Data protection policy

Introduction

The London Borough of Enfield (LBE) is required as part of its overall information governance structure to ensure that appropriate controls are implemented and maintained in relation to the collection, use and retention of personal information pertaining to its customers, clients and staff and that these are in accordance with the requirements of the current data protection law as enacted. (The Data Protection Act 2018 and the UK version of the GDPR, along with other legislation)

This document provides a framework for LBE officers to meet legal and corporate requirements in relation to information requests that fall within the scope of the legislation.

The Policy applies to all personal information created, received, stored, used and disposed of by the council irrespective of where or how it is held.

It must be noted that compliance is a legal requirement and that individuals can face prosecution for breaches of its Principles.

Aim of the policy

The aim of this document is to clarify LBE’s legal obligations and requirements for the processing of personal data and to ensure that all such data is:

LBE will actively seek to meet its obligations and duties in accordance with the law and in so doing will not infringe the rights of its employees, customers, third parties or others.

Scope

The scope of this policy requires compliance with the principles defined in law.

Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (UK GDPR Article 4).

Special category personal data is defined as personal data relating to any of the following. GDPR calls this 'special categories of personal data' (UK GDPR Article 9):

Special category personal data may only be stored or processed for a limited variety of purposes. All processing of special category personal data without a legal basis for use must be cleared by the Information Commissioner.

Criminal offence data is personal data relating to criminal convictions and offences or related security measures. (UK GDPR Article 10).

Criminal offence data can only be processed:

All personal data must be protected. Special category personal data and criminal offence data may require special protection measures.

Changes to use or new uses of personal data require consultation with the Data Protection Officer. Their advice must be recorded and if dissented from, the dissent and alternate action taken recorded.

Data protection principles

The UK GDPR includes principles which must be adhered to whenever personal data is processed. Processing includes obtaining, recording, using, holding, disclosing and deleting personal data.

All personnel processing personal information must ensure they adhere to the principles as defined in the data protection law which require that information is:

Further information on the principles can be found on the Information Commissioner’s Office website.

The Information Commissioner’s Office

The Information Commissioner administers data protection in the UK. The role and duties of the Commissioner include:

The law gives the Information Commissioner wide powers to ensure compliance, including warrants to search and seize documents and equipment.

Access and use of personal data

This policy applies to everyone that has access to personal data, and includes any third party or individual who conducts work on behalf of LBE or who has access to personal data for which LBE is responsible and who will be required contractually or otherwise to comply with this policy.

The Policy is also applicable to Members who create records in their capacity as representative of the council. When Members create records when acting as representatives of a resident in their ward they are recommended to apply the policy but officers should consider whether it has been correctly applied on receipt of a member’s’ enquiry. It does not apply to those records Members create when acting as a representative of a political party. Note that Members processing personal data not on behalf of the council will need their own registration with the ICO.

Deliberate unauthorised access to, copying, disclosure, destruction or alteration of or interference with any computer equipment or data is strictly forbidden and may constitute a criminal and/or a disciplinary offence.

It is an offence for any person to knowingly or recklessly obtain, procure or disclose personal data, without the permission of the data controller (LBE) subject to certain exceptions.

It is also an offence for someone to sell or offer to sell personal data.

All data subjects are entitled to:

These rights are not absolute, and only apply in certain circumstances. The Data Protection Officer should be consulted where rights exercise is unclear.

Data subjects have additional rights when the council is using personal data for:

LBE will ensure that compliance with this policy is monitored and the council is able to evidence that it is complying with its legal responsibilities with respect to its staff and customers.

Council’s commitment

To achieve the overall aim of the Data Protection Policy the council will:

Monitor and review compliance with legislation and introduce changes to policies and procedures where necessary.

Roles and responsibilities

The Data Subjects are those natural persons about whom the authority retains information.

Ultimate accountability for all decisions made relating to Data Protection lies with the Chief Executive.

The Executive Management Team (EMT) is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how LBE carries out its obligations under the legislation. Each Director is responsible for monitoring compliance within their service area and taking any necessary corrective action.

The Information Governance Board (IGB) monitors, oversees, reports and makes recommendations to EMT on all strategic level data protection issues.

The Complaints and Information Manager (CIM) has the role of handling requests for data (SARs, FOIs, EIRs etc.) and complaints about the authority’s use of data. The officer will also maintain and provide reporting to IGB/EMT/council on these issues. The CIM acts as the liaison between the ICO and council on complaints concerning SARs, FOIs, EIRs etc. and acts as independent reviewer/advisor on these issues.

The Data Protection Officer (DPO) will provide advice and guidance in conjunction with Legal Services on legal compliance and best practice. Advice of the DPO must be sought for all new or changed data uses. This advice must be formally recorded and if not followed, this fact must also be recorded. The DPO acts as the liaison between the ICO and the council on complaints concerning Data Breaches, and acts as independent reviewer/advisor on these issues. The officer also provides a lead for raising awareness of Data Protection issues.

Departmental Data Coordinators (DDC) are the central contact within their respective department with respect to compliance. DDCs will process requests and complaints as required by the CIM and ensure that the Register of Processing Activities (Departmental Data Registers) required for compliance with GDPR Article 30 are maintained. The DDCs also represent their department in the monthly corporate Information Governance Board meetings.

Information/System Owners have a responsibility to ensure that data stored on systems is captured, stored, processed, accessed and deleted in line with the law and the council’s Retention schedule. They are additionally responsible for ensuring that the recording of all statutory requirements are kept up to date, and reviewed at least annually.

The Manager of a team/s or service is directly responsible for compliance with the Act within their business areas and ensuring adherence by their staff

All LBE employees and personnel working with personal data have a responsibility to ensure that they have sufficient awareness of the DPA so that they are able to comply with the requirements of the DPA.

Responsibilities of staff and members

The processing of personal data is to be compliant with legal, industry, regulatory and business requirements. It is the responsibility of staff and Members to be aware of and conversant with these requirements for the processing and management of personal data in an appropriate manner.

Staff and Members will need to be aware of how LBE safeguards its data and ensure that the appropriate protective marking is applied to all information. In most cases personal information about any living individual will attract the classification of OFFICIAL, but in some cases it will be OFFICIAL-SENSITIVE, for example when the information could put someone at risk. For more information on the classification and handling of personal information please refer to LBE’s Information Classification and Handling Policy.

Some data supplied by others will have handling requirements beyond LBE’s OFFICIALSENSITIVE criteria. Staff involved must be made aware of this by the Information/System Owners and are then responsible for handling it correctly.

The following minimum requirements are applied to everyone who comes into contact with personal data:

Data Controller

In accordance with the DPA, LBE as a corporate body is the Data Controller and is therefore ultimately responsible, through the appointed Data Protection Officer or the person fulfilling that role, for the implementation of this policy.

LBE will also appoint designated Departmental Data Coordinators who are responsible for the day-to-day management of the data within their business areas of responsibility to ensure that compliance with law and documentation of personal data use is maintained.

Designated Departmental Data Coordinators will be present in all departments.

Data Protection Officer

The DPO is responsible for fulfilling the role as documented in the data protection regulations.

The DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The DPO is invited to participate regularly in meetings of senior and middle management. His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.

The opinion of the DPO must always be given due weight. In case of disagreement, the reasons for not following the DPO’s advice must be recorded and formally communicated.

The DPO must be promptly consulted once a data breach or another incident has occurred.

The DPO will keep DDCs and Business Managers informed of data protection issues pertaining to LBE, including any changes in legislation that might impact business processes.

The DPO will ensure that Data Privacy and Cyber Security training is available to staff and that a record of completion is maintained.

Departmental data coordinator

DDCs will work with the respective business areas in their Department to facilitate the daily activities and management responsibilities under the law.

DDCs must inform the DPO of any proposed new or changed uses of personal information within their business unit before any change in process or additional information collection is authorised. Any changes must be reflected in the Register of Processing Activities (Departmental Data Registers). The DDCs are responsible for ensuring this is carried out and passing the revisions to the DPO for review.

DDCs must regularly review the content and use(s) of personal information within their Department’s business units, and confirm to the DPO that the information held is complaint with current law by updating the Register of Processing Activities (Departmental Data Registers) on at least a biennial basis (every 2 years).

DDCs must ensure that members of staff and contractors under the control of their Departmental business units are conversant with their responsibilities under the law, and that they know the procedures to follow when handling, releasing and disposing of information

The CIM is responsible to ensure that SARs and other requests for information are processed within the required time limits.

Training and awareness

All council employees have a responsibility to ensure that they and the staff they manage have undertaken the corporate Data Privacy and Cyber Security training and have sufficient awareness of the law so that they are able to comply with the requirements.

It is mandatory that all LBE staff (including temporary or casual workers and volunteers) that have access to personal data or to the corporate network to undertake the corporate Data Privacy and Cyber Security training. New entrants will be expected to undertake and successfully complete the module as part of the corporate induction process. Established staff will be expected to undertake and complete refresher training as directed.

Managers should encourage and make time for their staff to attend any further Data Privacy and Cyber Security training or awareness opportunities that may arise.

Failure to complete the courses within the prescribed period could result in disciplinary action proceedings.

Collection of data

LBE collects and records personal data from various sources, including that obtained or provided by the data subjects themselves.

In some instances data may be collected indirectly through monitoring devices, including but not limited to: door access control systems, CCTV, personal recording devices and physical security logs or electronic monitoring systems. For further detail refer to LBE’s Information Security Policy.

Accuracy and relevance

It is the responsibility of those who receive personal information to ensure so far as possible, that it is accurate and up to date. Personal information should be checked at regular intervals, to ensure that it is still accurate.

Rights to access, correct and remove information

If the information is found to be inaccurate, steps must be taken to rectify it. Individuals who input or update information must also ensure that it is adequate, relevant, unambiguous and professionally worded. Data subjects have a right to access personal data held about them and have inaccuracies corrected.

Data subjects have the right to access any personal information (data) about them that is held.

Data subjects also have the right to have data about themselves corrected or erased subject to certain conditions.

LBE aims to comply with requests as quickly as possible but will ensure that it is provided within one calendar month unless there is a good reason for any delay. In such cases the reason for a delay will be explained in writing to the person making the request.

A record of requests relating to corrections and erasure is held by the CIM where such requests were formally made.

Fair and lawful processing

When LBE processes personal data, it must have a legal basis for doing so or a freely given, positive consent. The law provides a list of conditions to ensure that personal information is processed fairly and lawfully:

Individuals that supply LBE with personal information are provided with a ‘Privacy Notice’ (or online privacy statement) at time of data collection, repeated at time of SAR, which communicates the following:

Data sharing

Where LBE shares personal information with any third party a ‘Data Sharing Agreement’ or ‘Data Processing Agreement’ must exist as part of a formally documented written agreement or contract.

A ‘Data Sharing Agreement’ is required if the information supplied is being used to fulfil requirements of the recipient.

A ‘Data Processing Agreement’ is required if the information supplied is being used only to fulfil LBE requirements and not used otherwise by the recipient.

Where the other party uses the personal information for its own purposes (Data Sharing):

Where the processing of personal information with a third party is required by law, procedures are to ensure that the protocols and controls for the sharing of the data are documented, regularly reviewed and verified.

Requests for personal information from the Police or other enforcement agencies can be considered where the purpose is for the prevention or detection of a crime and or the collection of taxes. It should be noted however that the council is generally under no obligation to do so. Before providing the information, the requesting agency must provide a sufficient explanation of why the information is necessary to the extent that not providing it may prejudice an investigation. This is to satisfy the relevant information holder that the disclosure is necessary. The request must be formally authorised by a senior officer from the requesting agency. If the information is to be disclosed, the disclosure must be authorised by the relevant Head of service (or above) and a note for the record should be made of the details about the disclosure with an explanation of why the disclosure is appropriate.

NHS national data opt-out

The NHS has adopted a national data opt-out policy that we are required to follow.

This requirement applies to all data sharing agreements involving NHS data under section 18 above where data is for planning and research purposes including data released under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002.

The consultation with the Data Protection Officer noted in 3.4 above will include reviewing any such use to ensure that the National Data Opt-Out does not apply. If it does, processes will be required to ensure that the opt-out is respected.

Data retention and disposal

LBE must ensure that personal information is not kept for any longer than is necessary. This is to adhere to any legal, regulatory or specific business justification.

LBE will retain some forms of information longer than others, but all decisions are to be based upon business requirements - details can be found in the Record Retention Schedule.

Data relating to clients is only to be retained for as long as a business justification remains.

When disposing of information, equipment or media, the Confidential Waste Disposal Policy should be adhered to.

The retention criteria must be imposed on third parties with who data is shared.

Transfer outside of the UK

To ensure an adequate level of protection is applied to personal information transferred or processed outside the UK contracts are to include conditions relating to the specific requirements for the protection of the information.

LBE is responsible for ensuring that ‘due diligence’ is conducted on the other party, and that adequate and appropriate controls and safeguards are applied for the transfer of the personal information.

Companies outside the UK are to be required to apply the same controls and requirements as applied within the UK unless they can demonstrate other adequate procedures are implemented to protect the personal information as part of the ‘due diligence’ process. Periodic reviews of the same are to be conducted to ensure adherence is maintained.

Processing is only permissible in countries with a decision of adequacy from the UK Information Commissioner, unless other measures are put in place.

There are specific issues with Cloud processing covered in the Use of Cloud Security Policy.

Data received by LBE from third parties may have specific storage and use rules that may further restrict where it can be stored or processed (for example, health data cannot be stored outside England and Wales).

Violations

Unauthorised disclosure of personal data is a disciplinary matter that may be considered a gross misconduct and could lead to termination of employment.

In the case of third parties unauthorised disclosure could lead to termination of the contractual relationship and in certain circumstances this could give rise to legal proceedings.

Any failure to follow this Policy must be treated as an incident and investigated in accordance with the Security Incident Reporting Procedure.

Supporting policies

This policy should be read in conjunction with the following policies and procedures:

Glossary

CIM - Complaints and Information Manager. Responsible for handling requests for data and complaints for the authority in conjunction with the DPO.

DDC - Departmental Data Coordinators - the central contact within their respective department with respect to compliance.

DPA - Data Protection Act 2018.

DPO - Data Protection Officer. The role created by Article 38 of the GDPR and formally tasked by Article 39 to:

EEA - European Economic Area.

EIR - Environmental Information Request. A formal request for information about environmental matters under the statutory instrument Environmental Information Regulations 2004 (which is sometimes also called EIR).

EMT - Executive Management Team - is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how LBE carries out its obligations under the legislation.

FOI - Freedom of Information Request. A formal request for information about authority business under FOIA.

FOIA - Freedom of Information Act 2000.

GDPR - The General Data Protection Regulation. Formally REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The UK GDPR applies in the UK for UK residents, and the original EU GDPR for any processing relating to a person resident in the EEA after that date.

ICO - Information Commissioner or Office of the Information Commissioner. The UK responsible authority for data protection.

IGB - Information Governance Board - monitors, oversees, reports and makes recommendations to EMT on all strategic level data protection issues.

Information or system owners - Have responsibility to ensure that data stored on systems is captured, stored, processed, accessed and deleted in line with the law and the council’s Retention Schedule. They are additionally responsible for ensuring that the recording of all statutory requirements are kept up to date, and reviewed at least annually.

LBE - London Borough of Enfield.

SAR - Subject Access Request. A formal request for information about a person made under Article 15 of the GDPR.

UK GDPR - The adopted version of the GDPR from the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and subsequent regulations.


Policy details

Author – Data Protection Officer
Owner – Information and Data Governance Board
Version – 2.5
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 04.10.2012
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up