Data Protection Policy
Data Protection Policy
Introduction & Scope
Pembrokeshire County Council is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct. To demonstrate our commitment, Pembrokeshire County Council has signed up to the Personal Information Promise with the Information Commissioners Office.
This policy stipulates the expected behaviours of Pembrokeshire County Council Employees, Councillors, Volunteers, Partners, Contractors and commissioned Service Providers in relation to the collection, use, retention, sharing, disclosure and destruction of any Personal Data belonging to a Pembrokeshire County Council Contact (i.e. the Data Subject).
Personal Data is defined as any information relating to an identified or identifiable living individual (Data Subject). An identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process Personal Data. An organisation that handles Personal Data and makes decisions about its use is known as a Data Controller. Pembrokeshire County Council, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy. Non-compliance may expose Pembrokeshire County Council to complaints, regulatory action, fines and/or reputational damage.
As a Public Authority, Pembrokeshire County Council has a number of roles including (but not limited to) an Employer, Service Provider, exercising Statutory duties, Partner, and Commissioner. In order to undertake its business, the Council manages vast amounts of Personal Data. This Policy outlines the legal framework by which Personal Data will be managed by Pembrokeshire County Council.
Legislative Background
The General Data Protection Regulation (GDPR) was adopted on 14 April 2016 and came into force on 25 May 2018. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and European Economic Area. The GDPR provided national derogations for Member States to make exemptions for certain purposes. In light of the requirement to determine national derogations along with Britain’s planned exit from the European Union, the Data Protection Act 2018 came into force on 25 May 2018. The Data Protection Act 2018 enshrined the GDPR in British law and extended it to cover legal areas for which the EU did not have oversight.
As a result of the 2016 United Kingdom European Union membership referendum, the UK left the EU on 31 December 2020. After Brexit, the UK was no longer regulated domestically by the GDPR, which governs processing of personal data from individuals inside the EU. Instead, the UK now has its own version known as the UK GDPR (United Kingdom General Data Protection Regulation). The new UK GDPR and amended Data Protection Act 2018 took effect on 31 January 2021 {note that the EU GDPR still applies if an organisation is operating in the European Economic Area (EEA), offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA}.
In June 2021, the EU Commission announced that adequacy decisions for the UK had been approved. This meant the EU determined the UK’s data protection laws to be robust enough to ensure data can safely flow to the UK from the EU (the UK government has also approved transfers of data from the UK to the EU).
Application
This policy applies to all services, processes and functions undertaken by or on behalf of Pembrokeshire County Council where personal data is processed.
This will include personal data that forms part of a filing system, which is defined as any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographic basis. Manual (not automated) unstructured data (which does not form part of a file or formal record) is exempt from most of the act. All automated data (including emails, skype conversations, etc.) must comply with this policy.