What is a Data Protection Policy?
A Data Protection Policy sets out your Council's code of conduct for using personal information, making it one of the most important data protection documents you should have. This internal document should not be confused with external-facing documents such as Website Privacy Policies or Employee Privacy Notices.
Points to note:
- It applies to all individuals who collect and use personal data within the Council (e.g. councillors, staff, consultants, volunteers).
- It should not form part of an employment contract, enabling you to freely change and vary it as needed.
- It applies to all personal data and is not category specific (e.g. it's not just employee data, candidate data etc).
Does my Council Need a Data Protection Policy?
A Data Protection Policy is essential for any organisation that handles personal data. As a Town, Parish or Community Council it is highly likely that you handle significant amounts of personal data, such as:
- Personal contact information for residents or members of the community.
- Employee records and payroll information.
- Data relating to the provision of public services.
- Information for town planning or local development.
It's therefore necessary to demonstrate that as a Council you are handling this data responsibly, and in compliance with the law.
Key Features of a Data Protection Policy:
- Lawfulness: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the person whose data is being processed. You must have a legitimate basis for processing data, and you must inform individuals about how and why you are using their data.
- Purpose Limitation: Personal data must be collected for specific and legitimate purposes and not further processed in a manner that is incompatible with those purposes. You should be clear about why you're collecting data and only use it for that purpose.
- Data Minimisation: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. You should not collect more data than you need for your specified purpose.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. You should take reasonable steps to ensure that inaccurate data is erased or rectified.
- Storage Limitation: Personal data should not be held for longer than is necessary for the purposes for which it is processed. You should consider policies for data deletion (which we'll look at in more detail later).
- Integrity and Confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This emphasises the need for strong security measures to prevent data breaches.
- Accountability: The Council is responsible for, and must be able to demonstrate compliance with, the other six principles. You must not only comply with the principles but also be able to prove that you're compliant.
A robust Data Protection Policy should clearly outline each of the data protection principles, along with the practical steps your Council is taking to comply with each of those principles. This is crucial to meet the threshold of accountability.
For instance, under the principle of data minimisation, you might provide guidance for employees to collect only the information necessary for their tasks. The principle of accuracy might require a data audit every two years to ensure all stored information is correct. Under the principle of integrity and confidentiality, you could outline your Council's security measures, such as access controls, password protection, and encryption for sensitive documents.