Our responsibilities and commitments under GDPR

Our statement concerning the EU General Data Protection Regulation.

On 25 May 2018 the EU General Data Protection Regulation (GDPR) came into force. Its introduction had an impact on every organisation that holds or processes personal data. It introduced new responsibilities, including the need to demonstrate compliance, more stringent enforcement and a significant increase in penalties compared to the Data Protection Act 1998, which it superseded.

Under the regulations, since we hold and process personal information about clients, staff or suppliers, we are legally obliged to protect that information, making sure that:

  • processing is lawful and fair;
  • the purposes of processing are specified, explicit and legitimate;
  • personal data are adequate, relevant and not excessive;
  • personal data are accurate and kept up to date;
  • personal data are kept for no longer than necessary; and
  • personal data are processed in a secure manner.

Our commitment

We honour our residents’ right to data privacy and protection. We demonstrated our commitment by adhering to the Data Protection Act 1998, and we have been revising our own internal policies in order to meet the requirements of the current data protection legislation, including GDPR.

Data protection officer

We have designated Veritau Ltd as our data protection officer.

The data protection officer is the statutory point of contact for all matters relating to data protection and GDPR compliance. The data protection officer will ensure that we are accountable and transparent in our processing of data, which includes overseeing the creation and maintenance of our records of processing activities as per article 30 of the GDPR.

All communication regarding data protection and information governance matters should be directed to:

GDPR compliance activities

We have been implementing an action plan to support the enactment of GDPR across the organisation. The plan is broken down into several key areas, in each of which we have taken a variety of measures to demonstrate data protection compliance.

  • We aim to continue our work in embedding data protection into our culture.
  • All staff have completed mandatory online GDPR training sessions, which need to be retaken regularly.
  • We have undertaken a comprehensive internal communication campaign to raise staff awareness of GDPR using key message emails, intranet articles and team training sessions.
  • We will continue training all staff on how to recognise and respond to subject access requests, freedom of information requests, data breaches, and the rights of data subjects.
  • Staff contracts require our employees to adhere to all council policies, including the data protection and information security policies, which are reviewed annually. All new starters also undergo induction training which includes data protection and GDPR.
  • We are reviewing our systems, including cloud services, to ensure that they meet any specific requirements of GDPR, issuing contract variations where appropriate.
  • Our technology and change department administers all internally held systems and operates an information security management system which is certified to ISO 27001:2013.
  • Technology and change is also ISO 20000 certified. ISO 20000 provides quality assurance for the processes, policies and procedures operated in the delivery of ICT services to the council and is the only standard specifically aligned to information technology service delivery and service management.
  • We have an ongoing process of updating privacy notices for data subjects (including employees as well as service users).
  • We are reviewing all current policies and business processes and ensuring that they are GDPR compliant.
  • A retention policy is in place which stipulates the retention and destruction of both electronic and paper documents.
  • We are reviewing our information security incident procedure so that we are able to report breaches of data protection to the ICO, and potentially data subjects, within 72 hours.
  • We are replacing our existing data protection policies with a new suite of GDPR and Data Protection Act 2018 compliant policies.
  • Information security policies are reviewed annually under ISO 27001 requirements.
  • We are amending our procedures regarding the processing of information requests and other data subject rights.

In order to adhere to the GDPR requirement that, where a data controller uses a data processor, the appointment must take the form of a binding written agreement, and that personal data (including any handled by sub-processors) is processed only on documented instructions from the controller or as required by EU law or the national law of a member state:

  • we are reviewing current data processor arrangements and informing our data processors of changes to legislation;
  • inserting new data processor clauses into new contracts and service level agreements; and
  • reviewing existing data processing contracts.

This will ensure that relevant wordings are in place to cover aspects such as:

  • the duration, nature and purpose of the processing;
  • the types of data processed;
  • the obligations and rights of the controller; and
  • where applicable, cross-border transfers and the use of any sub-processors.

We continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.

The requirement to have organisational and technical safeguards in place to protect against breaches of confidentiality, integrity and availability has remained intact through the migration from the Data Protection Act 1998 to the Data Protection Act 2018 and GDPR. Therefore, while our security measures have been reviewed to ensure compliance under the Data Protection Act 2018 and GDPR, we have not deemed any changes to be necessary in this area.

  • We currently have a suite of information security policies in place covering general information security, document and record management, IT usage and related areas.
  • Our servers are held to ISO 27001 standards.
  • Connectivity to the data centre is secured.
  • Data storage is not shared and is under our control.
  • Network access for staff is controlled, and anti-virus is deployed across the network.
  • We have a routine backup procedure with data also being backed-up offsite.
  • We use electronic access control in all of our buildings.
  • Locked cupboards are located throughout all offices with a method for the secure disposal of physical documents provided.

Under the GDPR, where we process personal data or special (sensitive) categories of data, any data breach must be notified to the data protection officer without undue delay. We therefore have processes and procedures in place for identifying, reviewing and promptly reporting data breaches and, where appropriate, informing the ICO and the data subject(s) themselves.

We record:

  • a description of the nature of the breach;
  • severity analysis of the breach;
  • likely consequences of the breach; and
  • the measures proposed and taken to limit harmful effects.

We have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.