Data Protection Policy
Data Collection & Use of Data
Personal Data should be collected only from the Data Subject unless one of the following applies:
- The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies;
- The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.
If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:
- The Data Subject has received the required information by other means;
- The information must remain confidential due to a professional secrecy obligation;
- UK law expressly provides for the collection, Processing or transfer of the Personal Data (National Derogations awaited).
Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:
- One calendar month from the first collection or recording of the Personal Data;
- At the time of first communication if used for communication with the Data Subject;
- At the time of disclosure if disclosed to another recipient.
Lawfulness of Processing
In preparing for the introduction of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, the lawful basis of Processing (See Conditions of Processing, Appendix A) has been identified and documented across all services within the Council that Process Personal Data. This information has been captured within the Information Asset Register which is retained on the MKI System. The Data Protection Officer must be consulted and approve any changes to the lawful basis of Processing.
There are circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the Personal Data was collected. When making a determination as to the compatibility of the new reason for Processing, guidance and approval must be obtained from the Information Governance Team before any such Processing may commence.
In order to Process Personal Data Lawfully, at least one of the following conditions must apply:
- The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which Pembrokeshire County Council is subject;
- Processing is necessary in order to protect the vital interests of the Data Subject or of another living individual;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Pembrokeshire County Council;
- Processing is necessary for the purposes of the legitimate interests pursued by Pembrokeshire County Council or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of personal data, in particular where the data subject is a child.
In order to Process Special Categories of Personal Data Lawfully, at least one of the following conditions must apply:
- The Data Subject has given explicit consent to the processing of those Personal Data for one or more specified purposes;
- Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Pembrokeshire County Council or of the Data Subject in the field of employment and social security and social protection law in so far as it is authorised by National Law; (see Appendix A 1 for further guidance)
- Processing is necessary to protect the vital interests of the Data Subject or of another living individual where the Data Subject is physically or legally incapable of giving consent;
- Processing relates to Personal Data which are manifestly made public by the Data Subject;
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for reasons of substantial public interest; (See Appendix B for further details)
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State Law or pursuant to contract with a health professional and subject to conditions and safeguards (i.e. processed by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person also subject to an obligation of secrecy by national competent bodies, e.g. professional codes of conduct); (See Appendix A for further guidance).
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; (see Appendix A 3 for further guidance)
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (see Appendix A 4 for further guidance)
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. (see Appendix A 4 for further guidance)
The UK GDPR is more specific about the information we are required to provide to people about what we do with their personal data. We must provide this information to individuals in a way that is easy to access, read and understand.
Providing clear and concise privacy notices covers some of the key transparency requirements under the Data Protection legislation. The checklist in Appendix C provides guidance on what we are required to include within a privacy notice depending on whether the personal data was collected from the individual it relates to or from another source.
Privacy Notices for each service area are published on our website.
Pembrokeshire County Council will adopt all necessary measures to ensure that the Personal Data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the Data Subject (as applicable). The measures adopted by Pembrokeshire County Council to ensure data quality include:
- Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the data subject does not request rectification;
- Keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period;
- The removal of Personal Data if in violation of any of the Data Protection principles or if the Personal Data is no longer required;
- Restriction, rather than deletion of Personal Data, insofar as:
  - A law prohibits erasure;
  - Erasure would impair legitimate interests of the Data Subject;
  - The Data Subject disputes that their Personal Data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.
To ensure Fair Processing, Personal Data will not be retained by Pembrokeshire County Council for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further processed.
The length of time for which Pembrokeshire County Council needs to retain Personal Data is set out in the Pembrokeshire County Council Records Retention Schedule. This is based on the National Archives Guidance for Local Authorities, which defines the statutory timescales for categories of Personal Data processing across the Authority by service/function. In the absence of a Statutory Timescale, record retention is minimised in order to protect the rights of the Data Subject.
Technical & Organisational Measures
Pembrokeshire County Council will adopt physical, technical, and organisational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorised alteration, access or processing, and other risks to which it may be exposed by virtue of human action or the physical or natural environment.
Further details on the minimum set of security measures adopted by Pembrokeshire County Council are detailed within the following policies:
- IT Security and e-Mail/Internet Policy
- Records Management Policy
- Confidential Waste Policy
A summary of the Personal Data related security measures is provided below:
- Prevent unauthorised persons from gaining access to data processing systems in which Personal Data are processed;
- Prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorisations;
- Ensure that Personal Data in the course of electronic transmission during transport cannot be read, copied, modified on or removed from a data processing system;
- Ensure that in the case where processing is carried out by a Data Processor, the data can be processed only in accordance with the instructions of the Data Controller;
- Ensure that Personal Data is protected against undesired destruction or loss;
- Ensure that Personal Data collected for different purposes can be and is processed separately;
- Ensure that Personal Data is kept no longer than is necessary.
There may be instances where requests are made to share information with third parties. This may be a one-off request or for systematic data sharing.
One-off Data Sharing
As a Data Controller we would not disclose personal data to any members of the public. Requests such as these would be dealt with under the Freedom of Information Act 2000, which provides an exemption for sharing of personal information.
However, there may be instances when it would be appropriate to share personal data with a third party, such as another professional, court, regulatory body, etc. The following points should be considered and documented to justify your rationale for decision-making:
- Do you think you should share the information?
- Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?
- Do you have concerns that an individual is at risk of serious harm?
- Do you need to consider an exemption in the DPA to share?
- Do you have the power to share?
- Do you have a legal obligation to share?
If you decide to share you need to:
- Only share what is necessary
- Distinguish fact from opinion
- Share the information securely
- Ensure that you are giving information to the right person
- Consider whether it is appropriate/safe to inform the data subject that you have shared their information.
Record your decision:
- What information was shared and for what purpose
- Who it was shared with
- When it was shared
- Your justification for sharing
- Whether the information was shared with or without consent.
Requests for information should be discussed with your Information Asset Owner – this will be your Head of Service or Service Manager.
Systematic Data Sharing
Many services will have reasons why they may wish to share personal data regularly with a third party. In these cases, you must have a data sharing agreement/information sharing protocol in place. As well as considering the key points above, the data sharing agreement/information sharing protocol should cover the following issues:
- What information needs to be shared
- The organisations that will be involved
- What you need to tell data subjects about the data sharing and how you will communicate that information (privacy notice)
- Measures to ensure adequate security is in place to protect the data
- What arrangements need to be in place to provide data subjects with access to their personal data if they request it
- Agreed common retention periods for the data
- Processes to ensure secure disposal/deletion takes place.
Pembrokeshire County Council has signed up to the Wales Accord on the Sharing of Personal Information (WASPI). This provides good practice in data sharing and enables public services to meet their data protection responsibilities as they move to collaborative working. The Information Governance Team will be able to assist with the development of data sharing agreements/information sharing protocols and must be consulted at the outset.
The UK GDPR imposes a general prohibition on the transfer of personal data outside the EU, unless:
- The transfer is based on an adequacy decision;
- The transfer is subject to appropriate safeguards;
- The transfer is governed by Binding Corporate Rules; or
- The transfer is in accordance with specific exceptions.
In all cases, you should refer to the Data Protection Officer before transferring data outside of the EU. Accessing personal data remotely when outside of the EU would be included in this definition.
Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. Services that process children’s personal data should consider the need to protect them and design systems and processes with this in mind (Data Privacy Impact Assessment).
If consent is being relied on as the lawful basis for processing then consideration needs to be given to the following:
- The competence of the child (whether they have the capacity to understand the implications of the collection and processing of their personal data). If a child isn’t deemed to be competent then consent is not ‘informed’ and therefore not valid;
- The imbalance of power in your relationship with the child, to ensure that if you accept their consent it is freely given;
- Are you providing an online service to children? If you are relying on consent then you must seek parental consent for children under the age of 13, unless the online service is a preventative or counselling service.
Transparency is key. You can raise children’s (and their parents’) awareness of data protection risks, consequences, safeguards and rights by:
- Telling them what you are doing with their personal data;
- Being open about the risks and safeguards involved; and
- Letting them know what to do if they are unhappy.
We must have age-appropriate privacy notices for children. They must be clearly written so that they are able to understand what will happen to their personal data, and what rights they have.
A Data Processor is responsible for processing personal data on behalf of a data controller. An example would be use of the Royal Mail to deliver post, Cloud provision or third parties contracted to undertake confidential waste disposal. The UK GDPR applies to both Data Controllers and Data Processors. Data Processors have specific legal obligations placed on them, for example, they are required to maintain records of personal data processing activities. Data Processors now have a legal liability if they are responsible for a data breach.
The UK GDPR places certain obligations on Data Controllers to have a contract in place with Data Processors and certain clauses must be included. The Data Controller must also be able to evidence that they have undertaken due diligence checks prior to entering into a contract and must undertake and evidence regular contract monitoring to gain appropriate assurance that the Data Processor is UK GDPR compliant.