
Data Protection and Subject Access Policy

12, 13 & 14 Special Category Data & Data Protection Impact Assessments (DPIA) & Data Security and Disclosure

12. Special Category Data

12.1 The council will process "special category data" relating to staff, clients, contractors and other individuals. This category of personal data may include information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person's sex life or sexual orientation. This category also applies where the processing of genetic data, or biometric data is for the purpose of uniquely identifying a person.

12.2 The council may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal enforcement obligations. Such processing will be in accordance with the provisions of the Data Protection Act 2018.

12.3 In circumstances where sensitive personal data is to be held or processed, the council will only seek the explicit consent of the individual in question when no other legal basis to process applies (e.g. to perform a legal duty regarding employees, to protect the data subject's or a third party's vital interests or if it is necessary for the purposes of the provision or management of health or social care services).

13. Data Protection Impact Assessments (DPIA)

13.1 The Council must carry out a DPIA in all new decision-making processes and projects where this is likely to result in a high risk to people's rights and freedoms. Guidance on DPIAs is available from the Information Governance Team.

14. Data Security and Disclosure

14.1 All staff within the council are responsible for ensuring that any personal data that they hold are kept securely, and that personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party. Every reasonable effort must be made to ensure that data are not disclosed accidentally.

14.2 Deliberate unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. Such deliberate action also has the potential to be a criminal offence. If in any doubt, consult the Information Governance Manager, Data Protection Officer, or Human Resources. Personal data must be kept securely and examples of how this may be done will include:

14.3 Keeping the data in a locked filing cabinet, drawer or room; or if the data is computerised, ensuring that the data is password protected or kept on a secure network and only where necessary as a temporary measure on secure removable media.

14.4 Any other appropriate security measures which are detailed in the council's IG policy section of the internal web, such as clear desk policy, confidential waste disposal and guidance on secure transfer of personal information and meetings held in public places.

14.5 Personal Information Sharing Agreements (PISAs) will be required to facilitate regular and routine sharing of personal information with external organisations and partner agencies. All other information sharing will need to be justified in accordance with data principles and documented in compliance with the Information Sharing policy. Data controllers located or operating within the county of Wiltshire are encouraged to support the work of the Wiltshire Information Sharing Charter (WiSC) and to draw up PISAs under that framework. https://www.wiltshire.gov.uk/wisc
