Fair Processing – Newcastle City Council
The processing of personal data is essential to many of our services and functions, and this processing will often involve sensitive personal data. Compliance with the Data Protection Act 2018 will ensure that this processing is carried out fairly and lawfully.
Both the Data Protection Act and Article 8 of the Human Rights Act stress that the processing of personal data needs to strike a balance between, on the one hand, the needs of the organisation to function effectively and efficiently and, on the other, respect for the rights and freedoms of the individual. This policy sets out how we will ensure that those rights and freedoms will be protected.
This policy applies to all personal data that we process.
For the purposes of the Act, personal data includes data held in manual files as well as on computer databases.
Personal data means data about a living individual who can be identified from those data (or from those and other information either in our possession, or likely to come into our possession). This can include not only personal details, details of family and social circumstances, education, employment, business and financial details, but also goods or services received, expressions of opinion or intentions, and images such as those recorded on CCTV.
This includes all the obvious details the council might hold about you like name, address, date of birth, NHS number, Council Tax reference number, rent payment records, details of family and social circumstances, education, employment, business and financial details, but also goods or services received, expressions of opinion or intentions, and images such as those recorded on CCTV . Some data can be personal even if it refers to more than one individual, like joint tenancies, Council Tax assessment records, etc.
The Act recognises that some types of personal data are more sensitive than others. There are extra rules for processing data about your ethnic origin, religious beliefs, trade union membership, party political opinions, sexuality, health, involvement in court proceedings, etc.
Data controller means the organisation that determines how data is processed. Newcastle City Council is the data controller for personal data that it processes. We are legally required to comply with the Data Protection Principles.
Processing of personal data is defined very widely in the Data Protection Act. It covers all actions and processes involved in obtaining, recording, holding, carrying out any set of operations on, storing or destroying personal data.
Processing personal data includes collecting, storing, accessing, changing and destroying any information about you. The amount of personal data we have about you and how we process it depends on which council services you use.
Sometimes we collect personal data for one council service and need to use it to give you another service. We will always try to tell you if we share your personal data between different council services.
Data subject is any living individual who is the subject of personal data.
- We will comply with all requirements of the Data Protection Act 2018. We will notify all purposes of processing to the Information Commissioner and an up-to-date entry in the Public Register of Data Controllers will be maintained. We will also comply with Article 8 of the Human Rights Act in respect of processing of personal data.
- We will aim to follow best practice in all personal data processing.
- We will keep individuals informed of the purposes for which we are processing their personal data, and will seek their consent where appropriate and necessary. Where we use data for another purpose, we will inform people of this. We will also provide general information to the public on their rights under data protection legislation.
- We will hold the minimum personal data necessary to carry out our functions, and we will make every effort to ensure accuracy of the data. Where we record opinions or intentions, these will be carefully and professionally expressed. Data which is no longer required will be securely destroyed in accordance with relevant retention and disposal schedules.
- An appropriate level of technical and organisational measures needed to ensure the security of the personal data will be assessed in accordance with the corporate Information Asset Classification Policy.
- We will only use personal data for the direct promotion or marketing of goods and services with the consent of the data subject.
- When appropriate, we will carry out data sharing with external agencies under a written information sharing agreement setting out the scope and limits of the sharing, and the safeguards to be put in place.
- We will only use data matching techniques for specific purposes, such as participating in the National Fraud Initiative and Troubled Families Programme, and in line with published Codes of Practice.
- All Local Authorities have a duty to improve the health of the population they serve. To help with this, we use data and information from a range of sources including hospital episodes and births and death registrations to understand more about the nature and causes of disease and ill-health in the area, alongside health and care needs. This data is processed in order to fulfil our requirements with regards to public health. The legal basis for the flow of health data is covered by Section 42(4) pf the SRSA (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2012.
- Where we intend to use personal data for data matching, we will inform people of this.
If you have any questions about your rights under the Data Protection Act 2018 or want to make a subject access request please contact the council's Information Governance Officer. Contact via email address email@example.com or write to Data Protection, Civic Centre, Newcastle upon Tyne NE1 8QH.
You can also get information leaflets from the Information Commissioner's web site at www.dataprotection.gov.uk or by telephone on 01625 545745.
You have the right to request that Newcastle City Council stop processing your personal data in relation to any council service. However, if this request is approved this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request but we may need to hold or process information in connection with one or more of the Council’s legal functions.
Newcastle City Council is a data controller required to notify under the Data Protection Act 2018. Our registration number is Z5827702 and you can view a copy of our register entry at www.ico.org.uk/esdwebpages/search or by appointment at the Civic Centre.
Relationship with other policies
The Data Protection policy is part of a set of Information Governance policies that form a basis for the correct management of the Council’s information resources.
The Information Governance Strategy sets out a framework for the effective management and protection of organisational and personal information.
The Freedom of Information Policy explains how we will comply with our obligations under the Freedom of Information Act and outlines our approach to responding to requests for information made under the Act.
The Information Security Policy ensures effective policing and secure management of all of our information assets, resources and IT systems.
The Records Management Policy establishes procedures for the effective management of records.
The Information Asset Classification Policy classifies information based on confidentiality, in order to decide on appropriate levels of protection for that information.
Directors / Heads of Service
- Appoint coordinators to be responsible for data protection compliance and requests
- Ensure that officers with responsibilities for data protection are supported in their work in terms of commitment and resources
- Ensure all staff comply with the agreed policy and procedures for data protection and attend training on these where necessary
- Recognise data protection issues in service planning and resource allocation
Freedom of Information and Data Protection Officer
- Develop and maintain the corporate data protection policy and procedures
- Provide advice and guidance on the data protection policy and procedures
- Provide training in data protection issues
- Co-ordinate subject access requests in conjunction with directorate coordinators
- Monitor and review the effectiveness of the policy and procedures
- Identify and communicate any data protection issues to directorates
- Report on compliance with the policy and procedures to BMG
- Ensure that the notification is renewed annually and kept up to date
FOI and data protection co-ordinators
- Promote the policy and procedures within their directorate
- Be aware of the requirements of the Data Protection Act and how they might impact on work within their directorate
- Ensure that subject access requests are handled effectively in their directorate, by logging and coordinating requests
- Be aware of the Data Protection Act and what it means to the Council
- Follow the policy and procedures for handling personal data
- Consult with the Freedom of Information and Data Protection Officer for advice and guidance when necessary
Monitoring and review
Compliance with this policy and related procedures will be monitored by the Freedom of Information and Data Protection Officer, working with the FOI and Data Protection Coordinators from each directorate.
Any deliberate breach of this policy or the Data Protection Act will be seen as misconduct and may be subject to action under the disciplinary procedure.
This policy will be reviewed by the Freedom of Information and Data Protection Officer on an annual basis.