Purpose: For Decision
Committee: EXECUTIVE
Date: 30 JULY 2002
Title: DATA PROTECTION POLICY
PORTFOLIO HOLDER - RESOURCES
To approve a new Data Protection Policy for the Council.
The Data Protection Act 1998 is fully in force from 24 October 2001 and now applies to some paper records as well as records held on computer. It has therefore been necessary to draw up a new Data Protection Policy for the Council.
The new policy, a copy of which is attached, sets out how the Council complies with the legislation.
In response to a District Audit report produced in October 2001 work is being undertaken to identify and review all data sets held by the Council. This work will enable Directorates to finalise their own policies as referred to in paragraph 10.5 of the attached policy, and will also provide a means of checking that the Council’s registration with the Information Commissioner is up-to-date.
The draft policy has been agreed by the Strategic Directors.
There are no financial implications in adopting this policy.
The Council has a duty to comply with the Data Protection Act, and individual staff and councillors are also required to comply with it. The policy when adopted needs to be drawn to their attention.
1. To adopt the policy.
2. Not to adopt the policy.
To adopt the draft policy and to bring it to the attention of all staff and councillors.
District Audit report October 2001.
Contact Point: Peter Pilgrem, F 823207
M FISHER Strategic Director Corporate and Environment Services
R BARRY Portfolio Holder for Resources
1. Introduction
2. Definitions
3. Legal requirements
The Act and regulations
The eight principles
Conditions for processing
4. Collection of data
5. Use of data
6. Notification
7. Rights of access
8. Exemptions
9. Offences and liability
10. Council policy
1. INTRODUCTION.
1.1 This policy sets out how the Isle of Wight Council complies with the Data Protection Act 1998, any Regulations made under it, and any guidance issued by the Information Commissioner.
1.2 All staff are required to read this policy and to comply with it. Failure to do so may be a disciplinary offence.
1.3 The Council has a Data Protection Officer, who is the Head of Legal and Democratic Services. In addition each directorate has at least one Data Protection Representative.
2. DEFINITIONS
2.1 “data” – information which is subject to the Act whether held on computer or in paper form. If in paper form it is only affected if it is held in a structured filing system which allows information relating to an individual to be readily accessible.
2.2 “personal data” – data which identifies a living individual.
2.3 “processing” includes obtaining, holding, using and disclosing data.
2.4 “data subject” is the individual who is the subject of personal data. Since he/she must be a living individual, companies and other corporations are not included.
2.5 “data controller” is the person who processes data or on whose behalf the processing takes place – in our context the Council is the data controller.
3. LEGAL REQUIREMENTS
3.1 The Act requires all personal data to be processed in accordance with the eight data protection principles. These are summarised below.
3.2 The Principles.
1. Personal data shall be processed fairly and lawfully, and only if one of the conditions in Schedule 2 is met (and in the case of sensitive personal data, one of the conditions in Schedule 3).
2. Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data shall not be kept for longer than is necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
3.3 The conditions in Schedule 2 are summarised as follows –
1. The data subject has given his consent to the processing.
2. The processing is necessary for the performance of a contract to which the data subject is a party.
3. The processing is necessary for compliance with a legal obligation.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary-
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
3.4 Sensitive personal data can only be processed in accordance with the conditions in Schedule 3 which are summarised as follows –
1. The data subject has given his explicit consent.
2. The processing is necessary for the purposes of exercising any right or obligation imposed by law in connection with employment.
3. The processing is necessary in order to protect the vital interests of the data subject or another person.
4. The processing is carried out in the course of its legitimate activities by any body or association which (i) is not established or conducted for profit, and (ii) exists for political, philosophical, religious or trade-union purposes.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing is necessary for the purpose of, or in connection with, any legal proceedings.
7. The processing is necessary for the administration of justice.
8. The processing is necessary for medical purposes and is undertaken by a health professional.
4. COLLECTION OF PERSONAL DATA
4.1 The Council has in some cases a statutory duty to collect personal data. In other cases it has to collect such data in order to carry out its functions. It should always be clear to individuals why the data is being collected, and if it is to be used for other purposes, or might be used for other purposes, they must be advised of this.
4.2 The data to be collected should be only that required for the relevant purpose.
4.3 Any form on which personal data is collected must advise the data subject that the data may be used by the Council for other purposes. It is not necessary to give them the opportunity to refuse. If, however, it is proposed to use the personal data for other purposes wider than the Council, they must have an opportunity to refuse permission, usually by a tick-box.
4.4 At least one of the conditions in Schedule 2 must be met for every proposed use of the personal data; and at least one of the conditions in Schedule 3 for sensitive data.
4.5 The Council’s notification to the Information Commissioner sets out the purposes for which personal data is collected and used by the Council.
5. USE OF PERSONAL DATA
5.1 Personal data once collected can only be used for the declared purpose or purposes. You should check the council’s notification (see below), and what was said to the data subject when the personal data was collected.
5.2 Guidance from the Information Commissioner is that local authorities should consider whether they have a lawful right to use the data for other purposes. Generally the Council may use personal data collected by it for any of its functions. The data subject should wherever possible be forewarned when they first supply the personal data.
5.3 In the case of personal data collected for Council Tax purposes, advice has been given that this should not be used for other purposes unless the data subject was so advised. Conversely, the Council has a specific right to use personal data collected for any other purpose in order to collect Council Tax; in this case it is not necessary to advise the data subject.
5.4 For the purpose of the electoral roll the Council’s registration officers may inspect any other personal data held by the council under Reg. 35 of the Representation of the People (England and Wales) Regulations 2001 (SI 2001/341). It is not necessary to advise the data subject in advance.
5.5 Disclosure of personal data to Councillors follows the normal rules. They are part of the Council and disclosure to them is included in the Council’s notification. However, disclosure should only take place where they have a “need to know” the information.
5.6 Disclosure to consultants and contractors working for the council is also permitted under the council’s notification. Again this should only happen where they need to have the personal data to carry out their contracted tasks, and the contract must contain provisions protecting the personal data.
6. NOTIFICATION
6.1 The Council as a data controller has to lodge a Notification with the Information Commissioner. This specifies the personal data the Council collects and uses, the purposes for which it is processed, and the persons to whom the data is disclosed. This is the responsibility of the Data Protection Officer.
6.2 The Information Commissioner maintains a public register containing a copy of the council’s notification.
6.3 A link to the Council’s notification is published on Wightnet, the Council’s intranet, and a paper copy is held by the Data Protection Officer. Anyone collecting or using personal data should check that their processing is covered by the Notification. If it appears not to be covered, contact the Data Protection Officer immediately as you may not be able to process the data until the Notification has been amended.
7. RIGHTS OF ACCESS
7.1 Individuals have the right to find out what personal data is held about them, and to ask for it to be amended if they believe it is inaccurate. If the data controller refuses to amend the data, the individual can apply to the Court for an order. This is known as the right of subject access.
7.2 In addition to inspecting the personal data, individuals have the right to be given a copy. A charge not exceeding £10 may be made to cover the cost of copying and providing the data.
7.3 A data subject may ask the data controller not to use their personal data for direct marketing purposes. This is an absolute right.
7.4 There is a right to request that the data controller does not process data where it causes or might cause damage or distress. This is not an absolute right.
7.5 Children may ask for disclosure of their data in the same way as adults. Disclosure of a child’s data to a parent will not be permitted without the child’s consent. If the child is too young to give such consent a decision will be made based on the criteria in the Social Work order referred to in paragraph 8.4 below.
7.6 Each Directorate will appoint an officer who is responsible for receiving and dealing with requests for subject access.
8. EXEMPTIONS
8.1 There are certain exemptions from the right of access.
8.2 If the data would identify another individual, it may not be disclosed unless that person’s consent is obtained, or unless it is reasonable to disclose it without obtaining that consent. If possible the data should be modified to exclude any reference which might identify another individual.
8.3 There are general exemptions for matters such as national security, and a schedule of miscellaneous exemptions in the Act.
8.4 There are certain Regulations which modify the subject access provisions of the Act. These relate to education, social work and health. In summary, the Orders allow the Council not to disclose personal data on request by the data subject
8.4.1 if the information has been disclosed to a court and the court orders it not to be disclosed; or
8.4.2 if disclosure would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person (education); or
8.4.3 if that likely harm would be likely to prejudice the carrying out of social work (social work).
8.5 Staff should refer to the relevant departmental policies for full details, and in the case of any uncertainty advice should be sought from the Data Protection Officer.
9. OFFENCES AND LIABILITY
9.1 The data controller (the Council) may be guilty of an offence if it processes personal data without making a notification.
9.2 Individual staff may commit an offence if they obtain, disclose, sell, advertise for sale or bring about the disclosure of personal data without the consent of the data controller (the Council); or if they access personal data or disclose it without proper authorisation.
9.3 It is a defence to have acted in the reasonable belief that the disclosure was authorised by law, or that the consent of the data controller would have been given if specifically requested. Council staff acting properly in the course of their duties would therefore be protected from prosecution.
10. COUNCIL POLICY
10.1 Council staff may process and may disclose personal data if and so far as their duties require them to do so, provided this is within the terms of the notification and of this policy.
10.2 The Council does not authorise any processing or disclosure of personal data which is not permitted or authorised under the Act or any Regulations. Nor are staff permitted to access personal data on behalf of any person external to the Council (except as permitted under paragraph 10.1 above), or for their own personal use. Staff who act contrary to this policy will be committing a disciplinary offence.
10.3 Any new systems using personal data must be notified to the Data Protection Officer and if necessary must be added to the Council’s notification.
10.4 The Council is not permitted to transfer any personal data outside the European Economic Area. Any proposal to place personal data on the internet must be cleared with the Data Protection Officer.
10.5 Each Directorate of the Council will have its own detailed policy, which will relate to this policy, and will set out -
10.5.1 what personal data is collected and processed in that directorate;
10.5.2 the purposes for which that data is processed;
10.5.3 detailed policies for the processing and disclosure of data;
10.5.4 how the data is checked for accuracy and kept up-to-date;
10.5.5 how data is reviewed and disposed of when out-of-date;
10.5.6 security procedures.
Legal Services,
Isle of Wight Council.
12 June 2002.