General Data Protection Regulation (GDPR)

Data Protection law is changing from 25 May 2018. The General Data Protection Regulation (GDPR) is intended to strengthen and unify data protection for all individuals within the EU.

The Parish Council has worked with the National Association of Local Councils (NALC) and the Leicestershire & Rutland Association of Local Councils (LRALC) in order to be compliant by 25 May 2018.

The Information Commissioner's Office (ICO) offered a '12 step' guidance sheet to assist with the changes. Steps 1 to 12 can be seen below:

Step 1 - Ensure Awareness

At the Parish Council Meeting held on Monday, 9 April 2018 an Agenda Item was included: General Data Protection Regulation (GDPR) – New Data Protection Laws. The aim was to ensure that all Councillors and staff were aware of the changes and that the Clerk was working with all relevant and appropriate external partners to ensure that the Council was compliant by the deadline date of 25 May 2018.

Step 2 - Document what information you hold

The Council needs to know what personal information it holds, as this underpins the Council's required Privacy Notice. Keeping a written record of the information the Council holds is a key requirement of the GDPR: the requirement to demonstrate accountability.

The Council followed the guidance and prepared a Data Audit, which can be seen below. This was approved at the Council meeting on Monday, 9 April 2018.

Steps 3 and 4 - Update your Privacy Notices and Confirm Individuals' Rights

It was confirmed that councils would require at least two Privacy Notices in place: one for Councillors and staff and another for the public.

Two policies were taken to the Council meeting on Monday, 9 April 2018, where they were duly accepted and adopted. Copies of both policies are available below:

Step 5 - Subject Access Requests

This is the Council's procedure/policy for dealing with Subject Access Requests.

Step 6: Identifying the Lawful Basis for Processing Data

There are six available lawful bases for processing personal data, and councils must identify which one applies to each processing activity. For most councils, several different lawful bases will apply at the same time, each covering a different activity; see the table below for more details.

Step 7: Data Security

To ensure that all data is kept securely, councils should ensure that:

  1. All computers, email accounts, phones, mobile devices, external hard drives and flash drives used by the Clerk and Councillors are password protected and have up to date anti-virus software installed.

    A: The Parish Council has an IT provider that meets the security and anti-virus requirements. The Council's office computers, systems and email accounts are all password protected and backed up to 'cloud 365'.

  2. Hard copy paperwork is held securely.

    A: Private and Confidential documents and HR records are kept in a locked cabinet and are only accessible to the Clerk. Burial records and files are kept in a secure fireproof cabinet in the Clerk's office.

  3. Parish council correspondence is secure and kept separate by requiring Councillors and Clerks to use Parish Council assigned email addresses.

    A: Emails sent from the office are secure, separate and virus checked. Councillors are recommended to set up a separate, secure email address specifically for dealing with council business.

  4. Councillors who use a shared computer have a separate login for Parish Council business.

    A: Councillors should ensure that their council files and folders kept on a shared computer are password protected.

  5. Where cloud storage is used, adequate assurances are in place (and documented) that the data is secure.

    A: See the answer to 1. above.

  6. If services such as payroll are outsourced to a third party, a written contract is in place with the processors.

    A: Assurances have been sought and a contract is in place.

Step 8: Know how to deal with a Data Breach

This is the Council's policy for dealing with a Data Breach.

This is the Council's Data Protection Policy.

Step 9: Decide on a Data Protection Officer

Further guidance on this is awaited from the Government, which has tabled an amendment to its own Data Protection Bill to exempt all parish and town councils and parish meetings in England, and community and town councils in Wales, from the requirement to appoint a Data Protection Officer (DPO) under the General Data Protection Regulation.

Step 10: Children

If any council activities involve children, councils will need to ensure that they have systems in place to verify ages and to obtain parental or guardian consent to collect and process any data relating to children. Copies of all consents must be retained on file.

A: The Council collects data and consent from the Parents, Carers and/or Guardians of all of the 8 to 11 year old members of the Council's Youth Café. All documentation is kept on a password protected computer and the hard copies are in a secure locked cabinet in a locked office. The data is not shared with any outside bodies and is used only for the purposes consented to and for emergency use.

Step 11: Prepare for the May Annual Meeting

It was recommended that councils use the Annual Council Meeting in May to include an agenda item on GDPR compliance and approve the following:

  1. The Data Audit (see step 2)

    A: This was approved at the Parish Council meeting held on 9 April 2018.

  2. Two Privacy Notices (see step 3)

    A: These were approved at the Parish Council meeting held on 9 April 2018.

  3. A Subject Access Request Procedure (see step 5)

    A: This was approved at the Parish Council meeting held on 9 April 2018.

  4. A Data Protection Policy (see step 8)

    A: This was approved at the Parish Council meeting held on 14 May 2018.

  5. A Data Breach Policy (see step 8)

    A: This was approved at the Parish Council meeting held on 14 May 2018.

The Parish Council is registered with the Information Commissioner's Office (ICO) as a Data Controller; its Registration Reference Number is Z8159754 and the registration expires in September 2018.

Step 12: Ensure Ongoing Compliance

The Parish Council will carry out a Data Protection Impact Assessment (DPIA) for any new and/or online systems that it implements in the future, and all GDPR documentation will be reviewed, updated and amended where necessary on an annual basis.