Principles of data protection

The basic principles of data protection are governed by the Data Protection Act 2018;

• Lawfulness, fairness and transparency

The Council has established a lawful basis for processing the personal data that it processes. 

The lawful bases for processing are set out in Article 6 of the UK GDPR.  At least one of these must apply whenever the Council processes personal data.

• Purpose limitation

The Council is clear to individuals about the purposes for which personal data is processed, such purposes are recorded and the data is not used for any purpose other than what it was obtained for. There are some exceptions in line with other legislation such as in the case of safeguarding or law enforcement.

• Data minimisation

The Council only processes personal data that is adequate, relevant, and limited to what is necessary for each purpose.

For example, data is not collected in the event that it might be useful one day.

• Accuracy

The Council takes all reasonable steps to ensure the personal data we hold is not incorrect or misleading.  If we discover personal data is inaccurate, we take reasonable steps to make corrections. 

• Storage limitation

Retention schedules are in place and publicly available so that individuals are informed as to how long their data will be retained.

• Integrity and confidentiality

All staff contracts include clauses on confidentiality.  The council identifies, assesses and manages information security risks and has various Information Security Policies that staff have to comply with.  The Council has written agreements with all third party service providers and processors that ensure the personal data that they access and process is protected and secure.

• Accountability

The Council has an organisational structure for managing data protection.  The Council's DPO is independent, an expert in data protection, and reports to the highest management level.