Data Protection Policy
This Data Protection Policy was reviewed and adopted by the council at its meeting held on 26 March 2026, Minute Ref: 25/26.16c
Review: September 2026
Purpose
The council is committed to being transparent about how it collects and uses personal data, and to meeting its data protection obligations. This policy sets out the council’s commitment to data protection, and your rights and obligations in relation to personal data in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
Definitions
“Personal data” is any information that relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information. It includes both automated personal data and manual filing systems where personal data are accessible according to specific criteria. It does not include anonymised data.
“Processing” is any use that is made of data, including collecting, recording, organising, consulting, storing, amending, disclosing or destroying it.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic or biometric data as well as criminal convictions and offences.
“Employees, councillors, residents and customers, and other data subjects” may include past, present and potential members of those groups. “Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members. “Processing” refers to an action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
“Data Controller” is a ‘person’ who determines the purposes for which and the manner in which any personal data are, or are to be, processed. A ‘person’ as recognised in law may be an individual, organisation or body of persons.
“Data Protection Officer” is an individual working on behalf of the Data Controller with responsibility for data protection within that organisation.
1. Data protection principles
The council processes data in accordance with the following data protection principles. The council:
- processes data lawfully, fairly and in a transparent manner
- collects data only for specified, explicit and legitimate purposes and does not further process it in a manner that is incompatible with those purposes
- processes data only where it is adequate, relevant and limited to what is necessary for the purposes of processing
- keeps accurate and up to date data and takes all reasonable steps to ensure that inaccurate data is rectified or deleted without delay
- keeps data only for the period necessary for processing
- adopts appropriate measures to make sure that data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage
The council will tell you of the personal data it processes, the reasons for processing your personal data, how we use such data, how long we retain the data, and the legal basis for processing in our privacy notices. The Council is in the process of reviewing its privacy notices, and will carry out a data audit.
The council will not use your personal data for an unrelated purpose without telling you about it and the legal basis that the Council intends to rely on for processing it. The council will not process your personal data if it does not have a legal basis for processing.
2. Responsibilities
Water Orton Parish Council is the Data Controller and must ensure that any processing of personal data for which it is responsible complies with the Act.
The Data Protection Officer is the Clerk, who acts on behalf of the Council, and is responsible for:
- Fully observing conditions regarding the fair collection and use of information;
- Meeting the Council’s legal obligations to specify the purposes for which information is used;
- Collecting and processing relevant information, only to the extent that is required to fulfil operational needs/to comply with legal requirements;
- Ensuring the quality of information used;
- Applying strict checks to determine the length of time that information is held;
- Ensuring that the rights of the people about whom information is held are able to be fully exercised under the Act;
- Taking appropriate technical and organisational security measures to safeguard personal information;
- Ensuring that personal information is not transferred abroad without suitable safeguards;
- Ensuring that everyone managing and handling personal information:
  - a) Fully understands that they are contractually responsible for following good practice in terms of protection;
  - b) Is adequately trained to do so;
  - c) Is appropriately supervised.
3. Storage and Retention
Personal data is kept in paper-based systems and/or on a password-protected computer system. The council will keep different types of information for differing lengths of time, depending on legal and operational requirements.
4. Access to Information
Any employee, councillor, resident, customer or other data subject has a right to:
- Ask what personal information the Council holds;
- Ask what this information is used for;
- Be provided with a copy of the information;
- Be given details of the purposes for which the Council uses the information and any other persons or organisations to whom it is disclosed;
- Ask that any incorrect data held is corrected.
If it is felt by the data subject that any personal information held is incorrect, the individual may request that it be amended. The Council must advise the individual within 21 days whether or not the amendment has been made.
5. Breach of Policy
Compliance with the Act is the responsibility of all councillors and the Clerk. Any deliberate or reckless breach of the policy may lead to disciplinary action and, where appropriate, legal proceedings. Any individual who believes that the council has breached any of the requirements of the Data Protection Act 1998 (or the GDPR 2018) should raise the matter with the Clerk.
6. Guidelines for Staff, Volunteers and Councillors
During the course of your duties with Water Orton Parish Council, you will be dealing with information such as names/addresses/phone numbers/email addresses of members of the public. You may be told or overhear sensitive information while working for Water Orton Parish Council.
The Data Protection Act 1998 (and the subsequent General Data Protection Regulations (GDPR) 2018) gives specific guidance on how this information should be dealt with by organisations such as Water Orton Parish Council. In short, to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To help you meet the terms of the Data Protection Act (and GDPR 2018) while working for Water Orton Parish Council, the following guidelines are issued. Please read them carefully and ask the Data Protection Officer (Clerk) if you are in any doubt about any of them.
7. Sharing of Personal Information
“Personal information” includes such details as addresses/phone numbers and health details supplied by members of the public. Such information may be shared between staff and councillors at Water Orton Parish Council for work purposes, but should not be given to anyone outside of the council without explicit consent from the person concerned.
If such a situation arises, please ask the Clerk for advice.
8. Unlawful Disclosure of Personal Information
Under the Data Protection Act you are committing a criminal offence if you disclose personal information ‘knowingly or recklessly’ to anyone you are not supposed to, so please be careful. Give consideration to any conversations you are having containing personal or sensitive information that could possibly be overheard by people who should not have access to such information.
9. Use of files, books and other paper records
In order to prevent unauthorised access and accidental loss or damage to personal information held on paper, please take good care of the files, books and other paper records you use, and ensure that they are stored before you leave the building.
10. Use of Email
Before sending emails, please ensure that they contain no personal or sensitive information that the recipients should not have access to. This is a particular risk when forwarding emails or adding new recipients to an email chain.
11. Disposal of Scrap Paper
Be aware that names/addresses/phone numbers and other information written on scrap paper are also considered to be confidential. Such notes must be shredded.
This is a non-contractual policy and procedure which will be reviewed from time to time.