1. Our GDPR principles
- we will process all personal data fairly and lawfully
- we will only process personal data for specified and lawful purposes
- we will endeavor to hold relevant and accurate personal data, and where practical, we will keep it up to date
- we will not keep personal data for longer than is necessary
- we will keep all personal data secure
- we will endeavor to ensure that personal data is not transferred to countries outside of the European Economic Area (EEA) without adequate protection
2. GDPR compliance
As part of our GDPR preparation process, we are reviewing and updating all our internal processes, procedures, data systems and documentation in order to help ensure that we are ready when GDPR comes into force in May 2018.
The Brington and Molesworth Parish Council will be complying with the GDPR as a controller and processor of data and have been planning and developing a programme of works which will deliver what is required by the legislation. This will involve working with our suppliers and partner organisations to ensure they can meet these obligations.
We will implement the relevant policies and practices to ensure we protect any data handled by the Brington and Molesworth Parish Council – for its employees, customers, suppliers, partners and stakeholders, specifically including the following:
- Each member will have completed an awareness course and staff with key data protection responsibilities a GDPR Awareness Workshop
- suppliers who process personal data on behalf of the Brington and Molesworth Parish Council have been identified and asked to provide details of their state of compliance with the GDPR and where appropriate agree to new contractual arrangements.
3. Our GDPR actions to date
- we have appointed a Data Protection Officer
- our internal project is maintaining a log of GDPR compliance work, which will be available for scrutiny if/when asked
- we undertook a gap analysis of all our business processes where personal data is either held or collected and produced an action plan
- we are reviewing and updating our range of policies, including our Data Protection Policy and Subject Access Requests Policy
- we have introduced mechanisms to identify a potential personal data breach and to set out how such breaches will be investigated and reported
- we are undertaking a systematic review of the personal data we store, manage, maintain, collect, process and control
- we have introduced legitimate interest assessments where we rely on legitimate interest as the lawful basis for processing any personal data
- we have conducted data mapping of all our processes involving personal data
- we are providing training to our employees and generally raising awareness of the importance of GDPR to our business and of their individual responsibilities arising from it
- we are looking, and will continue to look, at ways of improving our systems and procedures to better comply with GDPR best practice
- we will continue to monitor our GDPR plans
4. Contact us
Should you require any further information about the Brington and Molesworth Parish Council’s GDPR plans and preparation, please feel free to contact us using the ‘Report It’ tab.
Existing Statement of Policy
In order to operate efficiently, the Parish Council needs to collect information about people with whom it has dealings. These may include members of the public, current, past and prospective employees, hirers of Council premises, other customers and suppliers. The Council will ensure that it treats such personal data and especially sensitive personal data in accordance with the Data Protection Act 1998 and, in particular, the principles of data protection (see below).
Principles of Data Protection
The Data Protection Act 1998 stipulates that anyone processing personal data must comply with eight principles of data protection which require that such data:
- Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
- Shall be accurate and, where necessary, kept up to date.
- Shall not be kept for longer than is necessary for that purpose or those purposes.
- Shall be processed in accordance with the rights of data subjects under the Act.
- Shall be kept secure, i.e. protected by an appropriate degree of security.
- Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
Personal data is defined as data relating to a living individual who can be identified from that data alone, or that data and any other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
- Racial or ethnic origin.
- Political opinions.
- Religious beliefs or other beliefs of a similar nature.
- Trade union membership.
- Physical or mental health or condition.
- Sexual life.
- Offences committed or alleged to have been committed.
- Criminal proceedings or convictions.