioner that it processes personal data and pay an annual fee.

4.2 Registration renewal within the council is carried out by the Data Protection Officer.

4.3 Individual data subjects can obtain full details of the council's data protection registration with the Information Commissioner from the Information Governance Manager or from the Information Commissioner's website (ico.org.uk).

5 & 6 Council staff with Data Protection responsibilities & Data Protection Principles

5. Council staff with Data Protection responsibilities

5.1 All queries about this council policy should be directed to the Data Protection Officer.

5.2 Subject access requests should be made to the Information Governance Team: InformationGovernance@wiltshire.gov.uk

5.3 See also Section 17 Right of Access to Personal Data for more details.

6. Data Protection Principles

6.1 The council, as a Data Controller, must comply with the six Data Protection Principles set out in the GDPR. In summary, these state that personal data shall be:

a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6.2 The Council is responsible for, and must be able to demonstrate compliance with the above principles.

7 & 8 Processing & Privacy Notices and Data Subject Information Notices

7 Processing

7.1 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

a) collection,
b) recording,
c) organisation,
d) structuring,
e) storage,
f) adaptation or alteration,
g) retrieval,
h) consultation,
i) use,
j) disclosure by transmission, dissemination or otherwise making available,
k) alignment or combination,
l) restriction,
m) erasure or destruction.

8 Privacy Notices and Data Subject Information Notices

8.1 Any collection of personal data must satisfy the requirements of fairness and transparency set out in the first Principle.

8.2 This includes paper or electronic application forms, telephone calls, and surveys.

8.3 At the time of collection, the Council will provide data subjects with information to comply with Articles 13 & 14 of the GDPR. This shall explain to the individual:

a) The identity of the Data Controller collecting the information - Wiltshire Council
b) Contact details for the Council and its Data Protection Officer: InformationGovernance@wiltshire.gov.uk
c) The purpose for processing and the legal basis for doing so
d) Recipients or categories of recipients of their personal data

8.4 Wiltshire Council will ensure an appropriate Privacy Notice is included wherever personal data is collected.

Wiltshire Council publishes an overarching Privacy Notice in a prominent position on the websites it maintains (https://www.wiltshire.gov.uk/privacy). In addition, where services have different specific needs, further service-specific privacy notices will be added where appropriate.

9, 10 & 11 Responsibilities of Individual Data Users & Contractors and Data Processors & Accuracy of Data

9. Responsibilities of Individual Data Users

9.1 All employees and Members of the council who record and/or process personal data in any form (called "Data Users" in this policy) must ensure that they comply with:

a) The requirements of the UK General Data Protection Regulation 2016 (including the Data Protection Principles);
b) The council's Data Protection Policy, including any procedures and guidelines which may be issued from time to time.

9.2 A breach of the General Data Protection Regulation 2016 and/or the council's Data Protection Policy may result in disciplinary action.

9.3 Consideration should be given towards contacting the Information Governance Team for data protection advice concerning the following:

a) When developing any new system for processing personal data - it may also be necessary to comply with the council's Information Asset Change Policy and Data Privacy Impact Assessment Policy;
b) When using an existing computer system to process personal data for a new purpose, as it may be necessary to record an amendment to the existing asset registration under the council's Information Asset Change Policy, and it will be necessary to document the new processing activity;
c) When creating a new manual filing system containing personal data;
d) When using an existing manual filing system containing personal data for a new purpose.

10. Contractors and Data Processors

10.1 Outside agents working with Wiltshire Council data will be required to ensure full data compliance in accordance with contractual arrangements. Wiltshire Council reserves the right to inspect contractors and data processors to satisfy these requirements.

11. Accuracy of Data

11.1 Staff that have responsibility for handling any client, staff or other individual's personal information must ensure that it is accurate and as up to date as possible.

11.2 All staff members are responsible for checking that any personal information they provide to the council in connection with their own employment is accurate and up to date e.g. change of address or name.

11.3 The council cannot be held responsible for issues arising from any errors in such employment data unless the member of staff has informed the council about any relevant changes of circumstance.

12, 13 & 14 Special Category Data & Data Protection Impact Assessments (DPIA) & Data Security and Disclosure

12. Special Category Data

12.1 The council will process "special category data" relating to staff, clients, contractors and other individuals. This category of personal data may include information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation. This category also applies where the processing of genetic data, or biometric data is for the purpose of uniquely identifying a person.

12.2 The council may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal enforcement obligations. Such processing will be in accordance with the provisions of the Data Protection Act 2018.

12.3 In circumstances where special category data is to be held or processed, the council will only seek the explicit consent of the individual in question when no other legal basis to process applies (e.g. to perform a legal duty regarding employees, to protect the data subject's or a third party's vital interests, or where it is necessary for the purposes of the provision or management of health or social care services).

13. Data Protection Impact Assessments (DPIA)

13.1 The Council must carry out a DPIA for all new decision-making processes and projects where the processing is likely to result in a high risk to people's rights and freedoms. Guidance on DPIAs is available from the Information Governance Team.

14. Data Security and Disclosure

14.1 All staff within the council are responsible for ensuring that any personal data that they hold are kept securely, and that personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party. Every reasonable effort must be made to ensure that data are not disclosed accidentally.

14.2 Deliberate unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. Such deliberate action also has the potential to be a criminal offence. If in any doubt, consult the Information Governance Manager, Data Protection Officer, or Human Resources. Personal data must be kept securely and examples of how this may be done include:

14.3 Keeping the data in a locked filing cabinet, drawer or room; or if the data is computerised, ensuring that the data is password protected or kept on a secure network and only where necessary as a temporary measure on secure removable media.

14.4 Any other appropriate security measures which are detailed in the council's IG policy section of the internal web, such as the clear desk policy, confidential waste disposal, and guidance on secure transfer of personal information and on meetings held in public places.

14.5 Personal Information Sharing Agreements (PISAs) will be required to facilitate regular and routine sharing of personal information with external organisations and partner agencies. All other information sharing will need to be justified in accordance with data principles and documented in compliance with the Information Sharing policy. Data controllers located or operating within the county of Wiltshire are encouraged to support the work of the Wiltshire Information Sharing Charter (WiSC) and to draw up PISAs under that framework. https://www.wiltshire.gov.uk/wisc

15 & 16 Data Breaches & Security Incidents & Consent

15. Data Breaches & Security Incidents

15.1 If you are aware that you, or someone else, has disclosed personal or sensitive data to someone who did not have permission or authority to receive that information, you must report it to your line manager or the IG Team immediately and in any case within 24 hours of discovery:

a) If any personal information has been sent to the wrong individual, in paper form, attempts must be made to recover the information, ideally in person.
b) If any personal information has been sent to the wrong individual, in electronic form, attempts must be made to ensure the recipient has deleted the information from their computer and email.
c) Your line manager must ensure a report is sent to the IG team so that they have all the necessary information in case the breach needs to be notified to the Information Commissioner's Office (ICO). Where notification is required, it must be made to the ICO within 72 hours of discovery of the breach.

15.2   The mandatory process that governs how that data breach is dealt with is covered in detail in the Council's Data Incident Reporting Policy.

16. Consent

16.1 Only when no other lawful basis to process can be identified will the council seek consent from data subjects to process their personal information.

16.2 Care should be taken not to confuse consent to receive a service or package of services or benefits with consent to process data. GDPR principles are only concerned with consent to process the data.

16.3 Consent will not be regarded as valid unless it can be demonstrated to be fully informed, freely given, and an unambiguous positive indication that the data subject knows what they are consenting to and why.

16.4 Consent must be as easy to refuse or withdraw as it is to give. If consent to process is withdrawn, only once another legal basis has been established may processing restart or continue.


17, 18 & 19 Right of Access to Personal Data, Access to Third Party Personal Data by Elected Representatives & Complaints

17. Right of Access to Personal Data

17.1 All individuals have the right under the GDPR to access any personal data that is being held about them. They also have the right to request the correction of such data where they are inaccurate.

17.2 The council has a Subject Access Process for managing requests for information. An individual who wishes to exercise his/her right of subject access is required to request this information in writing to the council.

17.3 Subject Access requests shall only be responded to by trained staff under guidance from Information Governance personnel. Every effort shall be made to comply within the statutory time limit, which under the UK GDPR is one calendar month from receipt of the request.

17.4 Any inaccuracies in data which are highlighted as a result of disclosure in this way should be communicated immediately to the Information Governance Manager, or Senior Information Governance Lead who shall take appropriate steps to have the necessary amendments made by the relevant service.

18. Access to Third Party Personal Data by Elected Representatives

18.1 MPs and Members of Wiltshire Council can make a request for personal information about someone if they are acting in an official capacity on behalf of a constituent, and this personal information may be provided without the council receiving explicit consent from the data subject in question. Disclosure to elected representatives is made under provisions of Schedule 1, Part 2, paragraph 24 of the Data Protection Act 2018. Advice may be sought from the Data Protection Officer if needed.

18.2 Any further onward disclosure by a Councillor of information supplied to them must be in compliance with data principles, and in particular must be fair and lawful by reference to the first data principle. Responsibility for confirming that such processing activity is compliant and justified by reference to an appropriate legal basis lies with the relevant Councillor.

18.3 Any provision of special category data to an elected member or particularly an MP should therefore be referred to the Information Governance team who will engage with the member and service to facilitate an appropriate solution.

19. Complaints

19.1 Complaints resulting from disclosure of personal information must be referred to the Data Protection Officer or Information Governance Manager who will be responsible for investigating them and preparing an appropriate response.

20, 21, 22 & 23 CCTV, Covert Surveillance - Regulation of Investigatory Powers Act (RIPA), Travelling Abroad, Email

20. CCTV

20.1 A number of CCTV cameras are present on the council sites, to assist with security for staff, other individuals and their property.

20.2 Disclosure of images from the CCTV system will be controlled and consistent with the purpose for which the system was established. For example, it will be appropriate to disclose images to law enforcement agencies if necessary to support a criminal investigation but it would not necessarily be considered appropriate to place images of identifiable individuals on the internet or disclose them to the media for entertainment purposes.

20.3 Images may be released to the media for identification purposes; however, this should not generally be done by anyone other than a law enforcement agency.

20.4 If you have any queries regarding the operation of or access to the CCTV system, please contact the council Head of Service for Facilities Management.

20.5 If access is required in connection with ongoing disciplinary matters, permission should be sought from the Head of Human Resources or their nominated deputy.

21. Covert Surveillance - Regulation of Investigatory Powers Act (RIPA)

21.1 The Council does not in general operate under the remit of RIPA, however if you are doing any of the following please contact Information Governance for advice and guidance to ensure compliance with the law.

a) Use of private investigators
b) Use of cameras or sound recordings to monitor members of the public
c) Use of Facebook or other Social Media to trace or monitor members of the public
d) Use of Social media to screen or assess prospective or current employees

22. Travelling Abroad

22.1 You should not take your corporate laptop or corporate mobile phone abroad unless you have been authorised to travel abroad to work. If you intend to travel abroad for work you must contact the ICT helpdesk or Information Governance who will advise you. Different countries have a variety of controls and restrictions on travelling with encrypted devices, and there are implications that arise if taking personal data out of the UK.

23. Email

23.1 It is permissible and appropriate for the council to keep records of internal communications, provided such retention complies with the Data Protection Principles.

23.2 All council staff should be aware that the GDPR subject access right, subject to certain exceptions, also applies to e-mails that contain personal data about individuals which are sent or received by council staff.

24. Disclosure outside of the United Kingdom (UK) or European Economic Area (EEA)

24.1 The council may, from time to time, need to transfer personal data to countries or territories outside the UK, including to the European Economic Area (the EU member states plus the European Free Trade Association (EFTA) countries of Iceland, Liechtenstein and Norway), in accordance with purposes made known to individual data subjects.

24.2 Such a transfer will normally only be lawful if it is to a destination that has been recognised as providing an adequate level of protection; this is called a transfer on the basis of an adequacy decision. A country that implements the GDPR is presumed to have adequacy. At the time of writing, transfers from the EU to the UK continue under a transitional arrangement pending a formal EU adequacy decision for the UK. Other countries may have adequacy decisions in their favour; the current list is maintained by the ICO. The USA does not have a general adequacy decision (the EU-US Privacy Shield was invalidated in 2020), so transfers there require appropriate safeguards, such as standard contractual clauses, or an exemption (see 24.5).

24.3 If you are considering transferring data to another country, outside of the UK please consult the Information Governance team first - before any such transfer.

24.4 If an individual wishes to raise an objection to disclosure, then written notice should be given to the council's Data Protection Officer.

24.5 Other personal data, even if it would otherwise constitute fair processing, must not, unless certain exemptions apply or protective measures taken, be disclosed or transferred outside the UK  to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.

24.6 The Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 (SI 2019/419) came into effect at the end of the EU exit transition period (31 December 2020). Their effect is to recognise, for UK purposes, the EU adequacy decisions in force at that date, which cover all EEA and EU countries plus, among others, Switzerland, Canada, Argentina, Guernsey, the Isle of Man and Jersey, and the transfer of Air Passenger Name Record data to the United States' Bureau of Customs and Border Protection.

24.7 The SI 419/2019 also amends the UK data protection legislation throughout, to reflect the exit from the EU, but at this time does not alter significantly the remaining content as it applies the principles and our compliance to them. In the future, it will be possible for the UK to diverge significantly from the current legislation, and the Information Governance Team will publicise any such changes as and when they take effect.

25 & 26 Retention of Data & Training

25. Retention of Data

25.1 The council will hold different types of information for differing lengths of time, depending on legal and operational requirements, following which it will either be archived or securely destroyed.

25.2 This will be done in accordance with the retention and disposal periods detailed in the council's retention schedule, which is compliant with National Archives guidance, the Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000, and the relevant legislation.

25.3 All data retention will comply with the fifth principle (storage limitation) in Article 5 of the GDPR. Data will not be kept for longer than is necessary for the purposes for which it is processed. Guidance and retention schedules are published online.

26. Training

26.1 All staff will receive mandatory training on data security, data principles, and general compliance with the GDPR. This training will be repeated at regular intervals no greater than 24 months and tailored to meet different needs of the various council service areas.

27. Appendix EEA Countries

27.1 Article 44 of the General Data Protection Regulation 2016 permits the transfer of personal information to countries or territories outside the EEA only where the conditions of Chapter V are met, namely an adequacy decision, appropriate safeguards, or a specific derogation. The GDPR applies to the member states of the European Economic Area (EEA).

27.2 Currently the EEA consists of the 27 European Union member states and 3 additional states. The European Union states are:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • The Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

27.3 The other EEA states are:

  • Iceland
  • Liechtenstein
  • Norway
