Our Data Protection Policy

The Data Protection Act 1998, which came into force on 1st March 2000, regulates the processing of information about living individuals. This Act applies to all personal data held electronically and to personal data held manually in a relevant filing system. The authority will process personal data and sensitive personal data in compliance with this legislation.


Scope

This Policy applies to all personal data that Redcar and Cleveland Borough Council processes. It covers personal data held in manual files as well as on computer databases.

All Local Authorities have a duty to improve the health of the population they serve. To help with this, we use data and information from a range of sources including hospital episodes and births and death registrations to understand more about the nature and causes of disease and ill-health in the area, alongside health and care needs. This data is processed in order to fulfil our requirements with regard to public health.


Our Policy

We are committed to ensuring the confidentiality and security of all personal data we come into contact with. This is successfully achieved by acting in accordance with the following 8 principles of the Data Protection Act 1998:

  • Personal data shall be processed fairly and lawfully
  • Personal data shall only be obtained for one or more specified and lawful purposes
  • Personal data shall be adequate, relevant and not excessive
  • Personal data shall be accurate
  • Personal data shall not be kept for longer than is necessary
  • Personal data shall be processed in accordance with the rights of the data subject
  • Personal data shall be kept secure
  • Personal data shall not be transferred outside of the European Economic Area unless an adequate level of data protection is ensured

We will notify the Information Commissioner of details of our Personal Data processing activities and maintain an accurate entry in the Public Register of Data Controllers.

All data subjects will be informed of the purposes for which their personal data are to be processed and where necessary will be asked to consent to further processing. With regard to processing sensitive personal data, explicit consent must be given.

We will only hold the minimum amount of personal data to carry out the processes specified. We will ensure that all data is accurate and up-to-date and where no longer required it will be destroyed in line with Retention Legislation, Council Policies or best practice.

Personal data will be collected, stored and processed safely and securely and will only be made available to those who need it in order to carry out the functions.

All Staff, Members and Agents are responsible for ensuring that they adhere to the Data Protection Act in the course of their employment and when handling personal data. Elected Members and staff will be trained to an appropriate level in the use and security of personal data.

Deliberate unauthorised access to, copying of, alteration of, deletion of or interference with data held by the Council is forbidden. Compliance with this policy and related procedures will be monitored and any deliberate breach of this policy or the Data Protection Act will be seen as misconduct and may be subject to action under the disciplinary procedure.

Data matching, which involves comparing computer records from one body against those from another body, will only take place in instances where it is permitted by Legislation and will be carried out in line with the Code of Practice. The National Fraud Initiative is an example of where data matching is required by law.

If on any occasion personal data is lost, stolen or compromised, the designated officers of the authority will be notified. Should this occur, all Staff, Members and Agents are aware of the appropriate procedure to follow. On more serious occasions the Information Commissioner's Office will also be notified.


Responsibilities

The overall responsibility for the notification to the Information Commissioner of the Council as a Data Controller and as a Data Processor, for publication of the Council's Publication Scheme and for ensuring compliance with the appropriate statutes rests with the Chief Executive. The Chief Executive must be provided with details of any existing information systems and any proposal to introduce a new information system or to make a change to an existing system in order that any implications for personal data and information security and publication may be assessed and approved before implementation. This will include any necessary amendments to the Council's notifications under the DPA.

Schools are separate entities from the Council and are responsible for their own arrangements. Elected Members have separate notifications covering their constituency work.

Directorates must ensure that contracts with organisations such as data processors, computer suppliers and maintenance companies contain adequate safeguards regarding access to personal data by those organisations.

Individual Directorates are responsible for ensuring any confidential documentation no longer required is disposed of in an appropriate manner and with due regard to its sensitivity. Strict procedures for the distribution, storage and disposal of documentation must be established by individual departments, having regard to the peculiarities of the particular system.


Rights of the individual

Personal data will be processed in accordance with the rights of the individual which are set out in the Act. These rights are as follows:

  • The right of subject access to personal data we hold;
  • The right to prevent processing likely to cause damage or distress;
  • The right to prevent processing for the purpose of direct marketing;
  • The right to request cessation of (purely) automated decision-making;
  • The right to correct, block, erase or destroy data; and
  • The right to seek compensation through the courts

Subject Access Requests

Where any individual submits a valid subject access request (which requires the request in writing, proof of identification and provision of the relevant fee) we aim to provide the requester with a copy of their records within the time limits set out by the Data Protection Act 1998. The Data Protection Act 1998 contains certain exemptions, one of these being the provision of confidential references about members of staff written by the Council.

Further information on Subject Access Requests can be found on the Guidance for data subjects page on our website.


Freedom of Information

Where any person submits a request under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 we will aim to provide a response to this request within the statutory time limit (20 working days).

We maintain an accurate Publication Scheme which enables access to documents we are required to publish by law and other documents which we think you will be interested in. All information will be disclosed upon receipt of a valid request provided that no exemptions/exceptions apply. For more detailed information on how to submit a request under this legislation please see the guidance on our website.


The Caldicott Guardian

A Caldicott Guardian is a senior person who is responsible for the oversight of the arrangements in that organisation for the use and sharing of clinical information.

The role of the Caldicott Guardian is based around the following 6 principles:

  • Justify the purpose(s) for using confidential information
  • Only use it when absolutely necessary
  • Use the minimum that is required
  • Access should be on a strict need-to-know basis
  • Everybody must understand his or her responsibilities
  • Understand and comply with the law

Further information on our Caldicott Guardian and contact details for them can be found on our website under The Role of the Caldicott Guardian.


Definitions

For the purposes of our policy the following definitions apply:

Personal Data is data about a living individual, who can be identified from either those data alone, or those data and other information which is in our possession, or is likely to come into our possession.

Sensitive Personal Data includes the race or ethnic origin of the data subject, their political or religious beliefs, membership of a trade union, physical or mental health, sexual life and orientation, criminal offences either alleged or proven and any sentences they have received.

Relevant Filing System is described as any set of information structured by reference to individuals or that can be accessed by reference to criteria relating to individuals.

Processing covers all actions involved in obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

Data Controller means the person or organisation that determines how data is processed. Redcar and Cleveland Borough Council is the Data Controller for personal data that it processes.

Last updated:
16/08/2017

Assigned review date:
24/08/2016
