APPENDIX

ISLE OF WIGHT COUNCIL

DATA PROTECTION POLICY

 

1. Introduction

2. Definitions

3. Legal requirements

            The Act and regulations

            The eight principles

            Conditions for processing

4. Collection of data

5. Use of data

6. Notification

7. Rights of access

8. Exemptions

9. Offences and liability

10. Council policy

 

 

1. INTRODUCTION.

1.1       This policy sets out how the Isle of Wight Council complies with the Data Protection Act 1998, any Regulations made under it, and any guidance issued by the Information Commissioner.

1.2       All staff are required to read this policy and to comply with it. Failure to do so may be a disciplinary offence.

1.3              The Council has a Data Protection Officer, who is the Head of Legal and Democratic Services. In addition each directorate has at least one Data Protection Representative.

 

2. DEFINITIONS

2.1       “data” – information which is subject to the Act whether held on computer or in paper form. If in paper form it is only affected if it is held in a structured filing system which allows information relating to an individual to be readily accessible.

2.2       “personal data” – data which identifies a living individual.

2.3       “processing” includes obtaining, holding, using and disclosing data.

2.4       “data subject” is the individual who is the subject of personal data. Since he/she must be a living individual, companies and other corporations are not included.

2.5       “data controller” is the person who processes data or on whose behalf the processing takes place – in our context the Council is the data controller.

 

3. LEGAL REQUIREMENTS

3.1       The Act requires all personal data to be processed in accordance with the eight data protection principles. These are summarised below.

3.2       The Principles.

1.         Personal data shall be processed fairly and lawfully, and only if one of the conditions in Schedule 2 is met (and in the case of sensitive personal data, one of the conditions in Schedule 3)

2.         Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3.         Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4.         Personal data shall be accurate and, where necessary, kept up to date.

5.         Personal data shall not be kept for longer than is necessary.

6.         Personal data shall be processed in accordance with the rights of data subjects under the Act.

7.         Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8.         Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

3.3       The conditions in Schedule 2 are summarised as follows –

            1.         The data subject has given his consent to the processing.

2.         The processing is necessary for the performance of a contract to which the data subject is a party.

            3.         The processing is necessary for compliance with a legal obligation.

4.         The processing is necessary in order to protect the vital interests of the data subject.       

            5.         The processing is necessary-

                  (a)        for the administration of justice,

(b)        for the exercise of any functions conferred on any person by or under any enactment,

(c)        for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d)        for the exercise of any other functions of a public nature exercised in the public interest by any person.

6.         The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

                       

3.4       Sensitive personal data can only be processed in accordance with the conditions in Schedule 3 which are summarised as follows –

1.         The data subject has given his explicit consent .

2.         The processing is necessary for the purposes of exercising any right or obligation imposed by law in connection with employment.

3.         The processing is necessary in order to protect the vital interests of the data subject or another person

4.         The processing— is carried out in the course of its legitimate activities by any body or association which is not established or conducted for profit, and (ii)   exists for political, philosophical religious or trade-union purposes

 

5.         The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6.         The processing is necessary for the purpose of, or in connection with, any legal proceedings.

7.         The processing is necessary for the administration of justice.

8.         The processing is necessary for medical purposes and is undertaken by a health professional.

 

 

4.         COLLECTION OF PERSONAL DATA

 

4.1       The Council has in some cases a statutory duty to collect personal data. In other cases it has to collect such data in order to carry out its functions. It should always be clear to individuals why the data is being collected, and if it is to be used for other purposes, or might be used for other purposes, they must be advised of this.

 

4.2       The data to be collected should be only that required for the relevant purpose.

 

4.3       Any form on which personal data is collected must advise the data subject that the data may be used by the Council for other purposes. It is not necessary to give them the opportunity to refuse. If, however, it is proposed to use the personal data for other purposes wider than the Council, they must have an opportunity to refuse permission, usually by a tick-box.

 

4.4       At least one of the conditions in Schedule 2 must be met for every proposed use of the personal data; and at least one of the conditions in Schedule 3 for sensitive data.

 

4.5       The Council’s notification to the Information Commissioner sets out the purposes for which personal data is collected and used by the Council.

 

 

5.         USE OF PERSONAL DATA

 

5.1       Personal data once collected can only be used for the declared purpose or purposes. You should check the council’s notification (see below), and what was said to the data subject when the personal data was collected.

 

5.2       Guidance from the Information Commissioner is that local authorities should consider whether they have a lawful right to use the data for other purposes. Generally the Council may use personal data collected by it for any of its functions. The data subject should wherever possible be forewarned when they first supply the personal data.

 

5.3       In the case of personal data collected for Council Tax purposes, advice has been given that this should not be used for other purposes unless the data subject was so advised. Conversely, there is a specific right for the Council to use for collecting Council Tax personal data collected for any other purpose; in this case it is not necessary to advise the data subject.

 

5.4       For the purpose of the electoral roll the Council’s registration officers may inspect any other personal data held by the council under Reg. 35 of the Representation of the People (England and Wales) Regulations 2001 (SI 2001/341). It is not necessary to advise the data subject in advance.

 

5.5       Disclosure of personal data to Councillors follows the normal rules. They are part of the Council and disclosure to them is included in the Council’s notification. However disclosure should only take place where they have a “need to know” the information.

 

5.6       Disclosure to consultants and contractors working for the council is also permitted under the council’s notification. Again this should only happen where they need to have the personal data to carry out their contracted tasks, and the contract must contain provisions protecting the personal data.

 

 

6.         NOTIFICATION

 

6.1       The Council as a data controller has to lodge a Notification with the Information Commissioner. This specifies the personal data the Council collects and uses, the purposes for which it is processed, and the persons to whom the data is disclosed. This is the responsibility of the Data Protection Officer.

 

6.2       The Information Commissioner maintains a public register containing a copy of the council’s notification.

 

6.3       A link to the Council’s notification is published on Wightnet, the Council’s intranet, and a paper copy is held by the Data Protection Officer. Anyone collecting or using personal data should check that their processing is covered by the Notification. If it appears not to be covered, contact the Data Protection Officer immediately as you may not be able to process the data until the Notification has been amended.

 

 

7.         RIGHTS OF ACCESS

 

7.1       Individuals have the right to find out what personal data is held about them, and to ask for it to be amended if they believe it is inaccurate. If the data controller refuses to amend the data, the individual can apply to the Court for an order. This is known as the right of subject access.

 

7.2       In addition to inspecting the personal data, individuals have the right to be given a copy. A charge not exceeding £10 may be made to cover the cost of copying and providing the data.

 

7.3       A data subject may ask the data controller not to use their personal data for direct marketing purposes. This is an absolute right.

 

7.4       There is a right to request that the data controller does not process data where it causes or might cause damage or distress. This is not an absolute right.

 

7.5       Children may ask for disclosure of their data in the same way as adults.  Disclosure of a child’s data to a parent will not be permitted without the child’s consent. If the child is too young to give such consent a decision will be made based on the criteria in the Social Work order referred to in paragraph 8.4 below.

 

7.6       Each Directorate will appoint an officer who is responsible for receiving and dealing with requests for subject access.

 

 

8.         EXEMPTIONS

 

8.1       There are certain exemptions from the right of access.

 

8.2       If the data would identify another individual, it may not be disclosed unless that person’s consent is obtained, or unless it is reasonable to disclose it without obtaining that consent. If possible the data should be modified to exclude any reference which might identify another individual.

 

8.3       There are general exemptions for matters such as national security, and a schedule of miscellaneous exemptions in the Act.

 

8.4       There are certain Regulations which modify the subject access provisions of the Act. These relate to education, social work and health. In summary, the Orders allow the Council not to disclose personal data on request by the data subject

 

8.4.1    if the information has been disclosed to a court and the court orders it not to be disclosed; or

8.4.2    if disclosure would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person (education); or

8.4.3    if that likely harm would be likely to prejudice the carrying out of social work (social work).

 

8.5       Staff should refer to the relevant departmental policies for full details, and in the case of any uncertainty advice should be sought from the Data Protection Officer.

 

 

9.         OFFENCES AND LIABILITY

 

9.1       The data controller (the Council) may be guilty of an offence if it processes personal data without making a notification.

 

9.2       Individual staff may commit an offence if they obtain, disclose, sell, advertise for sale or bring about the disclosure of personal data without the consent of the data controller (the Council); or if they access personal data or disclose it without proper authorisation.

 

9.3       It is a defence to have acted in the reasonable belief that the disclosure was authorised by law, or that the consent of the data controller would have been given if specifically requested. Council staff acting properly in the course of their duties would therefore be protected from prosecution.

 

 

10.       COUNCIL POLICY

 

10.1     Council staff may process and may disclose personal data if and so far as their duties require them to do so, provided this is within the terms of the notification and of this policy.

 

10.2     The Council does not authorise any processing or disclosure of personal data which is not permitted or authorised under the Act or any Regulations. Nor are staff permitted to access personal data on behalf of any person external to the Council (except as permitted under paragraph 10.1 above), or for their own personal use. Staff who act contrary to this policy will be committing a disciplinary offence.

 

10.3     Any new systems using personal data must be notified to the Data Protection Officer and if necessary must be added to the Council’s notification.

 

10.4     The Council is not permitted to transfer any personal data outside the European Economic Area. Any proposal to place personal data on the internet must be cleared with the Data Protection Officer.

 

10.5     Each Directorate of the Council will have its own detailed policy, which will relate to this policy, and will set out -

            10.5.1  what personal data is collected and processed in that directorate:

            10.5.2 the purposes for which that data is processed;

            10.5.3  detailed policies for the processing and disclosure of data;

            10.5.4  how the data is checked for accuracy and kept up-to-date;

            10.5.5  how data is reviewed and disposed of when out-of-date;

10.5.6  security procedures.

 

 

 

Legal Services,

Isle of Wight Council.

12 June 2002.