| Bathley Parish Council |
| Data Breach Policy |
| (adopted on June 2018) |
| GDPR defines a personal data breach as “a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include: |
| · Access by an unauthorised third party · Deliberate or accidental action (or inaction) by a controller or processor · Sending personal data to an incorrect recipient · Computing devices containing personal data being lost or stolen · Alteration of personal data without permission · Loss of availability of personal data |
| Bathley Parish Council takes the security of personal data seriously, computers are password protected and hard copy files are kept in locked cabinets. |
| Consequences of a personal data breach |
| A breach of personal data may result in a loss of control of personal data, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data, damage to property or social disadvantage. Therefore a breach, depending on the circumstances of the breach, can have a range of effects on individuals. |
| Bathley Parish Council’s duty to report a breach |
| If the data breach is likely to result in a risk to the rights and freedoms of the individual, the breach must be reported to the individual and lCO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. The Data Protection Officer must be informed immediately so they are able to report the breach to the ICO in the 72 hour timeframe. |
| If the ICO is not informed within 72 hours, Bathley Parish Council via the DPO must give reasons for the delay when they report the breach. |
| When notifying the ICO of a breach, Bathley Parish Council must: |
| i. Describe the nature of the breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned ii. Communicate the name and contact details of the DPO iii. Describe the likely consequences of the breach |
| iv. Describe the measures taken or proposed to be taken to address the personal data breach including, measures to mitigate its possible adverse affects. |
| When notifying the individual affected by the breach, Bathley Parish Council must provide the individual with (ii)-(iv) above. |
| Bathley Parish Council would not need to communicate with an individual if the following applies: |
| · It has implemented appropriate technical and organisational measures (i.e.encryption) so those measures have rendered the personal data unintelligible to any person not authorised to access it; · It has taken subsequent measures to ensure that the high risk to rights and freedoms of individuals is no longer likely to materialise, or · It would involve a disproportionate effort |
| However, the ICO must still be informed even if the above measures are in place. |
| Data processors duty to inform Bathley Parish Council |
| If a data processor (i.e. payroll provider) becomes aware of a personal data breach, it must notify Bathley Parish Council without undue delay. It is then Bathley Parish Council’s responsibility to inform the ICO, it is not the data processors responsibility to notify the ICO. |
| Records of data breaches |
| All data breaches must be recorded whether or not they are reported to individuals. This record will help to identify system failures and should be used as a way to improve the security of personal data. |
| Record of Data Breaches |
| Date | of | Type of breach | Number of | Date reported | to | Actions to |
| breach | individuals affected | ICO/individual | prevent breach | |||
| recurring |
| To report a data breach use the ICO online system: |
| https://ico.org.uk/for-organisations/report-a-breach/ |
| Records Retention Policy |
| Bathley Parish Council recognizes that the efficient management of its records is necessary to comply with its legal and regulatory obligations and to contribute to the effective overall management of the association. This document provides the policy framework through which this effective management can be achieved and audited. |
| It covers: · Scope · Responsibilities · Retention Schedule |
| This policy applies to all records created, received or maintained by Bathley Parish Council in the course of carrying out its functions. Records are defined as all those documents which facilitate the business carried out by Bathley Parish Council and which are thereafter retained (for a set period) to provide evidence of its transactions or activities. These records may be created, received or maintained in hard copy or electronically. A small percentage of Bathley Parish Council records may be selected for permanent preservation as part of the Councils archives and for historical research |
| Responsibilities |
| Bathley Parish Council has a corporate responsibility to maintain its records and record management systems in accordance with the regulatory environment. The person with overall responsibility for this policy is the Clerk. The person responsible for records management will give guidance for good records management practice and will promote compliance with this policy so that information will be retrieved easily, appropriately and timely. Individual staff and employees must ensure that records for which they are responsible are accurate, and are maintained and disposed of in accordance with Bathley Parish Council’s records management guidelines. |
| Retention Schedule |
| The retention schedule refers to record series regardless of the media in which they are stored. |
| Document | Minimum Retention Period | Reason |
| Minutes | ||
| Minutes of Council meetings | Indefinite | Archive |
| Minutes of committee | Indefinite | Archive |
| meetings | ||
| Employment | ||
| Staff employment contracts | 6 years after ceasing employment | Management |
| Staff payroll information | 3 years | Management |
| Staff references | 6 years after ceasing employment | Management |
| Application forms (interviewed | 6 months | Management |
| – unsuccessful) | ||
| Application forms (interviewed | 6 years after ceasing employment | Management |
| – successful) | ||
| Disciplinary files | 6 years after ceasing employment | Management |
| Staff appraisals | 6 years after ceasing employment | Management |
| Finance | ||
| Scales of fees and charges | 6 years | Management |
| Receipt and payment accounts | 6 years | VAT |
| Bank statements | Last completed audit year | Audit |
| Cheque book stubs | Last completed audit year | Audit |
| Paid invoices | 6 years | VAT |
| Paid cheques | 6 years | Limitation Act 1980 |
| Payroll records | 12 years | HMRC |
| Petty cash accounts | 6 years | HMRC |
| Insurance | ||
| Insurance policies | 6 years after policy end | Management |
| Certificates for Insurance | 40 years after policy end | Employer’s Liability |
| against liability for employees | Regs 1998 | |
| Certificates for Public Liability | 6 years after policy end | Management |
| Insurance claim records | 6 years after policy end | Management |
| Health and Safety | ||
| Accident books | 3 years from date of last entry | Statutory |
| Risk assessment | 3 years | Management |
| General Management | ||
| Councillors contact details | Duration of membership | Management |
| Lease agreements | Indefinite | Audit/Management |
| Contracts | Indefinite | Audit/Management |
| Email messages | At end of useful life | Management |
| Consent forms | 5 years | Management |
| GDPR Security Compliance form | Duration of membership | Management |
| BATHLEY PARISH COUNCIL |
| PRIVACY NOTICE |
| Bathley Parish Council complies with the General Data Protection Regulation (GDPR) law which comes into effect on 25 May 2018 and supercedes the Data Protection Act 1998. We are committed to keeping your personal information accurate and up to date. We will not keep your information longer than necessary. |
| This privacy notice explains how we use your personal information and the ways in which we protect your privacy. This notice applies to all personal data collected for or on behalf of the Bathley Parish Council. This includes information collected by letter, email, face to face, telephone or online. You may also receive a privacy notice specific to the service you are receiving. |
| By using our site you agree to accept this privacy notice. This notice may be reviewed from time to time so please check back here each time you submit personal data to us. |
| How we use your personal information We collect and use your personal information so we can provide you with statutory and other services. We use your information for the purpose for which you provided the information, including the delivery of services for you. We also use this information to monitor our performance in responding to your request. |
| We use your information in the following ways: |
| · to tell you about services and provide services appropriate to you, for example highlighting additional help or services available to you. · for insight purposes to allow us to analyse patterns and trends of service usage for service and financial planning, to help us create policy and inform decision making, e.g. identifying where new facilities/infrastructure are most needed · to process financial transactions including payments involving the Parish Councilor where the Council is acting on behalf of other government bodies, eg Newark & Shewood District Council · to help us to verify your identity if you ask us for services · to ensure that the council meets its duties, including those imposed by the Equality and Health and Safety Acts · where necessary for law enforcement functions, eg licensing, planning enforcement, trading standards and food safety where the Parish Council is legally obliged to carry out such processing. · to help investigate any concerns or complaints you have may have about the services you receive · where otherwise allowed under law. For further information on the General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018, please refer to the Information Commissioner’s website |
| Services such as education and social care, protection of vulnerable children and adults, and the support of public health and wellbeing may involve collecting, using and sharing sensitive personal data as defined by law. We do not disclose or share sensitive or confidential information without your explicit consent except in a small number of situations where disclosure is allowed by law, or where we have good reason to believe that failing to do so would put you or someone else at risk. |
| The Parish Council is obliged to protect public funds. We may use personal information and data-matching techniques to help us to detect and prevent fraud and ensure public money is spent in the most appropriate and cost-effective way. In order to achieve this, we may share information with other organisations which audit or administer public funds. This includes the Audit Commission, other local authorities, HM Revenue and Customs, and the Police. |
| The Parish Council may record some telephone conversations. The reasons for this include to help with staff training, to maintain records of conversations, to help with the detection, investigation and prevention of crime. We will tell you if your call is being recorded. |
| We may use personal information to identify people who will need extra support during emergencies or major incidents e.g. emergency evacuation. |
| We are keen to ensure that we are providing the services that are needed and may contact you to make you aware of services or support which could be of interest to you. We may invite you to sign up for other services at the same time (for example, a regular mailing list). You can choose not to accept this invitation. |
| We may also ask for feedback on how we are performing, or ask for your views on services which you have been using. |
| You may not want us to collect or share your personal information, or you may set conditions on how we can use it. In these cases we may not be able to provide you with the service you need, or may only be able to provide it in a limited way. There are occasions when we have a statutory obligation to collect or use personal information. In those cases we will not be able to agree to your request. |
| We may use ethnic, gender, sexual orientation and age information (ie, equalities data) to compile statistics in order to comply with equality legislation and assist in planning and service provision. Such data does not identify individuals or affect your entitlement to services. |
| Third parties The information we collect may be shared between Parish Council services and with other organisations, such as government bodies, the Police, health and social care organisations providing you with services and educational establishments. |
| We will only share your personal information when we are permitted to or are required to by law or we have your consent to do so as required by law. |
| The Parish Council does not pass personal data to other organisations for marketing purposes without your consent. Your personal information may be processed by an external service provider acting on our behalf to provide services. |
| Email Emails that we send to you or you send to us may be kept as a record of contact. We may also store your email address for future use. If we need to email sensitive or confidential information to you, we will check that we are using the correct email address and may use additional security measures. If you need to send us sensitive information, we recommend using encrypted email or the postal service. |
| Your rights You can ask us to stop processing your personal data in relation to any Parish Council service. This may delay or prevent us delivering a service to you. We will try to meet your request but we may be required to hold or process information to meet our legal duties. |
| You are entitled to request access to and a copy of any information we hold about you. |
| If you find that the information that the Parish Council holds about you is no longer accurate, you have the right to ask to have this corrected. We may not always be able to change or remove the information. However, we will correct factual inaccuracies and may include your comments in the records. |
| Queries and complaints If you would like further information or have a complaint about any of the details in this notice, please contact us by email or post: |
| Email: bathleyparishcouncil@outlook.com |
| Write to: Clerk to the Council, c/o Bathley House, Bathley, Newark, Notts NG23 6DJ |
| Phone: 07887 244077 |
| External links This website contains external links to third party sites. Our privacy notice applies only to information collected by or on behalf of the Parish Council. If you go to another website, you should read their privacy notice before you give them any personal details. |
| BATHLEY PARISH COUNCIL CONSENT FORM |
| Your privacy is important to us and we would like to communicate with you about the council and its activities. To do so we need your consent. Please fill in your name and address and other contact information below and confirm your consent by ticking the boxes below. |
| If you are aged 13 or under your | ||
| parent or guardian should fill in their | ||
| details below to confirm their consent | ||
| Name | ||
| Address | ||
| Signature | ||
| Date |
| Please confirm your consent below. You can grant consent to any or all of the purposes listed. You can find out more about how we use your data from our “Privacy Notice” which is available from our website or from the council Office or at [insert URL]. |
| You can withdraw or change your consent at any time by contacting the council office. |
| o We may contact you to keep you informed about what is going on in the council’s area or other local authority areas including news, events, meetings, clubs, groups and activities. These communications may also sometimes appear on our website, or in printed or electronic form (including social media). |
| o We may contact you about groups and activities you may be interested in participating in. |
| o We may use your name and photo in our newsletters, bulletins or on our website |
| o [Optional Additional Activities for councils to add if not included above.] Keeping in touch: o Yes please, I would like to receive communications by email o Yes please, I would like to receive communications by telephone o Yes please, I would like to receive communications by mobile phone including text message o Yes please, I would like to receive communications by post |
| GDPR Security Compliance Checklist |
| ~- |
| All councillors should complete the security checklist below to show compliance. Records should be retained whilst they remain in office. |
| Yes/No* | |
| Computer is password protected | |
| Email is password protected | |
| Mobile devices are password protected | |
| Flash drives are password protected | |
| External hard drives are password protected | |
| Cloud access is password protected | |
| Hard copy files are held securely | |
| Anti-virus software is up to date | |
| No one outside the council has access to your council | |
| information |
| *If you have put ‘No’ to any of the above please add that date by which you expect to have these measures in place: |
| Councillor name: ____________________________________ _ |
| Councillor signature: ____________________________________________ _ |
| Date: ____________________ _ |
| Data Protection Policy |
| The Data Protection Policy |
| Bathley Parish Council recognizes its responsibility to comply with the General Data Protection Regulations (GDPR) 2018 which regulates the use of personal data. This does not have to be sensitive data; it can be as little as a name and address. |
| General Data Protection Regulations (GDPR) |
| The GDPR sets out high standards for the handling of personal information and protecting individuals’ rights for privacy. It also regulates how personal information can be collected, handled and used. The GDPR applies to anyone holding personal information about people, electronically or on paper. Bathley Parish Council has also notified the Information Commissioner that it holds personal data about individuals. |
| When dealing with personal data, Bathley Parish Council staff and members must ensure that: |
| • Data is processed fairly, lawfully and in a transparent manner This means that personal information should only be collected from individuals if staff have been open and honest about why they want the personal information. |
| • Data is processed for specified purposes only This means that data is collected for specific, explicit and legitimate purposes only. |
| • Data is relevant to what it is needed for Data will be monitored so that too much or too little is not kept; only data that is needed should be held. |
| • Data is accurate and kept up to date and is not kept longer than it is needed Personal data should be accurate, if it is not it should be corrected. Data no longer needed will be shredded or securely disposed of. |
| • Data is processed in accordance with the rights of individuals Individuals must be informed, upon request, of all the personal information held about them. |
| • Data is kept securely There should be protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. |
| Storing and accessing data |
| Bathley Parish Council recognises its responsibility to be open with people when taking personal details from them. This means that staff must be honest about why they want a particular piece of personal information. |
| Bathley Parish Council may hold personal information about individuals such as their names, addresses, email addresses and telephone numbers. These will be securely kept at the Bathley Parish Council Clerk’s home office and are not available for public access. All data stored on the Bathley Parish Council Office computers are password protected. Once data is not needed any more, is out of date or has served its use and falls outside the minimum retention time of Council’s document retention policy, it will be shredded or securely deleted from the computer. |
| Bathley Parish Council is aware that people have the right to access any personal information that is held about them. Subject Access Requests (SARs) must be submitted in writing (this can be done in hard copy, email or social media). If a person requests to see any data that is being held about them, the SAR response must detail: |
| · How and to what purpose personal data is processed · The period Bathley Parish Council tend to process it for · Anyone who has access to the personal data |
| The response must be sent within 30 days and should be free of charge. |
| If a SAR includes personal data of other individuals, Bathley Parish Council must not disclose the personal information of the other individual. That individuals’ personal information may either be redacted, or the individual may be contacted to give permission for their information to be shared with the Subject. |
| Individuals have the right to have their data rectified if it is incorrect, the right to request erasure of the data, the right to request restriction of processing of the data and the right to object to data processing, although rules do apply to those requests. |
| Please see “Subject Access Request Procedure” for more details. |
| Confidentiality |
| Bathley Parish Council members and staff must be aware that when complaints or queries are made, they must remain confidential unless the subject gives permission otherwise. When handling personal data, this must also remain confidential. |