Data Protection Policy
We formally adopted this policy on 16 October 2002, and it applies to all employees, and those acting on our behalf.
We are required to gather and process information about our staff and people in the community in order to operate effectively. This will be done in accordance with the Data Protection Act 1998 (the Act), and other related government legislation.
We act as custodians of personal data, with a moral duty to ensure that all such data is handled properly and confidentially at all times, irrespective of whether it is held on paper or by electronic means.
This covers the whole lifecycle, including:
- the obtaining of personal data
- the storage and security of personal data
- the use of personal data
- the disposal/destruction of personal data
We have a responsibility to ensure that data subjects have appropriate access, upon written request, to details regarding personal information relating to them.
By following and maintaining strict safeguards and controls, we will:
- Acknowledge the rights of individuals to whom personal data relates, and ensure that these rights may be exercised in accordance with the Act
- Ensure that both the collection and use of personal data is done fairly and lawfully
- Ensure that personal data will only be obtained and processed for the purposes specified
- Collect and process personal data on a need-to-know basis, ensuring that such data is fit for the purpose, is not excessive, and is disposed of at a time appropriate to its purpose
- Ensure that adequate steps are taken to ensure the accuracy and currency of data
- Ensure that for all personal data, appropriate security measures are taken, both technically and organisationally, to protect against damage, loss or abuse
- Ensure that the movement of personal data is done in a lawful way, both inside and outside the Council and that suitable safeguards exist at all times
In order to support these actions, the Council will:
- Nominate a Data Protection Officer for the Council, responsible for gathering and disseminating information and issues relating to information security, the Data Protection Act and other related legislation
- Ensure that Chief Officers are responsible for communications and issues relating to information security, the Data Protection Act, and other related legislation within their department
- Ensure that all activities that relate to the processing ¹ of personal data have appropriate safeguards and controls in place to ensure information security and compliance with the Act
- Ensure that all contracts and service level agreements between the Council and external third parties, where personal data is processed, make reference to the Act as appropriate
- Ensure that all staff acting on the Council's behalf understand their responsibilities regarding information security under the Act, and that they receive the appropriate training / instruction and supervision so that they carry these duties out effectively and consistently and are given access to personal information that is appropriate to the duties they undertake
- Ensure that all third parties acting on the Council's behalf are given access to personal information that is appropriate to the duties they undertake and no more
- Ensure that any requests for access to personal data are handled courteously, promptly and appropriately, ensuring that either the data subject or his/her authorised representative has a legitimate right to access under the Act, that the request is valid, and that information provided is clear and unambiguous ²
- Work towards adopting, as best working practice, the key principles of BS7799, the British Standard on Information Security Management
- Review this policy and the safeguards and controls that relate to it annually, to ensure that they are still relevant, efficient and effective
¹ Processing is defined by the Act as obtaining, recording, holding, organisation, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, blocking, erasure and destruction
² All actions regarding data subject access requests will be logged. This audit trail will include details regarding the nature of the request, the steps taken to validate it, the information provided as well as any withheld, e.g. for legal reasons.
What are your rights under data protection?
- to ask what the Council uses the information for
- to be provided with a copy of the information
- to be given details of the purposes for which the council uses the information and other persons/organisations to whom it is disclosed
- to ask for incorrect data to be corrected
Why do we keep personal information?
The Council keeps personal information about you in order that:
- it can provide you with the services you require
- it can collect Council Tax
- it can assess the correct level of benefit for your needs
- it can provide you with up to date information about these services and the most appropriate service for your needs
The information about you is also used to maintain a record of any help provided in order that we can look at it from time to time to see if it is still what you need and to plan for any changes. The personal information you provide may also be shared with other agencies involved in the provision of services to you, and between departments of the Council where we are legally required to do so.
Who do we share information with?
Depending on the original purpose for which it was obtained and the use to which it is to be put, information may be shared with a variety of services; examples include Housing sharing with Health, and Housing Benefits sharing with the DSS. It may also be shared, where necessary, with other organisations that provide services on our behalf, e.g. contractors working for the Council.
In all of these examples the information provided is only the minimum necessary, to enable them to provide services to you.
Personal information about you may also be provided to Government departments, or other local councils, where we are required to do so by law. An example would be when you have moved from one Council's area to another, and the new Council requires confirmation of the services you were receiving.
Information about you may also be provided for statistical research. This will not include your name and address unless you have given us permission to provide the information.
What sort of information do we hold?
The personal information held will depend on the service being provided. Basic information; that is, your name and address, age, date of birth, sex, next of kin; plus a note of the service provided, decisions regarding the provision, and any meetings between you and the department of the Council providing the service will appear on all records.
Other more sensitive data may also be held. Depending on the needs of the service being provided, such data may include, for example, details of a person's physical or mental health, disabilities and racial or ethnic origin. Data relating to specific services includes the level of payment and the current state of the account (council tax), and property details and extent of proposed alterations (planning).
How do we keep the information, and who is responsible?
The information is kept on secure computer systems and in secure manual filing systems. Maintaining the record and keeping it secure is the responsibility of the departments of the Council providing the services you receive.
Are the records confidential?
The Council's employees have a duty of care when providing services. This includes respecting the right to confidentiality, and ensuring that information about you is only used and given to others for the purposes of the service being provided. Care is taken to ensure that third parties cannot access the information without permission and that data about you is not disclosed - to third parties or others - without your consent.
How long are records about you held?
Normally, your records will be kept only for as long as the service is provided to you, or as is required by law. If there is no legal requirement to keep the records they will be destroyed as soon as is practicable. Where there is a legal requirement to retain information it is not normally kept for more than six years.
How do you ask to see your information?
You can either choose to download a Subject Access Request Form (word/50.2KB/2 pages) or email email@example.com. Alternatively, you can write to the address below, or call at South Lakeland House, Kendal in person.
The Data Protection Officer
South Lakeland District Council
When you do so you must provide your name and address; details of the service(s) you are receiving; and any other information such as date of birth, gender, householder status (eg tenant, owner) you think may help us find your information. If you have any difficulty with the form, help will be provided.
You may also use the above contact information if you think any information about you is inaccurate, incomplete, or if you want to change the sort of information about you that we may have collected.
What information will you receive?
All of the personal information we hold about you on both our computer and manual record systems. You will also be given a description of the purposes for which we process your data, a list of those to whom we disclose the data, and information about sources where this is available.
Can you see information about members of your family or any other person?
You may not see information about other persons, unless they have given their consent. This includes information about members of your family. If you are a parent or a member of an elderly person's family you may be provided with information about your child, or the elderly person, but only where you have written permission to ask for it, or have been granted powers to do so by the courts, and the Council is satisfied that such permissions are genuine.
Will you be charged a fee for information provided?
No, the Council does not currently charge, although this is reviewed annually.
How long does it take to provide you with the information?
The Council must respond within 40 days of receiving your application. The 40 days starts from the date on which you sent in the written application, and any additional information required by the Council.
What should you do when you get the information?
You should check it to ensure that you have received all of the information to which you are entitled, and to make sure it is correct.
What do you do if the information provided is incorrect?
You should tell the Council that the data is incorrect and ask them to correct it. You must do so in writing. The Council must inform you if they have, or have not corrected the data within 21 days of you asking them to. If the department does not agree that the information is incorrect you can ask it to record your disagreement on the record itself.
If the Council does not correct the information you may also appeal to the Information Commissioner or the courts. These organisations have the power to order the Council to correct data.
When is data inaccurate?
The Act defines inaccurate data as being "data which is incorrect or misleading as to any matter of fact".
How can you have inaccurate data about you corrected?
The Act provides you with a right to apply to the court to have inaccurate data rectified, blocked, erased or destroyed. This right extends to any other personal data, which contains an opinion based on the inaccurate data.
What do you do if you think you have not been given all the information you asked for?
You can appeal to the Council, through its complaints procedure, or to the Information Commissioner whose staff will look into the matter on your behalf.
Do you have any other rights under the Data Protection Act, and what are they?
Yes. In addition to the right of subject access, individuals have the following rights:
- To prevent processing likely to cause damage or distress
- To prevent processing for the purposes of direct marketing
- Not to be the subject of decisions based on wholly automated means
- To take action for compensation if he/she has suffered damage by any contravention of the Act, by the Council
- To make a request to the Commissioner for an assessment as to whether any provision of the Act has been contravened by the Council
As far as the first three of these rights are concerned you should write to the Council informing us that you require us to cease processing personal data about you. In the case of the first of these you must state the purpose for which the data is being processed, and that you consider the processing is already causing, or is likely to cause you or another person unwarranted substantial damage or distress.
The second requires you to notify the Council in writing, that we should cease, or not begin the processing of personal data about you for the purpose of direct marketing.
The third is specific to the use of automated decision-making processes. If you do not wish to be the subject of a decision based wholly on such a process, you must write to the Council requiring us to ensure no decision which significantly affects you is based solely on such processing.
How will you know if the Council has made any decision about you based, wholly, on automated processes?
If we have not received a notice from you we will inform you that a decision, which significantly affects you has been taken by automatic means. If we do so and you object, then you can inform us in writing that you require us to reconsider the decision, or to take a new decision by some other means. The Council has 21 days of our telling you that we have made our decision by automated means.
How can you be sure the Council has complied with your notice(s)?
The Act requires us to respond to your notice within 21 days of receiving it. Our reply will tell you whether or not we have complied with your request, intend to comply with your request, or the extent to which we intend to comply. If we do not consider your request is justified, our response will list our reasons.
What do you do if the Council does not reply, or refuses to comply with your notice?
If you do not receive a reply, or you consider the Council has not complied with any of the above notices, you have a right to apply to the court for an order requiring us to comply.
Under what circumstances can you claim compensation?
If you have suffered damage or distress as a result of the contravention of any requirements of the Act, by the Council, you may be entitled to compensation.
The court will only support such a claim if you can show that the Council had not taken reasonable care to ensure it complied with the relevant requirements of the Act.
Are you entitled to compensation as a result of our use of inaccurate data?
As with the example quoted above, only if the court is satisfied that you have suffered damage as a result of the Council's use of inaccurate data.
What can you complain to the Information Commissioner about?
You can complain to the Information Commissioner if you consider the Council has breached any of the requirements of the Data Protection Act. These include:
- a breach of any of the Data Protection Principles
- processing data without having notified the Commissioner
- failure to respond to any of your written notices (see above)
- processing data without your consent (where consent is necessary)
- refusing to provide you with the personal information you have requested
This list is not exhaustive.
What will the Commissioner do?
At your request the Commissioner will carry out an assessment of the Council's processing to establish whether or not we are doing so in compliance with the Act.
Should the Commissioner find we are not, then the Council will be issued with a notice requiring it to take steps to ensure compliance.
Do we provide you with help in understanding the information?
If you need help in understanding the information provided, please inform the Council, and we will provide someone to explain.