East Cambridgeshire District Council ('the Council') aims to ensure that personal information is treated lawfully and correctly.
The lawful and correct treatment of personal information is extremely important in maintaining the confidence of those with whom the Council deals and in achieving its objectives.
The Council fully endorses and adheres to the Data Protection principles set out below:
The Eight Data Protection Principles
- shall be processed fairly and lawfully and shall not be processed unless specific conditions are met;
- shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- shall be accurate and where necessary kept up to date;
- shall not be kept for longer than is necessary for that purpose or those purposes;
- shall be processed in accordance with the rights of data subjects under the Act;
- appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- shall not transfer personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
To ensure the Council continuously complies with all relevant legislation and good practice in order to successfully protect the data it holds.
To achieve the overall aim the Council will:
- provide adequate resources to support an effective corporate approach to Data Protection;
- empower relevant nominated staff to perform necessary tasks;
- comply with all relevant statutory obligations;
- respect the confidentiality of all personal data irrespective of source;
- publicise the Council's commitment to Data Protection;
- compile and maintain appropriate procedures and codes of practice;
- promote general awareness and provide specific training, advice and guidance at all levels to ensure standards are met;
- monitor and review compliance with legislation and introduce changes where necessary;
- assist the Information Commissioner and the external auditor as necessary.
Processing of Information:
The Council, through appropriate management and strict application of criteria and controls, will, when processing personal information on any individual:
- observe fully conditions regarding the collection and use of information;
- meet the Council's legal obligations under the Data Protection Act 1998 ('the Act') to specify the purpose for which information is used;
- collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement;
- ensure the quality of information processed is accurate;
- apply strict checks to determine the length of time information is held, and identify destruction dates;
- ensure that the rights of people about whom information is held can be fully exercised under the Act, including:
  - the right to be informed that processing is being undertaken
  - the right of access to personal information
  - the right to prevent processing in certain circumstances
  - the right to correct, rectify, block or erase information, which is regarded as wrong information.
- ensure technical and organisational security measures are put in place to safeguard personal information;
- ensure that personal information is not transferred outside the European Economic Area without suitable safeguards;
- ensure that staff are reminded that data covered by the Data Protection Act is exempt from disclosure under the Freedom of Information Act 2000.
Individuals whose data is collected by the Council must be made aware at the time of collection of all the processes that data may be subject to. No manual or automatic processing of an individual's data can take place unless reasonable steps have been taken to make that individual aware of that processing. Individuals must also be informed of likely recipients of their information, both internal and external, and also be given details of who to contact in order to query the use or content of their information (normally Executive Director Legal and Democratic Services).
Data Uses and Purposes
All processing performed must be for a purpose that is necessary to enable the Council to perform its duties and services, and which has been notified by the Council to the Information Commissioner. Personal data can only be processed in line with notified purposes.
No new processing may take place UNTIL the Information Commissioner has been notified of the relevant purpose AND the data subjects have been informed and, if legally required, their consent obtained. All new occurrences of, or future developments for, processing of personal data shall therefore be reported to the Electoral Services Officer, who is responsible for maintaining the Council's Data Protection registrations.
All personal data should be regarded as confidential and only disclosed to persons (internal and external) who are listed for the purpose concerned in the Council's current notification AND whose authority has been explicitly established.
Information owned by the Council must not be used for non-Council purposes. This applies when Council data is being processed at employees' homes. Employees may only remove personal data from a Council office with the authority of their Executive Director or the Chief Executive and will be held responsible for any misuse or unauthorised disclosures while the data is in their control.
Customer Relationship Management
The Council has implemented Customer Relationship Management ("CRM") to capture and manage information about our customers. Information collected is stored in a central database, allowing information to be collected once but used many times.
Each customer can make a call to Customer Services where staff will be able to find their details and advise of the progress made on their case. The information is stored safely and securely. It is not used for marketing purposes and is only used to provide a better service to our customers.
The sharing of this customer data across the Council allows the Council to make gains in both efficiency and effectiveness by improving the ability of front line staff to resolve issues at first contact or deal automatically with enquiries that originate over the web.
Information processed shall not be excessive or irrelevant to the notified purposes. Information will be held only for so long as is necessary for the notified purposes, after which it shall be deleted or destroyed. Whenever information is processed, reasonable measures shall be taken to ensure that it is up to date and accurate.
Organisational Responsibilities and Security
- All personal data should be kept secure, in a manner appropriate to its sensitivity and the likely harm should a breach of the Act occur. Security shall be applied to all stages of processing to prevent unauthorised access or disclosure (internal or external), damage (accidental or deliberate) or loss.
- Personal data must not be left on display or unsecured when unattended. Computer software shall be kept secure when not in use. System entry passwords should be known only to the holder and be changed regularly.
- Everyone managing and handling personal information is appropriately trained to do so.
- Everyone managing and handling personal information is appropriately supervised.
- Anybody wanting to make enquiries about handling personal information knows what to do.
- Queries about handling personal information are promptly and courteously dealt with.
- Methods of handling personal information are clearly described.
- A regular review and audit is made of the way personal information is managed.
- Methods of handling personal information are regularly assessed and evaluated.
- Performance with handling personal information is regularly assessed and evaluated.
- All Council employees and Members will be provided with a copy of the Policy as adopted by the Council together with an explanatory guide. Employees and Managers have a duty to follow the Policy and procedures and to co-operate with the Council to ensure this Policy is effective.
- Action may be taken against any employee/Member who fails to comply or commits a breach of the Policy.
- It is the duty of individual employees and Members to ensure that personal information held by them is dealt with in accordance with the Act.
- Any breaches of security shall be reported to the Executive Director - Legal and Democratic Services for investigation and subsequent remedial action.
Processing carried out by a third party on behalf of the Council shall be subject to a contract, which stipulates compliance with the Principles of the Act and this Policy.
Similarly, when the Council is processing personal data on behalf of a third party it will need to demonstrate that the data is subject to the same standard of care.