Data Protection & Information Security Policy

Stanway Parish Council Data Protection & Information Security Policy

This policy was last updated on: 30 January 2017

  1. Introduction
    1. Stanway Parish Council considers the security of electronic information to be very important.
    2. This Policy sets out how the Council will establish and maintain the security and confidentiality of information held within its care and how it will ensure the lawful and correct treatment of personal data.
    3. An up-to-date copy of this Policy shall be maintained on Stanway Parish Council’s website.
  2. Purpose
    1. The purpose of this Policy is to ensure that, as far as is reasonably practicable:
      • The public and all users of the Council’s information systems are confident of the confidentiality, integrity, and availability of the information used and produced
      • Business damage and interruption caused by security incidents are minimised
      • All legislative and regulatory requirements are met
      • The Council’s ICT equipment and facilities are used responsibly, securely and with integrity at all times
  3. Scope
    1. This policy applies to all information held by employees, Members, and to any individual / organisation under contract to the Council.
    2. All Members and employees of Stanway Parish Council have a legal responsibility to maintain the confidentiality, integrity and security of data held.
    3. This policy applies throughout the lifecycle of the information, from creation through storage and use to disposal. It applies to all information including:
      • Information stored electronically on databases or applications e.g. e-mail
      • Information stored on computers, PDAs, mobile phones or removable media such as hard disks, CD ROM, memory sticks etc.
      • Information transmitted on networks
      • Information sent by fax or other communication methods
      • All paper records
      • Microfiche, visual and photographic materials including slides and CCTV
      • Spoken, including face-to-face, voicemail and recorded conversation
  4. Legal and Regulatory Requirements
    1. The Data Protection Act 1998 sets out high standards for the handling of personal information and protecting individuals’ rights to privacy. It also regulates the ways in which personal information can be collected, handled and used.
    2. The Parish Council fully endorses and adheres to the principles of data protection as detailed in the Data Protection Act 1998. To this end, the Parish Council will ensure that personal data will be:
      • processed fairly and lawfully
      • obtained only for lawful and specific purpose(s)
      • adequate, relevant and not excessive in relation to the purpose for which it was collected
      • accurate and where necessary kept up to date
      • kept for no longer than is necessary for the purpose for which it was collected
      • processed in accordance with the rights of the data subjects
      • kept securely
  5. Data Collection
    1. When collecting personal data the Parish Council will ensure that people know:
      • who we are
      • what the data will be used for
      • to whom it will be disclosed.
    2. The Parish Council will ensure that no more data is collected than that which is required for the purpose for which it is being collected.
  6. Data Handling
    1. When handling, collecting, processing or storing personal data the Parish Council will ensure that:
      • all personal data is both accurate and up to date
      • errors are corrected effectively and promptly
      • the data is deleted/destroyed when it is no longer needed
      • the personal data is kept secure at all times (protecting from unauthorised disclosure or access)
      • the Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose
      • written contracts are used when external bodies process / handle the data explicitly specifying the above requirements with respect to the data.
    2. Members or employees of the Parish Council will not:
      • access personal data that is not needed for the work of the Parish Council
      • use the data for any purposes it was not explicitly obtained for
      • keep data that would embarrass or damage the Council if disclosed
  7. Subject Access Requests
    1. Individuals to whom the data relates have various rights:
      • to receive on request details of the processing relating to themselves. This includes any information about themselves including information regarding the source of the data and about the topic of certain “fully automated decisions”,
      • to have any inaccurate data corrected or removed in a timely fashion
      • in certain circumstances to stop processing likely to cause “substantial damage or substantial distress”
      • to prevent their data being used for advertising or marketing
    2. The Parish Council will respond to a Subject Access Request within 40 calendar days, as required by the Data Protection Act 1998.
    3. Under the Data Protection Act, the Parish Council is entitled to request a £10 fee for a Subject Access Request.
  8. Information Security
    1. The Parish Council will ensure that all information whether stored electronically or as paper records will be stored securely to ensure that:
      1. only authorised people can access, alter, disclose or destroy any personal data
      2. members and employees of the Parish Council only act within the scope of their authority
      3. if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
    2. All personal information held by the Parish Council will be kept in a secure location and not available for public access.
    3. All data stored on a computer will be password protected.
  9. Policy Review
    1. Stanway Parish Council will review this policy as is necessary and appropriate, and at a minimum on an annual basis.