GDPR and Data Protection Policy
LLANDEILO TOWN COUNCIL
General Data Protection Regulation Policy (GDPR)
Policy
It is Llandeilo Town Council’s policy to ensure it collects, maintains and processes personal data in compliance with the Data Protection Act 2018 (which superseded the Data Protection Act 1998) and the EU General Data Protection Regulation.
- Data Protection Policy for website
Personal data will be collected only to respond to enquiries, carry out council business, fulfil contractual obligations or maintain contact for ongoing communication. The information kept includes information on council staff, councillors and members of the public.
Data collected is limited and consists of names, titles, dates of birth, reference numbers, contact details, postal addresses, bank details and email addresses. More sensitive personal data, and information such as affiliation to or representation of specific organisations (government bodies, political parties, trusts or any other association), will only be recorded if clearly relevant to the enquiry or case.
Any personal data provided by you is only made public where necessary due to legal requirements or a clear public interest. For example, letters or requests received from you may be discussed in council meetings, which are public and minuted, but only your name and the affiliations relevant to your request will be mentioned, not your contact details or other personal or sensitive data.
Minutes and letters will be kept for a minimum of 5 years in electronic and paper form.
Your data will not be used for marketing purposes or sold. It will not be shared with third parties unless this is a direct consequence of action we are required to take, e.g. should we need to instruct builders or engineers to carry out work for us on your premises. Any use of your information beyond these practical purposes will need your prior consent.
Data are kept securely and access is only given to the officers and councillors who need to deal with them.
You have the right to object to us holding any data not needed for us to carry out our contractual, legal or council duties; you can withdraw your consent; and you have the right to access any data we hold about you.
If you suspect any breach of data protection, have complaints regarding your data, want to withdraw your consent to your data being kept, or have any other data or record related issue, please contact the Town Clerk or the Data Protection Officer at CCC. ________________
All electronic data are protected at all times by firewalls and passwords and by the use of secure, dedicated council email addresses; all council data is sent only to these dedicated email addresses, which are accessed on secured and password protected Chromebooks. Councillors are trained in handling data securely.
KEY PRINCIPLES
Personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date, with every reasonable step taken to correct or erase inaccurate data
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data.
Individuals have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to object
Note:
The council may retain data where there is a regulatory obligation to do so or where it may need the data to establish a legal defence in the future. Where there has been a business relationship (as opposed to just marketing or social media contact, for example), the Town Council may retain the data for as long as it is needed for that purpose. Other exemptions from erasure are the fulfilment of contractual necessities, legal compliance, protection of vital interests and the public interest. (Link to CCC full policy)
- Data protection and data privacy policy
All councillors and staff will be trained on our data policy and on best practices for data privacy and data protection.
Data Handling
All data will be recorded, handled, stored and destroyed securely whether in electronic or paper form. Cabinets and offices are locked when not in use and keys only accessible to authorised personnel; buildings are protected by alarm systems. Data will only be handled or processed by relevant staff.
Computers and all council-owned and personal devices that contain council data, such as the Chromebooks or personal smartphones with email applications, must be password protected and kept secure and on the person at all times when in public. They must never be left unattended, even when locked, and must be kept safe in the home, too.
The council IT system, its firewalls and anti-virus software will be updated regularly and data securely backed up and stored at regular intervals.
When handling council data, whether in public or on private premises, staff and councillors must always be aware of the visibility of their computer, tablet and mobile phone screens and of the possibility of inadvertently leaking sensitive information into unauthorised hands through careless handling of data and devices.
Attention must also be given to preventing access to this information by visitors to their office space or home.
Councillors and staff are responsible for keeping up to date with the LTC data privacy and protection policies and for exercising due diligence. Breaches may lead to disciplinary action being taken.
Ideally, all council data should only be dealt with on dedicated devices and dedicated email addresses. If these are provided then other means must not be used.
Devices and email accounts must be password protected; passwords must not be shared, written down where they can be found, left accessible or kept with the device.
Sharing of devices and email systems handling council data with non-councillors is prohibited. It is essential that you are familiar with the specifics of the email system to avoid accidentally sharing information with unauthorised people, such as sending emails to the wrong person.
Use of private, non-council memory sticks, SD cards, CD-ROMs and DVDs is only permitted when there is a genuine need to use them and no alternative method is available. Prior permission must be obtained from the Town Clerk and the Mayor. Information on these devices must be encrypted, and the devices must be stored and transported securely at all times.
Cloud storage of data (including Dropbox and Microsoft OneDrive) and the use of unencrypted messaging and file sharing systems, such as Messenger, are prohibited.
Care must be taken with verbal communication between councillors and staff when other people are present; this includes social media postings. Councillors and staff must always take note of their surroundings and of any possible audience for a discussion or shared information (including the privacy settings of their own and their communication partner’s social media accounts) to ensure that what is shared is appropriate.
Councillors and staff must also be careful when using the devices that handle council data. Browsing untrusted sites and streaming media on council devices is prohibited.
To avoid hacking, phishing emails and malware, staff and councillors should not open suspicious emails, i.e. emails containing unexpected hyperlinks or attachments, emails from unknown or unlikely sources, and emails with odd or extremely generic subject headings. Clicking links or opening attachments in these emails can install viruses or spyware on the system; opening or replying to so-called phishing (fake) emails confirms the address is live and can lead to an increase in spam and further targeted attempts; using unsecured messaging and file sharing on your computer can also lead to hacking and data breaches.
Confidentiality
Definitions:
Personal data: Information relating to an identifiable individual
Sensitive Personal data (known as special category data under the GDPR): Data that reveals racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health or sex life, and data relating to criminal proceedings or convictions
Data Breaches
In case of a suspected data breach you should contact the Town Clerk and ________ at CCC immediately, so that, where required, the Information Commissioner’s Office can be notified within 72 hours of the council becoming aware of the breach. All data breach incidents are to be treated as serious and fully investigated and, if proven to be due to negligence, disciplinary action must be taken.
Self-assessment for organisations:
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/