Why does West Wratting Parish Council need to worry about data protection?
As part of its work, West Wratting Parish Council, and particularly its Clerk, comes into contact with information about individuals. As such, the council and individual councilors are subject to data protection legislation. On 25th May 2018 the Data Protection Act (1998) was replaced by a Europe-wide law called the General Data Protection Regulation (GDPR), which includes the Data Protection Act 2018 (DPA 2018). The GDPR sets out requirements for how organizations like Parish Councils need to handle personal data.
All parish councilors and the clerk must abide by the regulations on data protection. If we do, it means that:
- We know what personal data we hold and why we need it.
- We carefully consider and can justify how long we keep personal data.
- We regularly review our information and erase or anonymize personal data when we no longer need it.
- We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
- We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
As a small organization undertaking occasional low-risk data processing, West Wratting Parish Council does not need a documented retention policy. However, we must still regularly review the data we hold, and delete or anonymize anything we no longer need.
Under the GDPR, the Parish Council is both a Data Controller and a Data Processor. As a Data Controller, we must provide Privacy Notices explaining to individuals how their data will be used and what rights they have. These Privacy Notices may be viewed in the document table below.
The Parish Council intends to adopt a number of policy statements with regard to the collection, storage and use of personal data. These policy statements may be viewed in the document table below. They will be ratified at a forthcoming full council meeting.
Data Protection Officer
Section 7(3) of the DPA 2018 says that Parish Councils are not public authorities for the purposes of the GDPR, so WWPC does not need to appoint a Data Protection Officer (DPO). However, we are still subject to data protection legislation and we must ensure that we have sufficient understanding and resources to discharge our obligations under the GDPR.
Information Commissioner’s Office (ICO)
The Parish Council is registered as a Data Controller with the ICO. Our reference number is Z1387439. Our details can be seen on the public register here and in our registration entry details documents below.
Security under the GDPR
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
The Parish Council is currently carrying out a review in order to complete this assessment document, which details what data is held, how and why it is collected, and how the data is protected. To complement this log of personal data, we will also complete a GDPR risk assessment to identify how any risk to the security of personal data is managed. Both of these documents will be regularly reviewed.
Document Table
- ICO certificate
- General Privacy Policy
- Assessment of Personal Data Held (work in progress)
- GDPR Risk Assessment (work in progress)
- Checklist for Councilors