1. Introduction
2. Definitions
3. Legal requirements
The Act and regulations
The eight principles
Conditions for processing
4. Collection of data
5. Use of data
6. Notification
7. Rights of access
8. Exemptions
9. Offences and liability
10. Council policy
1. INTRODUCTION
1.1 This policy sets out how the Isle of Wight Council complies with the Data Protection Act 1998, any Regulations made under it, and any guidance issued by the Information Commissioner.
1.2 All staff are required to read this policy and to comply with it. Failure to do so may be a disciplinary offence.
1.3 The Council has a Data Protection Officer, who is the Head of Legal and Democratic Services. In addition each directorate has at least one Data Protection Representative.
2. DEFINITIONS
2.1 “data” – information which is subject to the Act whether held on computer or in paper form. If in paper form it is only affected if it is held in a structured filing system which allows information relating to an individual to be readily accessible.
2.2 “personal data” – data which identifies a living individual.
2.3 “processing” includes obtaining, holding, using and disclosing data.
2.4 “data subject” is the individual who is the subject of personal data. Since he/she must be a living individual, companies and other corporations are not included.
2.5 “data controller” is the person who processes data or on whose behalf the processing takes place – in our context the Council is the data controller.
3. LEGAL REQUIREMENTS
3.1 The Act requires all personal data to be processed in accordance with the eight data protection principles. These are summarised below.
3.2 The Principles.
1. Personal data shall be processed fairly and lawfully, and only if one of the conditions in Schedule 2 is met (and in the case of sensitive personal data, one of the conditions in Schedule 3).
2. Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data shall not be kept for longer than is necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
3.3 The conditions in Schedule 2 are summarised as follows –
1. The data subject has given his consent to the processing.
2. The processing is necessary for the performance of a contract to which the data subject is a party.
3. The processing is necessary for compliance with a legal obligation.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
3.4 Sensitive personal data can only be processed in accordance with the conditions in Schedule 3 which are summarised as follows –
1. The data subject has given his explicit consent.
2. The processing is necessary for the purposes of exercising any right or obligation imposed by law in connection with employment.
3. The processing is necessary in order to protect the vital interests of the data subject or another person.
4. The processing is carried out in the course of its legitimate activities by any body or association which (i) is not established or conducted for profit, and (ii) exists for political, philosophical, religious or trade-union purposes.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing is necessary for the purpose of, or in connection with, any legal proceedings.
7. The processing is necessary for the administration of justice.
8. The processing is necessary for medical purposes and is undertaken by a health professional.
4. COLLECTION OF PERSONAL DATA
4.1 The Council has in some cases a statutory duty to collect personal data. In other cases it has to collect such data in order to carry out its functions. It should always be clear to individuals why the data is being collected, and if it is to be used for other purposes, or might be used for other purposes, they must be advised of this.
4.2 The data to be collected should be only that required for the relevant purpose.
4.3 Any form on which personal data is collected must advise the data subject that the data may be used by the Council for other purposes. It is not necessary to give them the opportunity to refuse. If, however, it is proposed to use the personal data for other purposes wider than the Council, they must have an opportunity to refuse permission, usually by a tick-box.
4.4 At least one of the conditions in Schedule 2 must be met for every proposed use of the personal data; and at least one of the conditions in Schedule 3 for sensitive data.
4.5 The Council’s notification to the Information Commissioner sets out the purposes for which personal data is collected and used by the Council.
5. USE OF PERSONAL DATA
5.1 Personal data once collected can only be used for the declared purpose or purposes. You should check the council’s notification (see below), and what was said to the data subject when the personal data was collected.
5.2 Guidance from the Information Commissioner is that local authorities should consider whether they have a lawful right to use the data for other purposes. Generally the Council may use personal data collected by it for any of its functions. The data subject should wherever possible be forewarned when they first supply the personal data.
5.3 In the case of personal data collected for Council Tax purposes, advice has been given that this should not be used for other purposes unless the data subject was so advised. Conversely, there is a specific right for the Council to use, for collecting Council Tax, personal data collected for any other purpose; in this case it is not necessary to advise the data subject.
5.4 For the purpose of the electoral roll the Council’s registration officers may inspect any other personal data held by the council under Reg. 35 of the Representation of the People (England and Wales) Regulations 2001 (SI 2001/341). It is not necessary to advise the data subject in advance.
5.5 Disclosure of personal data to Councillors follows the normal rules. They are part of the Council and disclosure to them is included in the Council’s notification. However disclosure should only take place where they have a “need to know” the information.
5.6 Disclosure to consultants and contractors working for the
council is also permitted under the council’s notification. Again this should
only happen where they need to have the personal data to carry out their
contracted tasks, and the contract must contain provisions protecting the
personal data.
6. NOTIFICATION
6.1 The Council as a data controller has to lodge a Notification
with the Information Commissioner. This specifies the personal data the Council
collects and uses, the purposes for which it is processed, and the persons to
whom the data is disclosed. This is the responsibility of the Data Protection
Officer.
6.2 The Information Commissioner maintains a public register
containing a copy of the council’s notification.
6.3 A link to the Council’s notification is published on Wightnet,
the Council’s intranet, and a paper copy is held by the Data Protection
Officer. Anyone collecting or using personal data should check that their
processing is covered by the Notification. If it appears not to be covered,
contact the Data Protection Officer immediately as you may not be able to
process the data until the Notification has been amended.
7. RIGHTS OF ACCESS
7.1 Individuals have the right to find out what personal data is
held about them, and to ask for it to be amended if they believe it is
inaccurate. If the data controller refuses to amend the data, the individual
can apply to the Court for an order. This is known as the right of subject
access.
7.2 In addition to inspecting the personal data, individuals have
the right to be given a copy. A charge not exceeding £10 may be made to cover
the cost of copying and providing the data.
7.3 A data subject may ask the data controller not to use their
personal data for direct marketing purposes. This is an absolute right.
7.4 There is a right to request that the data controller does not
process data where it causes or might cause damage or distress. This is not an
absolute right.
7.5 Children may ask for disclosure of their data in the same way
as adults. Disclosure of a child’s data
to a parent will not be permitted without the child’s consent. If the child is
too young to give such consent a decision will be made based on the criteria in
the Social Work order referred to in paragraph 8.4 below.
7.6 Each Directorate will appoint an officer who is responsible
for receiving and dealing with requests for subject access.
8. EXEMPTIONS
8.1 There are certain exemptions from the
right of access.
8.2 If the data would identify another individual, it may not be
disclosed unless that person’s consent is obtained, or unless it is reasonable
to disclose it without obtaining that consent. If possible the data should be
modified to exclude any reference which might identify another individual.
8.3 There are general exemptions for matters such as national
security, and a schedule of miscellaneous exemptions in the Act.
8.4 There are certain Regulations which modify the subject access
provisions of the Act. These relate to education, social work and health. In
summary, the Orders allow the Council not to disclose personal data on request
by the data subject
8.4.1 if the information has been disclosed to a court and the court
orders it not to be disclosed; or
8.4.2 if disclosure would be likely to cause serious harm to the
physical or mental health or condition of the data subject or any other person
(education); or
8.4.3 if that likely harm would be likely to prejudice the carrying out
of social work (social work).
8.5 Staff should refer to the relevant departmental policies for
full details, and in the case of any uncertainty advice should be sought from
the Data Protection Officer.
9. OFFENCES AND LIABILITY
9.1 The data controller (the Council) may be guilty of an offence
if it processes personal data without making a notification.
9.2 Individual staff may commit an offence if they obtain,
disclose, sell, advertise for sale or bring about the disclosure of personal
data without the consent of the data controller (the Council); or if they
access personal data or disclose it without proper authorisation.
9.3 It is a defence to have acted in the reasonable belief that
the disclosure was authorised by law, or that the consent of the data
controller would have been given if specifically requested. Council staff
acting properly in the course of their duties would therefore be protected from
prosecution.
10. COUNCIL POLICY
10.1 Council staff may process and may disclose personal data if and
so far as their duties require them to do so, provided this is within the terms
of the notification and of this policy.
10.2 The Council does not authorise any processing or disclosure of
personal data which is not permitted or authorised under the Act or any
Regulations. Nor are staff permitted to access personal data on behalf of any
person external to the Council (except as permitted under paragraph 10.1
above), or for their own personal use. Staff who act contrary to this policy
will be committing a disciplinary offence.
10.3 Any new systems using personal data must be notified to the Data
Protection Officer and if necessary must be added to the Council’s
notification.
10.4 The Council is not permitted to transfer any personal data
outside the European Economic Area. Any proposal to place personal data on the
internet must be cleared with the Data Protection Officer.
10.5 Each Directorate of the Council will have its own detailed
policy, which will relate to this policy, and will set out -
10.5.1 what personal data is collected and processed in that directorate;
10.5.2 the purposes for which that data is processed;
10.5.3 detailed policies for the processing and disclosure of data;
10.5.4 how the data is checked for accuracy and kept up-to-date;
10.5.5 how data is reviewed and disposed of when out-of-date;
10.5.6 security procedures.
Legal Services,
Isle of Wight Council.
12 June 2002.