GENERAL PRIVACY NOTICE
Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than names but if you use a separate list of the ID numbers which give the corresponding names to identify the staff in the first list then the first list will also be treated as personal data). The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act.
Who are we?
This Privacy Notice is provided to you by the Rowley Parish Council which is the data controller for your data.
Other data controllers the council works with:
- East Riding of Yorkshire Council
- The Emergency Services
- Community groups
- Charities
- Other not for profit entities
- Contractors
We may need to share your personal data we hold with them so that they can carry out their responsibilities to the council. If we and the other data controllers listed above are processing your data jointly for the same purposes, then the council and the other data controllers may be “joint data controllers” which means we are all collectively responsible to you for your data. Where each of the parties listed above is processing your data for their own independent purposes then each of us will be independently responsible to you and if you have any questions, wish to exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the relevant data controller.
A description of what personal data the council processes and for what purposes is set out in this Privacy Notice.
The council will process some or all of the following personal data where necessary to perform its tasks:
- Names, titles, and aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to the services provided by a council, or where you provide them to us, we may process information such as gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition, and dependants;
- Where you pay for activities such as use of a council hall, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers;
- The personal data we process may include sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data concerning sexual life or orientation.
How we use sensitive personal data
- We may process sensitive personal data including, as appropriate:
- information about your physical or mental health or condition in order to monitor sick leave and take decisions on your fitness for work;
- your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
- in order to comply with legal requirements and obligations to third parties.
- These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
- We may process special categories of personal data in the following circumstances:
- In limited circumstances, with your explicit written consent.
- Where we need to carry out our legal obligations.
- Where it is needed in the public interest.
- Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
Do we need your consent to process your sensitive personal data?
- In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.
The council will comply with data protection law. This says that the personal data we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
We use your personal data for some or all of the following purposes:
- To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;
- To confirm your identity to provide some services;
- To contact you by post, email, telephone or using social media (e.g. Facebook, Twitter, WhatsApp);
- To help us to build up a picture of how we are performing;
- To prevent and detect fraud and corruption in the use of public funds and where necessary for the law enforcement functions;
- To enable us to meet all legal and statutory obligations and powers including any delegated functions;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments and generally as necessary to protect individuals from harm or injury;
- To promote the interests of the council;
- To maintain our own accounts and records;
- To seek your views, opinions or comments;
- To notify you of changes to our facilities, services, events and staff, councillors and other role holders;
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives;
- To process relevant financial transactions including grants and payments for goods and services supplied to the council;
- To be able to contact you in the event of an emergency;
- To manage our allotment gardens;
- To allow the statistical analysis of data so we can plan the provision of services.
- Our processing may also include the use of CCTV systems for the prevention and prosecution of crime.
Children
There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.
What is the legal basis for processing your personal data?
The council is a public authority and has certain powers and obligations. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the council’s obligations to you.
We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy.
Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use.
Sharing your personal data
This section provides information about the third parties with whom the council may share your personal data. These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- The data controllers listed above under the heading “Other data controllers the council works with”;
- Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software;
- On occasion, other local authorities or not for profit bodies with which we are carrying out joint ventures e.g. in relation to facilities or events for the community.
How long do we keep your personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases, the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.
Your rights and your personal data
You have the following rights with respect to your personal data:
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to access personal data we hold on you
a) At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, who has access to the personal data and where we obtained the personal data from. Once we have received your request we will respond within one month.
b) There are no fees or charges for the first request but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.
- The right to correct and update the personal data we hold on you
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated.
- The right to have your personal data erased
a) If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold.
b) When we receive your request, we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it to comply with a legal obligation).
- The right to object to processing of your personal data or to restrict it to certain purposes only
You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request, we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data.
- The right to data portability
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained
You can withdraw your consent easily by telephone, email, or by post (see Contact Details below).
- The right to lodge a complaint with the Information Commissioner’s Office.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
Transfer of Data Abroad
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas.
Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
Changes to this notice
We keep this Privacy Notice under regular review and we will place any updates on this web page https://www.rowleyparishcouncil.gov.uk. This Notice was last updated in May 2018.
Contact Details
Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you or to exercise all relevant rights, queries or complaints at:
The Data Controller: Rowley Parish Council, 9 Springdale Way, Newton Drive, Beverley HU17 8NU
Email: rowleyparish@littleweighton.karoo.co.uk
Adopted: May 2018 (RPC).
Rowley Parish Council
GDPR Privacy Policy
- Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be by the personal data alone or in conjunction with any other personal data. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other local legislation relating to personal data and rights such as the Human Rights Act.
This Privacy Policy is provided to you by Rowley Parish Council which is the data controller for your data.
- Council address: 9 Springdale Way, Newton Drive, Beverley, HU17 8NU
- Who are the data controllers?
- Other Local Authorities
- Community groups
- Charities
- Other not for profit entities
- Contractors
- Credit reference agencies
- What personal data is collected?
- Names, titles, and aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Where they are relevant to the services provided by a council, or where you provide them to us, we may process demographic information such as gender, age, marital status, nationality, education/work histories, academic/professional qualifications, hobbies, family composition, and dependants;
- The data we process may include sensitive personal data or other special categories of data such as racial or ethnic origin, mental and physical health, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data concerning sex life or sexual orientation.
- Cookies are sometimes used to improve the web site experience of a visitor to a web site. We may sometimes use cookies on this web site to record aggregate statistical information about the visitors to our site and the use that our visitors make of the web site. When collected this information is used by us to improve our web site and further enhance the visitor experience and may be shared with advertisers. Please note that no personally identifiable information is recorded. We may also use the cookies to gather information about your general internet use to further assist us in developing our web site. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive and then stored there and transferred to us where appropriate to help us to improve our web site and the service that we provide to you. Most browsers allow you to refuse to accept cookies. (For example, in Internet Explorer you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector.) This will, however, have a negative impact upon the usability of many websites. Our advertisers may also use cookies on their web site. We have no control over this and you should review the privacy policy of any advertiser that you visit as a result of an advert or link on this web site.
- The council will comply with data protection law. This says that the personal data we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.
- We use your personal data for some or all of the following purposes:
- To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services;
- To confirm your identity to provide some services;
- To contact you by post, email, telephone or using social media (e.g., Facebook);
- To help us to build up a picture of how we are performing;
- To prevent and detect fraud and corruption in the use of public funds and where necessary for the law enforcement functions;
- To enable us to meet all legal and statutory obligations and powers including any delegated functions;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments and generally as necessary to protect individuals from harm or injury;
- To promote the interests of the council;
- To maintain our own accounts and records;
- To seek your views, opinions or comments;
- To notify you of changes to our facilities, services, events and staff, councillors and role holders;
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives;
- To process relevant financial transactions including grants and payments for goods and services supplied to the council;
- To allow the statistical analysis of data so we can plan the provision of services.
Our processing may also include the use of CCTV systems for the prevention and prosecution of crime.
- What is the legal basis for processing your personal data?
The council is a public authority and has certain powers and duties. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Policy sets out your rights and the council’s obligations to you in detail.
We may also process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy.
Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use.
- Sharing your personal data
The council will implement appropriate security measures to protect your personal data. This section of the Privacy Policy provides information about the third parties with whom the council will share your personal data. These third parties also have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. It is likely that we will need to share your data with some or all of the following (but only where necessary):
- Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software;
- On occasion, other local authorities or not for profit bodies with which we are carrying out joint ventures e.g. in relation to facilities or events for the community.
- How long do we keep your personal data?
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is current best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.
- Children
There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.
- Your rights and your personal data
You have the following rights with respect to your personal data:
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.
- The right to access personal data we hold on you
- The right to correct and update the personal data we hold on you
- The right to have your personal data erased
- The right to object to processing of your personal data or to restrict it to certain purposes only
- The right to data portability
- The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained
- The right to lodge a complaint with the Information Commissioner’s Office.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
- Transfer of Data Abroad
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas.
- Further processing
If we wish to use your personal data for a new purpose, not covered by this Privacy Policy, then we will provide you with a Privacy Notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
- Changes to this policy
We keep this Privacy Policy under regular review and we will place any updates on this web page https://www.rowleyparishcouncil.gov.uk. This Policy was last updated in May 2018.
- Contact Details
Please contact us if you have any questions about this Privacy Policy or the personal data we hold about you or to exercise all relevant rights, queries or complaints at:
The Data Controller: Rowley Parish Council, 9 Springdale Way, Newton Drive, Beverley.
Email: rowleyparish@littleweighton.karoo.co.uk
Adopted May 2018
Rowley Parish Council – Data Protection Policy
- Introduction
Rowley Parish Council has a responsibility under the Data Protection Act 2018 to hold, obtain, record, use and store all personal data relating to an identifiable individual in a secure and confidential manner. This Policy is a statement of what the Parish Council does to ensure its compliance with the Act.
The Data Protection Policy applies to all Parish Council employees, councillors, volunteers, and contractors. The Policy provides a framework within which the Parish Council will ensure compliance with the requirements of the Act and will underpin any operational procedures and activities connected with the implementation of the Act.
- Background
The Data Protection Act 2018 governs the handling of personal information that identifies living individuals directly or indirectly and covers both manual and computerised information. It provides a mechanism by which individuals about whom data is held (the “data subjects”) can have a certain amount of control over the way in which it is handled.
Some of the main features of the Act are:
- All data covered by the Act must be handled in accordance with the Six Data Protection Principles (see Appendix 1).
- The person about whom the information is held (the Data Subject) has various rights under the Act including the right to be informed about what personal data is being processed, the right to request access to that information, the right to request that inaccuracies or incomplete data are rectified, and the right to have personal data erased and to prevent or restrict processing in specific circumstances. Individuals also have the right to object to processing based on the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing (including profiling); and processing for the purposes of scientific/historical research and statistics. There are also rights concerning automated decision making (including profiling) and data portability.
- Processing of special categories of data must be done under a lawful basis. This data includes information about race, ethnic origin, political persuasion, religious belief, trade union membership, genetics, biometrics (where used for identification purposes), health, sex life and sexual orientation.
- The Data Protection Act deals with criminal offence data in a similar way to special category data and sets out specific conditions providing lawful authority for processing it.
- There is a principle of accountability of data controllers to implement appropriate technical and organisational measures that include internal data protection policies and procedures, staff training and awareness of the requirements of the Act, internal audits of processing activities, maintaining relevant documentation on processing activities, appointing a data protection officer, and implementing measures that meet the principles of data protection by design and data protection by default, including data minimisation, transparency, and creating and improving security features on an ongoing basis.
- Data protection impact assessments are carried out where appropriate as part of the design and planning of projects, systems and programmes.
- Data controllers must have written contracts in place with all data processors and ensure that processors are only appointed if they can provide ‘sufficient guarantees’ that the requirements of the Act will be met and the rights of data subjects protected.
- Data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office within 72 hours of the council becoming aware of the breach. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the council will notify those individuals concerned directly.
- The Information Commissioner is responsible for regulation and issues notices to organisations where they are not complying with the requirements of the Act. She also has the ability to prosecute those who commit offences under the Act and to issue fines.
- Policy Statement
The Parish Council is committed to ensuring that personal information is handled in a secure and confidential manner in accordance with its obligations under the Data Protection Act 2018 and professional guidelines. The Parish Council will use all appropriate and necessary means at its disposal to comply with the Data Protection Act and associated guidance.
- Roles and Responsibilities
4.1. Data Protection Officer
The Data Protection Officer is (TO BE APPOINTED IF REQUIRED), and they are responsible for the following tasks:
- informing and advising the parish council, any processor engaged by the parish council as data controller, and any employee of the parish council who carries out processing of personal data, of that person’s obligations in the GDPR and other data protection laws;
- providing advice and monitoring for the carrying out of a data protection impact assessment
- co-operating with the Information Commissioner’s Office,
- acting as the contact point for the Information Commissioner’s Office
- monitoring compliance with policies of the parish council in relation to the protection of personal data
- monitoring compliance by the parish council with the legislation. In relation to the policies mentioned above, the data protection officer’s tasks include:
(a) assigning responsibilities under those policies,
(b) raising awareness of those policies,
(c) training staff involved in processing operations, and
(d) conducting audits required under those policies.
The parish council must provide the Data Protection Officer with the necessary resources and access to personal data and processing operations to enable them to perform the tasks outlined above and to maintain their expert knowledge of data protection law and practice.
4.2. Parish Council
The Parish Council will be responsible for ensuring that the organisation complies with its responsibilities under the Data Protection Act through monitoring of activities and incidents via reporting by the Data Protection Officer. The Parish Council will also ensure that there are adequate resources to support the work outlined in this policy to ensure compliance with the Data Protection Act.
4.3. All Staff and Councillors
All staff and councillors will ensure that:
- Personal information is treated in a confidential manner in accordance with this and any associated policies.
- The rights of data subjects are respected at all times.
- Privacy notices will be made available to inform individuals how their data is being processed.
- Personal information is only used for the stated purpose unless explicit consent has been given by the Data Subject to use their information for a different purpose.
- Personal information is only disclosed on a strict need to know basis, to recipients who are entitled to that information.
- Personal information held within applications, systems, personal or shared drives is only accessed in order to carry out work responsibilities.
- Personal information is recorded accurately and is kept up to date.
- They refer any subject access requests and/or requests in relation to the rights of individuals to the Data Protection Officer.
- They raise actual or potential breaches of the Data Protection Act to the Data Protection Officer as soon as the breach is discovered.
It is the responsibility of all staff and councillors to ensure that they comply with the requirements of this policy and any associated policies or procedures.
4.4. Contractors and Employment Agencies
Where contractors are used, the contracts between the Parish Council and these third parties should contain mandatory information assurance clauses to ensure that the contract staff are bound by the same code of behaviour as parish council members of staff and councillors in relation to the Data Protection Act.
4.5. Volunteers
All volunteers are bound by the same code of behaviour as parish council members of staff and councillors in relation to the Data Protection Act.
- Records Management
Good records management practice plays a pivotal role in ensuring that the parish council is able to meet its obligations to provide information, and to retain it, in a timely and effective manner in order to meet the requirements of the Act. All records should be retained and disposed of in accordance with the Parish Council retention schedule.
- Consent
The parish council will take all reasonable steps to ensure that service users, members of staff, volunteers, and contractors are informed of the reasons the parish council requires information from them, how that information will be used and who it will be shared with. This will enable the data subject to give explicit informed consent to the parish council handling their data where the legal basis for processing is consent.
Should the parish council wish to use personal data for any purpose other than that specified when it was originally obtained, the data subject’s explicit consent should be obtained prior to using the data in the new way unless exceptionally such use is in accordance with other provisions of the Act.
Should the parish council wish to share personal data with anyone other than those recipients specified at the time the data was originally obtained, the data subject’s explicit consent should be obtained prior to sharing that data; failure to do so could result in a breach of confidentiality.
- Children
There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus must be written in language that they will understand.
- Accuracy and Data Quality
The parish council will ensure that all reasonable steps are taken to confirm the validity of personal information directly with the data subject.
All members of staff and councillors must ensure that service user personal information is checked and kept accurate and up to date on a regular basis, for example, by checking it with the service user when they attend meetings or organised events so that the information held can be validated.
Where a member of the public exercises their right for their data to be erased, rectified, or restricted, the parish council must ensure that records are updated accordingly. Where a member of the public objects to the processing of their data, the Data Protection Officer must be notified and the appropriate procedures followed.
- Data Protection Impact Assessments
A data protection impact assessment is a process which helps to assess privacy risks to individuals in the collection, use and disclosure of information. Assessments must be carried out at the early stages of projects and are embedded into the parish council’s decision-making process.
- Providers
The parish council must have written contracts in place with all suppliers who process personal data on behalf of the parish council as “data processors”. The parish council will ensure that processors are only appointed if they can provide ‘sufficient guarantees’ through the procurement process that the requirements of the Act will be met and the rights of data subjects protected.
- Security and Confidentiality
All staff and councillors must ensure that information relating to identifiable individuals is kept secure and confidential at all times. The parish council will ensure that its holdings of personal data are properly secured from loss or corruption and that no unauthorised disclosures of personal data are made.
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data may be accessed from overseas.
- Rights of Data Subjects
Individuals wishing to request their information as a subject access request should contact the parish council in writing, who will arrange for the information to be processed in accordance with the Data Protection Act.
Data Controller: ROWLEY Parish Council, 9 Springdale Way, Newton Drive, Beverley, HU17 8NU
Website: www.www.rowleyparishcouncil.gov.uk
Email: clerk@www.rowleyparishcouncil.gov.uk
APPENDIX 1
DATA PROTECTION PRINCIPLES
First Principle:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Second Principle:
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Third Principle:
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Fourth Principle:
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Fifth Principle:
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
Sixth Principle:
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.