The processing of personal data is essential to many of our services and functions, and this processing will often involve sensitive personal data. Compliance with the Data Protection Act 1998 will ensure that this processing is carried out fairly and lawfully.
Both the Data Protection Act and Article 8 of the Human Rights Act 1998 stress that the processing of personal data needs to strike a balance between, on the one hand, the needs of the organisation to function effectively and efficiently and, on the other, respect for the rights and freedoms of the individual. This policy sets out how we will ensure that those rights and freedoms will be protected.
This policy applies to all personal data that we process.
For the purposes of the Act, personal data includes data held in manual files as well as on computer databases.
Personal data means data about a living individual who can be identified from those data (or from those and other information either in our possession, or likely to come into our possession). This can include not only personal details, details of family and social circumstances, education, employment, business and financial details, but also goods or services received, expressions of opinion or intentions, and images such as those recorded on CCTV.
Data controller means the organisation that determines how data is processed. Newcastle City Council is the data controller for personal data that it processes. We are legally required to comply with the Data Protection Principles.
Processing of personal data is defined very widely in the Data Protection Act. It covers all actions and processes involved in obtaining, recording, holding, carrying out any set of operations on, storing or destroying personal data.
Data subject is any living individual who is the subject of personal data.
We will comply with all requirements of the Data Protection Act 1998. We will notify all purposes of processing to the Information Commissioner and an up-to-date entry in the Public Register of Data Controllers will be maintained. We will also comply with Article 8 of the Human Rights Act in respect of processing of personal data.
We will aim to follow best practice in all personal data processing.
We will keep individuals informed of the purposes for which we are processing their personal data, and will seek their consent where appropriate and necessary. Where we use data for another purpose, we will inform people of this. We will also provide general information to the public on their rights under data protection legislation.
We will hold the minimum personal data necessary to carry out our functions, and we will make every effort to ensure accuracy of the data. Where we record opinions or intentions, these will be carefully and professionally expressed. Data which is no longer required will be securely destroyed in accordance with relevant retention and disposal schedules.
The appropriate level of technical and organisational measures needed to ensure the security of personal data will be assessed in accordance with the corporate Information Asset Classification Policy.
We aim to respond to all requests from individuals to access their personal data within the timescales set out in the Data Protection Act.
We can only respond to such requests:
- Where they are received in writing
- Which provide adequate information to allow us to identify the person making the request and to locate the information that has been requested, and
- Which are accompanied by the relevant fee where appropriate.
Fees will be charged for subject access requests in line with the corporate Freedom of Information and Data Protection Charging Policy.
We will only use personal data for the direct promotion or marketing of goods and services with the consent of the data subject.
When appropriate, we will carry out data sharing with external agencies under a written information sharing agreement setting out the scope and limits of the sharing, and the safeguards to be put in place.
We will only use data matching techniques for specific purposes, such as participating in the National Fraud Initiative and Troubled Families Programme, and in line with published Codes of Practice.
All Local Authorities have a duty to improve the health of the population they serve. To help with this, we use data and information from a range of sources, including hospital episodes and births and death registrations, to understand more about the nature and causes of disease and ill-health in the area, alongside health and care needs. This data is processed in order to fulfil our requirements with regard to public health.
Where we intend to use personal data for data matching, we will inform people of this.
We reserve the right to intercept and monitor the content of telephone calls, emails and Internet access of employees in compliance with the Lawful Business Practice Regulations 2000. This will be carried out within the guidelines in the Information Commissioner’s Employment Practices Code and Supplementary Guidance.
Elected Members and staff will be trained to an appropriate level in the use and security of personal data.
Relationship with other policies
The Data Protection policy is part of a set of Information Governance policies that form a basis for the correct management of the Council’s information resources.
The Information Governance Strategy sets out a framework for the effective management and protection of organisational and personal information.
The Freedom of Information Policy explains how we will comply with our obligations under the Freedom of Information Act and outlines our approach to responding to requests for information made under the Act.
The Information Security Policy ensures effective policing and secure management of all of our information assets, resources and IT systems.
The Records Management Policy establishes procedures for the effective management of records.
The Information Asset Classification Policy classifies information based on confidentiality, in order to decide on appropriate levels of protection for that information.
Directors / Heads of Service
- Appoint coordinators to be responsible for data protection compliance and requests
- Ensure that officers with responsibilities for data protection are supported in their work in terms of commitment and resources
- Ensure all staff comply with the agreed policy and procedures for data protection and attend training on these where necessary
- Recognise data protection issues in service planning and resource allocation
Freedom of Information and Data Protection Officer
- Develop and maintain the corporate data protection policy and procedures
- Provide advice and guidance on the data protection policy and procedures
- Provide training in data protection issues
- Co-ordinate subject access requests in conjunction with directorate coordinators
- Monitor and review the effectiveness of the policy and procedures
- Identify and communicate any data protection issues to directorates
- Report on compliance with the policy and procedures to BMG
- Ensure that the notification is renewed annually and kept up to date
FOI and data protection co-ordinators
- Promote the policy and procedures within their directorate
- Be aware of the requirements of the Data Protection Act and how they might impact on work within their directorate
- Ensure that subject access requests are handled effectively in their directorate, by logging and coordinating requests
- Be aware of the Data Protection Act and what it means to the Council
- Follow the policy and procedures for handling personal data
- Consult with the Freedom of Information and Data Protection Officer for advice and guidance when necessary
Monitoring and review
Compliance with this policy and related procedures will be monitored by the Freedom of Information and Data Protection Officer, working with the FOI and Data Protection Coordinators from each directorate.
Any deliberate breach of this policy or the Data Protection Act will be seen as misconduct and may be subject to action under the disciplinary procedure.
This policy will be reviewed by the Freedom of Information and Data Protection Officer on an annual basis.