Commitment to the general data protection principles

We (through officers) must:

  1. Process personal data fairly, transparently and only if there is a legal basis to do so.
    To comply with this officers must inform individuals when collecting their personal data (concisely and using clear and plain language so that they understand) of the following:
    1. that the council is the “data controller”
    2. our contact details
    3. why we are processing their information and in what way the law allows it
    4. if we [this will be rare] rely on our ‘legitimate interests’ for processing personal data we will tell them what those interests are
    5. the identity of any person/organisation to whom their personal data may be disclosed
    6. whether we intend to process their personal data outside the European Economic Area
    7. how long we will store their information
    8. their rights
  2. Only collect personal data for specified, explicit and legitimate purposes. Officers must not further process any personal data in a manner that is incompatible with the original purposes.
  3. Officers should be clear as to what the council will do with a person’s personal data and only use it in a way they would reasonably expect.
  4. Ensure that the personal data we collect is adequate, relevant and limited to what is necessary to carry out the purpose(s) it was obtained for.
  5. Officers should think about what the council is trying to achieve in collecting personal data. Officers must only collect the personal data that they need to fulfil that purpose(s) and no more. Officers must ensure that any personal data collected is adequate and relevant for the intended purpose(s).
  6. Ensure that the personal data we process is accurate and, where necessary, kept up to date.
  7. Officers must check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Officers must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.
  8. Keep personal data in a form that identifies individuals for no longer than is necessary for the purpose(s) that it was obtained.
  9. Officers should periodically review what personal data is held and erase/destroy or anonymise that which is no longer needed.
  10. Process personal data (whatever the source) in a manner that ensures appropriate security of the same including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This is elaborated upon in our information security policy/procedures/guidelines.

Accountability

We are responsible for and must be able to demonstrate that it complies with all the above principles. Officers should, always, be mindful of the need to be able to prove that processing is in accordance with the above principles.