GENERAL PRIVACY NOTICE

Download Copy

  1. What is personal data?

 

Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address or address). This applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.

 

  1. Who are we?

 

This Privacy Notice is provided to you by Great Torrington Town Council which is the data controller for your data.

 

  1. Other data controllers the Council works with:

 

  • Torridge District Council

  • Devon County Council

  • HMRC

 

We may need to share your personal data we hold with them so that they can carry out their responsibilities to the Council. If we and the other data controllers listed above are processing your data jointly for the same purposes, then the Council and the other data controllers may be “joint data controllers” which mean we are all collectively responsible to you for your data. Where each of the parties listed above are processing your data for their own independent purposes then each of us will be independently responsible to you and if you have any questions, wish to exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the relevant data controller.

 

A description of what personal data the Council processes and for what purposes is set out in this Privacy Notice.

 

The Council will process some or all of the following personal data where necessary to perform its tasks:

 

  • Names, titles, aliases and photographs;

  • Contact details such as telephone numbers, addresses and email addresses;

  • Where they are relevant to the services provided by a Council, or where you provide them to us, we may process information such as gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition and dependants;

  • Where you pay for activities such as allotments, or we pay you for services rendered, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;

  • The personal data we process may include sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, or data concerning sexual life or sexual orientation.

 

  1. How we use sensitive personal data

 

  • We may process sensitive personal data including, as appropriate:



    • information about your physical or mental health or condition in order to monitor sick leave and take decisions on your fitness for work;

    • your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;

    • in order to comply with legal requirements and obligations to third parties.



  • These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.



  • We may process special categories of personal data in the following circumstances:

    • In limited circumstances, with your explicit written consent.

    • Where we need to carry out our legal obligations.

  • Where it is needed in the public interest.

 

  • Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

 

The Council will comply with data protection law. This says that the personal data we hold about you must be:

 

  • Used lawfully, fairly and in a transparent way.

  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

  • Relevant to the purposes we have told you about and limited only to those purposes.

  • Accurate and kept up to date.

  • Kept only as long as necessary for the purposes we have told you about.

  • Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data to protect personal data from loss, misuse, unauthorised access and disclosure.

 

We use your personal data for some or all of the following purposes:

 

  • To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;

  • To contact you by post, email, telephone or using social media (e.g. Facebook, Twitter, WhatsApp);

  • To help us to build up a picture of how we are performing;

  • To prevent and detect fraud and corruption in the use of public funds and where necessary for the law enforcement functions;

  • To enable us to meet all legal and statutory obligations and powers including any delegated functions;

  • To promote the interests of the Council;

  • To maintain our own accounts and records;

  • To seek your views, opinions or comments;

  • To notify you of changes to our facilities, services, events and staff, councillors and other role holders;

  • To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives;

  • To process relevant financial transactions including grants and payments for goods and services supplied to the council;

  • To allow the statistical analysis of data so we can plan the provision of services.

 

  1. What is the legal basis for processing your personal data?

 

The Council is a public authority and has certain powers and obligations. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the Council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the Council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the Council’s obligations to you.

 

We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be the acceptance of an allotment garden tenancy.

 

  1. Sharing your personal data

 

This section provides information about the third parties with whom the Council may share your personal data. These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. It is likely that we will need to share your data with some or all of the following (but only where necessary):



  • The data controllers listed above under the heading “Other data controllers the council works with”;

  • Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software;

  • On occasion, other local authorities or not for profit bodies with which we are carrying out joint ventures e.g. in relation to facilities or events for the community.



  1. How long do we keep your personal data?



We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 7 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.

 

  1. Your rights and your personal data

 

You have the following rights with respect to your personal data:

 

When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.

  • The right to access personal data we hold on you

  • The right to correct and update the personal data we hold on you

  • The right to have your personal data erased

  • The right to object to processing of your personal data or to restrict it to certain purposes only restrict.

  • The right to data portability.

  • The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained.

 

  • The right to lodge a formal complaint with the Information Officer’s office.

 

 

  1. Children

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the Council requires consent from young people under 13, the Council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children age 13 plus, must be written in language that they will understand.

  1. Contact

 

You can contact Town Council on 01805 626135 or via e-mail admin@great-torringtontowncouncil.gov.uk or write: Castle Hill, Great Torrington, EX38 8AA

The Information Commissioner’s Office of 0303 123 1113 or via e-mail https://ico.org.uk/global/contact-us/email/ or at The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

 

  1. Transfer of Data Abroad

 

Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. [Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas].

 

  1. Further processing

 

If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing

  1. Changes to this notice

 

We keep this Privacy Notice under regular review and we will place any updates on our web page.

GENERAL DATA PROTECTION REGULATION POLICY

Download Copy

1.    Purpose of the policy and background to the General Data Protection Regulation (GDPR)

This policy explains to councillors, staff, role holders and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy includes the additional requirements of GDPR which apply in the UK from May 2018. This policy explains the duties and responsibilities of the Town Council and it identifies the means by which the council will meet its obligations.

2.    Identifying the roles and minimising risk

GDPR requires that everyone within the Council must understand the implications of GDPR and that roles and duties can be assigned.

§  A Data Subject is an individual who is the subject of personal data;

§  The Council is the Data Controller;

§  The Town Clerk is the Data Protection Responsible Officer (DPRO). 

It is the DPRO’s duty to undertake an information audit and to manage the information collected by the Council, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information.

§  The Data Processor is the person who processes data on behalf of the Data Controller.

GDPR requires continued care by everyone within the Council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the Council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and also to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as medium risk to the Council (both financially and reputational). Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the Council undertaking training in data protection awareness.

3.    Data Protection Principles

It is the duty of a data controller to comply with data protection principles.  These are summarised in that personal data;

§  Must be processed fairly and lawfully and in a transparent manner;

§  Must be collected and held only for specified, explicit and lawful purposes;

§  Must be adequate, relevant and limited to what is necessary for the purposes for which it is processed;

§  Must be accurate and kept up-to-date;

§  Must not be kept for any longer than is necessary for the stated purpose;

§  Must be processed in a manner that ensures appropriate security of the personal data;

§  Must have appropriate technical and organisational safeguards against unauthorised or unlawful processing;Must not be transferred to any country outside of the European Economic Area unless that country has an adequate level of protection o the rights and freedoms of the data subjects.

4.    Lawful bases of Processing

§  Consent

§  Contract

§  Legal Obligation

§  Vital Interests

§  Public Tasks

5.    Data breaches

One of the duties assigned to the DPRO is the investigation of any breaches. Personal data breaches should be reported to the DPRO for investigation. The DPRO will conduct this with the support of the Town Council.  Investigations must be undertaken within one month of the report of a breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPRO will also have to notify those concerned directly.

It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.

6.    Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what a Council does with their personal information. A privacy notice will contain the name and contact details of the data controller and Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice must be detailed on the Information Audit kept by the Council. The Council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved.

7.    Information Audit 

The DPRO must undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the Council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the Council undertakes a new activity. The information audit review should be conducted ahead of the review of this policy and the reviews should be minuted.

8.    Individuals’ Rights

GDPR gives individuals rights with some enhancements to those rights already in place:

§  the right to be informed

§  the right of access

§  the right to rectification

§  the right to erasure

§  the right to restrict processing

§  right to data portability

§  the right to object

§  the right not to be subject to automated decision-making including profiling.

 

The two enhancements of GDPR are;

§  That individuals now have a right to have their personal data erased (sometime known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge.

§  Data portability refers to the ability to move copy or transfer data easily between different computers.

If a request is received to delete information, then the DPRO must respond to this request within a month. The DPRO has the delegated authority from the Council to delete information.

If a request is considered to be manifestly unfounded then the request could be refused or a charge may apply. Council will be informed of such requests.

9.    Children

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the Council requires consent from young people under 13, the Council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children age 13 plus, must be written in language that they will understand.

10. Summary

 In summary, the main matters arising within this policy are:

§  The Council must be registered with the ICO.

§  A copy of this policy will be available on the Council’s website. The policy will be considered as a core policy for the Council.

§  The Clerk’s Contract and Job Description (if appointed as DPRO) will be amended to include additional responsibilities relating to data protection.

§  An information audit will be conducted and reviewed at least annually or when projects and services change.

§  Privacy notices must be issued.

§  The Town Council will manage the process.

This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.

All employees, role holders and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council. 

11. Document Record

Document

General Data Protection Policy

Lead Author(s):

Karen Chapman – Town Clerk

Developed by:

Great Torrington Town Council

Approved by/Date

Policy and Finance 26.09.18

Ratified/Adopted and date:

Council Meeting 04.10.18

Review Date:

August 2019

Version:

1

 

 

DATA RETENTION POLICY

Download Copy 

 1. Introduction

The Town Council recognises that the efficient management of its records is necessary to comply with its legal and regulatory obligations and to contribute to the effective overall management of the Town Council.

This document provides the policy framework through which this effective management can be achieved and audited. It covers:

Scope

Responsibilities

Retention Schedule

 2. Scope of the Policy

This policy applies to all records created, received or maintained by the Town Council in the course of carrying out its functions. Records are defined as all those documents which facilitate the business carried out by the Town Council and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. These records may be created, received or maintained in hard copy or electronically. A small percentage of the Town Council’s records will be selected for permanent preservation as part of the Council’s archives and for historical research.

This policy has been drawn up within the context of:

• Freedom of Information

• General Data Protection Regulation

And with other legislation or regulations (including audit and Statute of Limitations) affecting the Town Council.

3. Responsibilities

The Town Council has a corporate responsibility to maintain its records and record management systems in accordance with the regulatory environment.

The person with overall responsibility for the implementation of this policy is the Clerk to the Town Council, and the Clerk is required to manage the Council’s records in such a way as to promote compliance with this policy so that information will be retrieved easily, appropriately and in a timely manner.

4.    Retention Schedule

Under the Freedom of Information Act 2000, the Town Council is required to maintain a retention schedule listing the record series which it creates during its business. The retention schedule lays down the length of time which the record needs to be retained and the action which should be taken when it is of no further administrative use.

The Clerk is expected to manage the current record keeping systems using the retention schedule and to take account of the different retention periods when creating new record keeping systems. This retention schedule refers to record series regardless of the media in which they are stored.

Document

Minimum Retention

 

 

Reason

Minute Books/Electronic Minutes

Indefinite

Archive

Annual Accounts

Indefinite

Archive

Annual Audit Returns

Indefinite

Archive

Bank Statements

7 years

Audit/ Management

Cheque Book Stubs

7 years

Management

Paying in books

7 years

Management

Quotations

7 years

Audit

Paid Invoices

7 years

Audit

Receipts

7 Years

Audit

VAT Records

7 years

Audit

Salary Records

7 years

Audit

Tax and NI records

7 years

Audit

Employee Records

2 years

Audit

Period of employment details

7 years

Audit

Employee/Councillor travel/expenses claim

 

7 years

 

Audit

Pension information

13 years

Audit

Insurance Policies

Whilst valid

Audit

Insurance Claims

7 years after completion

Audit

Certificate of Employers Liability

40 years

Audit / Legal

Certificate of Public Liability

40 years

Audit/ Legal

Council Policies

Current version indefinite

Previous version 1 year

Audit/Management

Asset Register

Indefinite

Audit

Deeds and Leases

Indefinite

Audit

Declaration of acceptance of Office (Cllr)

Term of office + 1 year

Management

Members Register of Interests

Term of office + 1 year

Management

Complaints

One year

Management

General Information

Three months

Management

Routine Correspondence/emails

Six months after relevant issue is completed

Management

Public Consultation, survey & returns

5 years

Management

 

 

 

Documentation for Legal purposes (unless extended)

Negligence

6 years

Limitation Act 1980 (as amended)

Defamation

1 years

Limitation Act 1980 (as amended

Contract/Agreement

6 years

Limitation Act 1980 (as amended

Sums recoverable

6 years

Limitation Act 1980 (as amended

Rental Agreement

12 years

Limitation Act 1980 (as amended

Personal injury

3 years

Limitation Act 1980 (as amended

To recover land

12 years

Limitation Act 1980 (as amended

Rent

6 years

Limitation Act 1980 (as amended

 

Planning applications are retained by the Torridge District Council and Devon County Council. There is no requirement to retain duplicates locally. All Town Council recommendations in connection with these applications are recorded in the Council minutes and are retained indefinitely.

Correspondence received in connection with applications will be retained as stated above (see Correspondence)

All documents that are no longer required for administrative purposes will be shredded (if confidential) or recycled waste.

5.    Document Record

Document:

Data Retention Policy

Lead Author(s:

Karen Chapman – Town Clerk

Developed by:

Great Torrington Town Council

Approved by/Date:

Policy and Finance – 26.09.18

Ratified/Adopted and date:

Council Meeting – 04.10.18

Review Date:

August 2020

Version:

1

 

Great Torrington Town Council  complies with the new General Data Protection Regulations.  Please use the links to view our General Data Protection Privacy Notices, our Data Protection Policy an Our Data Retention Policy.