Data Protection and Privacy Policy
Introduction
In order to conduct relevant business, services and duties as a public authority, Kingsnorth Parish Council processes a range of data relating to its own operations and some which it handles on behalf of partners.

In broad terms, this data can be classified as:

Data shared in the public arena about the services it offers, its mode of operations and other information it is required to make available to the public.
Confidential information and data not yet in the public arena such as ideas or policies in the process of being decided.
Information about other organisations that is confidential because of commercial sensitivity.
Personal data concerning its current, past and potential employees, councillors and volunteers.
Personal data concerning individuals who contact the Parish Council for information, to access its services or facilities or to make a complaint.
Kingsnorth Parish Council will adopt procedures and manage responsibly, all data which it handles and will respect the confidentiality of both its own data and that belonging to partner organisations it works with and members of the public. In some cases, it will have contractual obligations towards confidential data, but in addition will have specific legal responsibilities for personal and sensitive information under data protection legislation.

Kingsnorth Parish Council will periodically review and revise this policy in the light of experience, comments from data subjects and guidance from the Information Commissioners Office.

The Council will be as transparent as possible about its operations and will work closely with public, community and voluntary organisations. Therefore, in the case of all information which is not personal or confidential, it will be prepared to make it available to partners and members of the parish communities. Details of information which is routinely available is contained in the Council’s Publication Scheme which is based on the statutory model publication scheme for local councils and is available on the Kingsnorth Parish Council website.

Protecting Confidential or Sensitive Information

Kingsnorth Parish Council recognises it must at times, keep and process sensitive and personal information about employees and the public; it has therefore adopted this policy not only to meet its legal obligations but to ensure high standards.

This policy is based on the eight principles set out in the 1998 Act
Data shall:

Be processed fairly and lawfully;
Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose;
Be adequate, relevant and not excessive for the purpose;
Be accurate and up-to-date; Not be kept for longer than necessary for the purpose;
Be processed in accordance with the Data Subject’s rights;
Be kept safe from unauthorised processing and accidental loss, damage or destruction;
Not be transferred to a country outside the European Economic area, unless that country has the equivalent levels of protection for personal data, except in specified circumstances.
Definitions:
The Act – means the Data Protection Act 1998 which controls the use of personal information by organisations, businesses and government. Everyone responsible for using data has to follow the data protection principles (as above) and make sure the information is used fairly and lawfully.

General Data Protection Regulation (GDPR) – from 25th May 2018, the GDPR replaces the Data Protection Act 1998. Its aim is to give people more control over how organisations use their data and to ensure data protection law is almost identical across the EU.

Data subject – means the person whose personal data is being processed. This may be an employee, prospective employee, councillor, resident or customer. Other data subjects and third parties may include contractors, suppliers, contacts, referees, friends or family members.

Personal data – means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, and an address, date of birth, an email address, bank details, and posts on social networking sites or a computer IP address.

Sensitive personal data – includes information about racial or ethnic origin, political opinions, and religious or other beliefs, trade union membership, physical or mental health or condition, sexual orientation, genetic and biometric data or criminal proceedings or convictions.

Data controller – is a ‘person’ who determines the purposes for which and the manner in which any personal data is to be processed. A ‘person’ as recognised in law may be an individual, organisation or body of persons.

Data processor – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Processing – refers to any action involving personal information, including obtaining, viewing, copying amending, adding, deleting, extracting, storing, disclosing or destroying information.

Data Protection Officer – is an individual working on behalf of the Data Controller with responsibility for the data protection within that organisation.

Reasons for processing personal data
Kingsnorth Parish Council processes personal data in order to:

Fulfil its duties as an employer by complying with the terms of contracts of employment, safeguarding the employee and maintaining information required by law.
Pursue the legitimate interests of its business and its duties as a public body, by fulfilling contractual terms with other organisations, and maintaining information required by law.
Monitor its activities including the equality and diversity of its activities.
Fulfil its duties in operating the business premises including security.
Assist regulatory and law enforcement agencies’
Process information including recording and updating details about its Councillors, employees, partners and volunteers.
Process information including the recording and updating details about individuals who contact it for information, or to access a service, or make a complaint.
Undertake surveys, censuses and questionnaires to fulfil the objectives and purposes of the Council.
Undertake research, audit and quality improvement work to fulfil its objects and purposes.
Carry out Council administration.
Where appropriate and governed by necessary safeguards we may carry out the above processing jointly with other appropriate bodies from time to time.

Fair Process
The Council will ensure that at least one of the following conditions is met for personal information to be considered fairly processed:

The individual has consented to the processing
Processing is necessary for the performance of a contract or agreement with the individual
Processing is required under a legal obligation
Processing is necessary to protect the vital interests of the individual
Processing is necessary to carry out public functions
Processing is necessary in order to pursue the legitimate interests of the data controller or third parties.
Particular attention is paid to the processing of any sensitive personal information and the Parish Council will ensure that at least one of the following conditions is met:

Explicit consent of the individual
Required by law to process the data for employment purposes
A requirement in order to protect the vital interests of the individual or another person.
Responsibilities
Kingsnorth Parish Council is the Data Controller and must ensure that any processing of personal data for which they are responsible complies with the Act.

The Data Protection Officer is the Executive Officer, who acts on behalf of the Council and is responsible for:

Fully observing conditions regarding the fair collection and use of information;
Meeting the Council’s legal obligations to specify the purposes for which information is used;
Collecting and processing relevant information, only to the extent that is required to fulfil operational needs/to comply with legal requirements;
Ensuring the quality of information used;
Applying strict checks to determine the length of time that information is held;
Ensuring that the rights of the people whose information is held are able to be fully exercised under the Act;
Taking appropriate technical and organisational security measures to safeguard personal information;
Ensuring that personal information is not transferred abroad without suitable safeguards;
Ensuring that everyone managing and handling personal information –
a) Fully understands they are contractually responsible for following good practice in terms of protection;
b) Is adequately trained to do so;
c) Is appropriately supervised.
Appendix A of this policy sets out guidelines for staff members, volunteers and councillors that process or may have access to personal data.

Information provided to Kingsnorth Parish Council
Personal information such as name, address, email address, phone number provided to Kingsnorth Parish Council, will be processed and stored so that it is possible for the Council to contact, respond to or conduct the transaction requested by the individual.

By transacting with Kingsnorth Parish Council, individuals are deemed to be giving consent for the personal data they have provided to be used and transferred in accordance with this policy, however wherever possible specific written consent will be sought. It is the responsibility of those individuals to ensure the Parish Council can keep their personal data accurate and up-to-date. The personal information will be not shared or provided to any other third party or be used for any purpose other than that for which it was provided.

The Council’s Right to Process Information
General Data Protection Regulations (and Data Protection Act) Article 6 (1) (a) (b) and (e)

Processing is with consent of the data subject, or
Processing is necessary for compliance with a legal obligation.
Processing is necessary for the legitimate interests of the Council.
Storage and Retention
Personal data may exist in either paper-based format or electronically.

All paper-based documents are securely filed in lockable cabinets in an alarmed office premises that can be accessed only by the Data Protection Officer and nominated members of the parish council.

All electronic data is securely password protected on both the current operating system, off-site data storage and the separate hard-drive.

Different types of information will be kept for differing time periods, depending on legal and operational requirements. See the council’s Document Retention Policy for further details.

Access to Information
Any employee, councillor, resident, customer or other data subjects have a right to:

Ask what personal information the Council holds on them;
Ask what this information is used for;
Be provided with a copy of the information
Be given details of the purposes for which the Council uses the information and any other persons or organisations to whom it is disclosed;
Ask that any incorrect data held is corrected.
If the data subject believes that any personal information held is incorrect the individual may request that it be amended. The Council must advise the individual within 21 days whether or not the amendment has been made.

Breach of Policy
Compliance with the Act is the responsibility of all councillors and members of staff. Any deliberate or reckless breach of the policy may lead to disciplinary action and, where appropriate, legal proceedings.

Any individual, who believes that the Council has breached any of the requirements of the Data Protection Act 1998, including the GDPR 2018, should raise the matter with Marie Russell (Assistant Parish Clerk, Administration) admin@kingsnorthparishcouncil.gov.uk 01233 502969. Alternatively, a complaint can be made to the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; casework@ico.org.uk / Tel: 0303 123 1113

Kingsnorth Parish Council
Data Protection Policy
Adopted: 11th January 2022

Date of Review:
January 2022