Introduction

This document sets out Crawley Borough Council’s Data Protection Policy and how it complies with the Data Protection Act 2018 (the Act) and the General Data Protection Regulation (GDPR).

The Act and the GDPR regulate the way in which personal data about individuals, whether held in a computer or in a manual filing system, is obtained, stored, used, disclosed and destroyed. This policy applies to anyone working with personal data that is controlled or processed by or on behalf of Crawley Borough Council, including all staff and elected members of the council.

The council expects all staff, elected members and anyone who processes personal data on its behalf to comply with this policy and the data protection principles.

The GDPR makes a distinction between personal data and special category data, as defined below.

‘Personal data’ means any data or information in paper or in digital format, relating to a living individual.

‘Special category data’ is defined as personal data consisting of information as to:

  • racial or ethnic origin
  • political opinion
  • religious or philosophical beliefs
  • trade union membership
  • physical or mental health or condition
  • sexual life or sexual orientation
  • biometric data

Policy statement

The council needs to collect and use information about people with whom it works in order to operate and carry out its functions. These may include members of the public, current, past and prospective employees, elected members, customers and suppliers. In addition, the council may be required by law to collect and use information in order to comply with the requirements of central government. This personal information must be handled and dealt with properly, however it is collected, recorded and used.

Crawley Borough Council regards the lawful and appropriate treatment of personal information as very important to the success and effectiveness of its operations and essential to maintaining confidence between the council and those with whom it carries out business. It is essential that it respects the rights of all persons whose personal information it holds, treats personal information lawfully in accordance with the Act and the GDPR, and is able to show that this is the case.

Crawley Borough Council will comply with the Act and the GDPR principles and ensure that personal data is:

  • processed fairly and lawfully and in a transparent manner
  • obtained for one or more specified, explicit and lawful purposes
  • used in the most efficient and effective way to deliver better service
  • adequate, relevant and only limited to what is required
  • accurate and, where necessary, kept up to date
  • not kept in a form which permits identification of data subjects for longer than is necessary
  • processed in accordance with the rights of data subjects
  • processed in a manner that ensures appropriate security of the personal data
  • kept secure to safeguard information (including unauthorised or unlawful processing or accidental loss)

The data protection principles

Crawley Borough Council will abide by the six data protection principles as set out below.

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (‘purpose limitation’)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

Roles and responsibilities

The council is a data controller under the Act and the GDPR and must comply with the data protection principles and be able to demonstrate compliance.

The council’s Data Protection Officer (DPO) is the Head of Legal and Democratic Services, and the Deputy Data Protection Officer (DDPO) is the Legal Services Manager.

The DPO is responsible for the provision of advice, guidance, training and monitoring of compliance with data protection legislation including liaison with the Information Commissioner. The DPO will be responsible for keeping this document up to date.

The council’s Corporate Information Governance Group is responsible for approving this policy and for managing compliance with the Act and the GDPR.

Overall responsibility for the Act and the GDPR will rest with the Chief Executive, Corporate Management team and the council’s Corporate Information Governance Group in consultation with the Data Protection Officer.

Heads of service will have overall responsibility for ensuring operational compliance with this policy for the services that they are responsible for.

All employees of the council will be responsible for ensuring that subject access requests are dealt with in accordance with this policy and that personal data is processed appropriately. All employees are responsible for ensuring that personal data which they use or process is kept secure and is not disclosed to any unauthorised person or organisation. Access to personal data should only be given to those who have and can show a need for access to the data for the purpose of their duties.

Personal data security breaches will be dealt with in accordance with the council’s data breach management process. All staff will be aware of this process, which is accessible on the Crawley Borough Council intranet, and will follow it. Serious breaches where there is a high risk to the rights of the individual will be reported to the Information Commissioner’s Office by the Data Protection Officer.

Where an elected member has access to and processes information on behalf of the council, the member does so under the council’s registration and therefore must comply with this policy. When members process personal data whilst acting as representatives of their constituents in their wards or whilst representing a political party they do so as data controllers registered separately with the ICO.

Internal Audit will be responsible for undertaking reviews to assess the procedures and practices relating to data protection.

Data subjects’ rights

Data subjects, which include the public, staff and members, have the following rights in relation to their personal data:

  • to be informed about what data is held, why it is being processed and who it is shared with
  • to access their data
  • to rectification of the record
  • to erasure of their data
  • to restrict processing
  • to data portability
  • to object to processing
  • not to be subject to automated decision-making including profiling

The Data Protection Officer will ensure appropriate processes are in place to ensure the council enables the exercise of any of these rights.

Subject access requests (SAR)

Requests for access to personal data (SAR) are processed by the Data Protection Officer. There will be no charge for this unless the request is excessive or repetitive, manifestly unfounded, or you request copies of the same information, in which case the council will charge a fee based on the administrative cost.

Requests must be in writing.

The council aims to respond promptly to a subject access request and no later than the statutory time limit.

However, if the council considers the request to be complex, the time may be extended by up to two calendar months. In this instance, the council will notify the applicant in writing that the SAR requires further time and will provide an estimate of a reasonable time by which they can expect a response. These estimates shall be realistic and reasonable, taking into account the circumstances of each particular case.

Disclosure to third parties

Personal data may need to be shared with other organisations or third parties in order for the council to deliver services or perform its duties. The council will only share personal data with other organisations and third parties where the sharing is necessary to achieve a clear objective and it is fair and lawful to do so. Data sharing agreements should be completed when setting up ‘on-going’ or ‘routine’ information sharing arrangements with third parties. They are not needed when information is shared in one-off circumstances, but a record of the decision and the reasons for sharing the information should be kept.

The council will maintain a register of all data sharing agreements.

Compliance

The council will ensure that services document what personal data is held by the service, where it came from, who it is shared with, how long it is to be kept, and the purpose and legal basis for collecting that data.

The council has an overarching data protection privacy notice and a range of service specific privacy notices which explain the following:

  • name and contact details of the Data Controller and Data Protection Officer
  • the purpose and legal basis for processing the data
  • retention periods
  • the identity of those with whom data is shared
  • individuals’ rights

Where processing is reliant on consent from an individual whose data is held, the council will ensure consent is obtained and is current and actively managed. Consents will contain a positive opt-in with a mechanism to allow withdrawal of consent.

Legal advice, training and guidance will be given to council staff and elected members on data protection.

This policy will be reviewed at the end of the first six months following the implementation of the Act and the GDPR and thereafter annually by the Corporate Information Governance Group.

It will be the responsibility of staff to complete a Privacy Impact Assessment (PIA) in the following situations that involve personal data:

  • at the beginning of a new project or when implementing a new system
  • when major changes are introduced into a system or process

A PIA should be carried out at an early stage in the development of proposals.

Complaints

Where an applicant is dissatisfied with the level of service they have received on data protection matters, they are entitled to complain about the actions of the council through the council’s complaints procedure. This can be done by email, by completing a feedback form, or by writing to the council at:

Crawley Borough Council
Town Hall
The Boulevard
Crawley
West Sussex
RH10 1DU

If you remain dissatisfied with the council’s reply, you have the option of taking your complaint to the Information Commissioner (at the address below) who will independently adjudicate each case and make a final decision.

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: casework@ico.org.uk
Telephone: 01625 545700

Appendix: definition of terms

To aid understanding of this document and the provisions of the Data Protection Act, the following definitions are provided:

Data - any information held or recorded in any form by a public authority.

Automated decision-making - a decision made without human intervention solely by automatic means.

Data controller - the council as the organisation who determines how data is processed.

Data processor - any person, other than an employee of the council, who processes data on behalf of the data controller, for example someone contracted to the council to print documents containing personal data.

Data subject - the individual about whom personal data is processed.

Personal data - data which relates to a living individual who can be identified:

(a) either directly from that data, or

(b) indirectly from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Privacy notice - a notice created by the data controller and made available to the data subject which explains how personal data is being processed.

Special category data (sensitive personal data) - personal data consisting of information as to any of the following:

  • racial or ethnic origin
  • political opinion
  • religious beliefs or other beliefs of a similar nature
  • membership of a trade union
  • genetics
  • biometrics (where used for ID purposes)
  • physical or mental health or condition
  • sexual life or sexual orientation
  • personal data relating to criminal allegations, proceedings or convictions

Processing - obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data including organisation, adaptation or alteration, disclosure and destruction of the information or data and includes onward disclosure or sharing.

Profiling - the creation, manipulation, collation or bringing together of information held or acquired about an individual for the purpose of recording or predicting an individual’s conduct or behaviour.