The law is complex, but there are a number of underlying principles, including that of personal data:
1. will be processed lawfully, fairly and transparently
2. is only used for a specific processing purpose that he data subject has been made aware of and no other, without further consent.
3. collected on a data subject it should be 'adequate, relevant and limited. " i.e only the minimum amount of data should be kept for specific processing.
4. must be "accurate and where necessary kept up to date"
5. should not be stored for longer than is necessary, and that storage is safe and secure.
The General Data Protection Regulation (GDPR) is a Europe wide law - as a public authority ALL parish councils come within its remit. The GDPR's main concepts and principles are very similar to those in the current DPA and the Information Commissioners Office (ICO) will still be the organisation in charge of data protection and privacy issues. Therefore, as we are complying with the DPA, much of what we do will still apply.
Shillingstone Parish Council (SPC) is both the Data Controller and the Data Processor.
The legal basis for the Parish Council to Collect data is 'Public Task' - i.e the processing is necessary for SPC to perform a task in the public interest, or for the council's official functions, and the task or function has a clear basis in law.
It processes this data to carry out its public tasks such as administering allotments (and associated waiting lists).
The GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner
(b) collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes. This means that individuals should be told what you are going to do with their personal data before you use it and consent to such use.
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are used.
(d) accurate, and where necessary kept up to date. Personal data that is found to be inaccuarate should be deleted or corrected without delay. All personal data should be periodically checked to make sure that it remains up to date and relevant.
(e) kept in a form which permits identification of data subjects for no longer than is necessary
(f) kept securely
Individuals who have data collected about them have the following rights:
- Right to be informed
- Right of access
- Right of rectification
- Right of erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
DATA PRIVACY NOTICE:
SHILLINGSTONE PARISH COUNCIL
1. Your personal data - what is it?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with other information in the data controller's possession or likley to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (The "GDPR")
2. Who are we? Shillingstone Parish Council is the Data Controller and the Data processor. This means it decides how your [personal data is processed for what purposes and undertakes the processing of that data.
3. How do we process your personal data?
SPC complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
- to enable us to provide a service for the benefit of the public in a particular geographical area as defined by the Electoral Commission:
- to administer financial records of the hiring of our chargeable facilities
- to manage our employees and volunteers to maintain our own accounts and records to inform you of news, events, activities being run by the parish council
4. What is the legal basis for processing your personal data? Public Task is the legal basis of our data handling Processing is necessary for carrying out legal obligations in relation to managing the letting of our facilities or under employment, social security or a collective agreement There is no disclosure to a third party without consent
5. Sharing your personal data Your personal data will be treated a strictly confidential and will only be shared with other officers of the council in order to carry out a function or for purposes connected with the council. We will only share your data with third parties outside of the parish council with your consent.
6. How long will we keep your personal data? We keep data in accordance with the requirements of HMRC for invoices, and for as long as required (as a tenant or on a waiting list) for allotments Specifically, we retain electoral roll data while it is still current; hiring records and associated paperwork for 7 years after the calendar year to which they relate
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
- The right to request a copy of your personal data which SPC holds about you
- The right to request that SPC corrects any personal data if it is found to be inaccurate or out of date
- The right to request your personal data is erased where it is no longer necessary for SPC to retain such data
- The right to withdraw your consent to the processing at any time
- The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller.
- The right where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing.
- The right to object to the processing of personal data (where applicable) (Only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics)
8. Further processing If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with anew notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details.
To exercise all relevant rights, queries or complaints please in the first instance contact the Parish Clerk at email@example.com or 01258 472011
You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/