Data protection policy

1.0   Introduction

1.1   The Council takes the security and privacy of data seriously and is committed to being transparent about how we collect and use personal data and meet our data protection obligations. We are registered as a “data controller” with the Information Commissioner’s Office (IC0) (registration number: Z5439989) and will comply with our legal obligations under the Data Protection Act 2018 (the “Legislation") and the UK Data Protection Regulation (“ UK GDPR”).

1.2   This policy sets out the Council’s commitment to data protection and individual rights in relation to personal data and sensitive personal data. The policy explains how the Council will hold and process your personal information and explains your rights as a “data subject”.

1.3   This policy replaces any earlier policy under previous legislation.

2.0   Data Protection Officer

2.1   The Council has appointed a Data Protection Officer (DPO). Their role is to inform and advise the Council of its obligations under data protection legislation and to monitor the Council’s compliance. The Data Protection Officer also acts as the single point of contact for the Information Commissioner’s Office (ICO) and provides advice and assistance on Data Protection Impact Assessments.

2.2 The DPO is Chris Dyson, who can be contacted at dpo@croydon.gov.uk.

3.0 Data protection definitions

3.1   There are two types of data under the Legislation:

• “personal data” which means any information relating to a living individual who can be identified from that information (a “data subject”) on its own or when taken together with other information. This may include both facts and expressions of opinion about the person and indication of the intentions of the Council or others in respect of that person. It does not include anonymised data.
• “special category data” which means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.

3.2   Other definitions relevant to data protection:

• “criminal records data” means information about an individual’s criminal convictions and offences and information relating to criminal allegations and proceedings.
• “data processing” means any use that is made of personal data, including collecting, recording, organising, combining, structuring, storing, amending, retrieving or consulting, disclosing (by transmission, dissemination or otherwise making available) or restricting or destroying data.  This includes processing personal data held in manual form in a relevant filing system, accessible record or processed automatically.

3.3   More detailed definitions for ‘personal data’ ‘special category data’ ‘criminal records data’ ‘data processing’ ‘data subject’ ‘data controller’ and ‘data processor’ are set out in the Legislation.

4.0   Data Protection Principles

4.1    Principles

There are six ‘data protection principles’ that underpin the processing of data to ensure that it is done in accordance with the Legislation and to protect the interests of individuals. Under these Principles personal data must:

• Be processed fairly, lawfully and transparently (Fairness, lawfulness and transparency);
• Be collected and processed only for specified, explicit and legitimate purposes (Purpose limitation);
• Be adequate, relevant and limited to what is necessary for the purposes for which it is processed (Data minimisation);
• Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay (Accuracy);
• Not be kept for longer than is necessary for the purposes for which it is processed (Storage limitation);
• Be processed securely. To that end the Council adopts appropriate measures to make sure that personal data is secure and protected against unauthorised or unlawful processing and accidental loss, distribution or damage (Integrity and confidentiality).

In addition there is an overarching principle of accountability:

• To be responsible for complying with the UK GDPR and being able to demonstrate this (Accountability).

4.2    Lawfulness of Processing

4.2.1   Personal data can only be lawfully processed if one or more of the following conditions apply:

• The data subject has given consent to the processing;
• Processing is necessary for the performance of a contract with the data subject;
• Processing is necessary for compliance with a legal obligation to which the data controller is subject;
• Processing is necessary to protect the vital interests of the data subject or another person;
• Processing is necessary for the performance of a task carried out in the public interest;
• Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party; (This ground is not available to public authorities such as the Council)

4.2.2   Special category data can only be lawfully processed if one or more of the following conditions apply:

• The data subject has given explicit consent to the processing for one or more specified purpose;
• Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
• Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• Processing is carried out in the course of its legitimate activities by a foundation, association or any other not for profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects;
• Processing relates to personal data which are manifestly made public by the data subject;
• Processing is necessary for the establishment exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• Processing is necessary for reasons of substantial public interest;
• Processing is necessary for the purposes of preventative or occupation medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
• Processing is necessary for reasons of public interest in the area of public health;
• Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

4.2.3   Criminal records data can only be lawfully processed if in accordance with the Appropriate Policy for the processing of special category data and criminal record data as required by Schedule 1 Part 4 and Sections 38, 39 and 40 of Data Protection Act 2018.

4.2.4   Once the Council has established that it has the right to process an individual’s personal data it will do so only within the framework of the 6 Data Protection Principles.

5.0   Individual rights

As a data subject individuals have a number of rights in relation to their personal data.

5.1    Data Subject Access Requests

5.1.1 - Individuals have the right to request a copy of their personal data being processed by the Council.  This will usually be in electronic form if the individual has made the request electronically unless they agree otherwise.

5.1.2 - A subject access request does not necessarily extend to all records or correspondence containing the individual’s name or personal identifier. To be included in a response to a subject access request the information needs to relate to be about or be linked to the individual. The Council may ask an individual to specify the information to which the request relates.

5.1.3 - The Council will respond within one month unless the request is complex or numerous in which case the period can be extended by a further two months. If an extension is necessary the Council will write to the individual within one month of receiving the original request to explain why an extension may be necessary.

5.1.4 - If a subject access request is manifestly unfounded or excessive the Council is not obliged to comply with it. Alternatively the Council may charge a fee based on the administrative cost of responding to the request.

5.1.5 - The Council will explain to an individual if they refuse to respond to a request and of their right to complain to the Information Commissioner’s office.

5.1.6 - Requests can be made by submitting a request to SAR@croydon.gov.uk. The Council will need to ask for identification before the request can be processed.

5.2 Other rights

5.2.1   Individuals have a number of other rights in relation to their personal data:

• The right to information about what personal data the Council processes, how and on what basis;
• To request that in-accurate data is rectified;
• With some exceptions individuals have the right to request that the Council stops processing or erases their personal data that is no longer necessary to process for the purpose if was collected;
• The right to object to data processing;
• With some exceptions the right to intervene and not be subject to automated decision making;
• The right to be notified of a data security breach concerning their personal data where there is a high risk of harm;
• Where consent is relied upon as a lawful ground to process data the right to not consent or withdraw consent later.
• The right to have your information moved to another provider.

5.2.2   To ask the Council to take any of these steps an individual should send the request to information.management@croydon.gov.uk

6.0   Data security  

6.1       The Council takes the security of personal data seriously. The Council has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure and to ensure that data is not accessed, except by those who have lawful authority in connection with the proper performance of their duties.

6.2       The Council recognises that the personal data it holds is valuable and must be managed properly as accidental loss, unlawful destruction or damage may cause distress to individuals concerned.

6.3       Examples of our security processes include:

• Encryption - meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what is called a “cypher”. The hidden information is said to then be “encrypted”.
• Pseudonymisation - meaning that we will use a different name so we can hide parts of personal information from view.
• Controlling access to systems and networks allows us to stop people who are not allowed to view personal information from getting access to it.
• Regular testing of technology and upgrading security measures including keeping up to date on the latest security updates (commonly called “patches”)
• Training of staff to make them aware of how to handle personal information and how and when to report when something goes wrong.

6.4       Where the Council engages third parties to process personal data on its behalf such parties do so on the basis of written instructions and are obliged to implement appropriate technical and organisational measures to ensure the security of data in accordance with the Council’s policies, the outcome of any Data Processing Impact Assessment and the standards required by the Legislation.

7.0   Data Protection Impact Assessments

7.1       Some of the processing that the Council carries out may result in risks to privacy. Where processing would result in a high risk to an individual’s rights and freedoms the Council will carry out a Data Protection Impact Assessment to determine the necessity and proportionality of processing.

7.2       This will include considering the purposes for which the activity is carried out, an assessment of necessity, proportionality and compliance measures, the risk for individuals and the measures that can be put in place to mitigate those risks.

7.3       The Council has in place a process and procedure guide for the recording of all Impact Assessments and the process which will be followed to ensure compliance with the Legislation.

7.4       The Data Protection Officer will be consulted in relation to all Data Protection Impact Assessments.

8.0   Data breaches

8.1       If the Council discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals we will report it to the Information Commissioner’s Office within 72 hours of discovery. The Council will record all data breaches regardless of their effect.

8.2       If the breach is likely to result in a high risk to the rights and freedoms of individuals we will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures we have taken.

8.3       The Council has in place policy and procedures for handling suspected data breaches to ensure compliance with the Legislation.

8.4       Any suspected data breach should be reported immediately to data.breach@croydon.gov.uk

9.0   Staff training and guidance

9.1       Everyone who works for or on behalf of the Council has responsibility for ensuring data is collected, stored and processed appropriately in line with the Legislation and relevant policy.

9.2       The Council has in place a Workforce Data Protection Policy which explains the obligations of employees, workers, consultants, volunteers, interns and apprentices when obtaining, processing or storing personal data in the course of working for or on behalf of the Council.

9.3       Induction training for all new members of staff includes compulsory training on information management and data protection. Regular data protection updates are also provided to all staff and managers. All staff are required to complete a mandatory e-learning module on UK GDPR.  

9.4       Failure to observe data protection requirements can amount to a disciplinary offence by a member of staff and can be dealt with under the Council’s disciplinary procedure.

9.5       Significant negligent or deliberate breaches of council policies such as accessing employee or customer data without authorisation or a legitimate reason to do so may constitute gross misconduct and could lead to dismissal without notice.

10.   International data transfers

There are strict rules regarding the transfer of personal data to other countries. The Council will not transfer personal data outside of the UK without having appropriate contractual, security and privacy arrangements in place.

11.   Data sharing

11.1    The Council may need to share an individual’s personal data with third parties. When this is done it will be carried out in compliance with the Legislation including the 6 data protection principles.

11.2    The council will only share personal data if it is in compliance with those principles and is justified on the basis that the benefits (after taking into account any relevant safeguards) outweigh the risks of any possible negative effect on the data subject concerned. Where sharing is justified the council will take all reasonable steps to minimise any negative impact on the data subject. The amount of information shared and the extent of sharing will be limited to that which is necessary to carry out a particular function.

11.3    The threshold for sharing special category data is higher than for other sorts of personal information. Therefore the Council will only share this type of information where there is an overriding need to do so and/or where there is a specific provision to do so within the Legislation.

11.4    Further information regarding the sharing of personal information is contained in the Council’s Corporate Privacy Notice.

12.   Information Commissioner’s Office (ICO)

12.1    The ICO is responsible for upholding information rights in the public interest. The ICO can take action to change the behaviour of organisations and individuals that collect use and keep personal information. The ICO may use criminal prosecution, non-criminal enforcement and audit depending upon the circumstances.

12.2    The ICO maintains a public register of data controllers. The London Borough of Croydon is registered as a data controller with the ICO.

12.3    Independent advice regarding data protection can be obtained from the ICO by contacting casework@ico.org.uk

13.   Criminal offences

13.1    Breaches of the Legislation through loss or mishandling of personal data can result in large fines and significant reputational damage.

13.2    Officers and Councillors can also face disciplinary and/or enforcement action for misusing, unlawfully or recklessly accessing personal data which they have access to as part of their employment or appointment with the Council.

13.3    The Council recognises that its residents value their privacy and is committed to achieving high levels of compliance with all relevant data protection legislation.

14.   Policies and Procedures

A range of information management policies are in place to confirm the controls around data handling by the Council. Relevant polices include:

• This Policy;
• The Council’s Corporate Privacy Notice which can be accessed from the Council’s website 

which provides details regarding why the Council collects and uses personal information, how the Council will use personal information and who we may need to share personal information with.

• Individual Privacy Notices which are also published for key relevant service areas which can also be accessed via the council’s website 

and provide similar information in relation to specific service areas.

• In addition, the Council has in place a Policy and procedure guidance for handling Data Subject Access Requests, Guidance for handling Data Protection Impact Assessments, a Data Breach Policy and procedure guide, a Workforce Data Protection Policy and a Document Retention Policy; and
   
• Appropriate Policy for the processing of special category data and criminal record data as required by Schedule 1 Part 4 and Sections 38, 39 and 40 of Data Protection Act 2018.

15.   Further information

15.1    If you require any further assistance the Council’s website https://www.croydon.gov.uk/ contains a range of information regarding information management.

15.2    The Council’s Information Management team can also be contacted at information.management@croydon.gov.uk