Data Protection Policy
Governance
Information Governance Team
To demonstrate our commitment to Data Protection and to enhance the effectiveness of our compliance efforts, Pembrokeshire County Council has established an Information Governance Team within the Audit, Risk & Information Service, which operates independently of other Council Services and support functions.
The role of the Data Protection Officer is to undertake either directly or via the Information Governance Team, the following tasks:
- To inform and advise Pembrokeshire County Council and its employees who carry out Processing pursuant to Data Protection Regulations, National Law or Union based Data Protection Provisions;
- Ensuring alignment of this policy with Data Protection Regulations, National Law or Union based Data Protection Provisions;
- Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIA’s) and monitor performance;
- Acting as a point of conduct for and cooperating with the Information Commissioners Office (ICO);
- Determining the need for notifications to the Information Commissioners Office (ICO) as a result of Pembrokeshire County Council’s current or intended Personal Data Processing activities;
- Have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing;
- The establishment and operation of a system providing prompt and appropriate responses to Data Subjects requests;
- Informing Senior Management, Members, and Officers of any potential corporate, civil and criminal penalties which may be levied against Pembrokeshire County Council and/or its Employees or Members for violation of applicable Data Protection laws;
- Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this Policy by any Third Party who:
- Provide Personal Data to Pembrokeshire County Council
- Receives Personal Data from Pembrokeshire County Council
- Has access to Personal Data collected or processed by Pembrokeshire County Council.
Policy Dissemination & Enforcement
The Corporate Management Team of Pembrokeshire County Council must ensure that all Pembrokeshire County Council Employees and Members responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.
Senior Management must make sure that all Third Parties engaged, on either a contractual or voluntary basis, to process personal data on behalf of the Council (i.e. Data Processors) are aware of and comply with the contents of this policy. Assurance and evidence of such compliance (including a site visit) must be obtained from all Third Parties, whether companies or individuals, prior to granting them access to Personal Data controlled by Pembrokeshire County Council.
Data Protection Training
All Pembrokeshire County Council employees will be required to undertake Data Protection Training on induction and as part of ongoing workplace training and development. There is a requirement to undertake the e-Learning training on an annual basis (based on expectations of the ICO). It is the responsibility of Service Managers to ensure that their staff have undertaken the training, understand their responsibilities and adhere to the Data Protection Policy, the IT Security Policy and supporting Procedural guidance.
Information Asset Owners will be provided with additional training on their responsibilities to ensure continued compliance with Data Protection requirements.
Data Protection by Design
To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, the Data Protection Officer should be advised and will need to approve the process before the change is implemented. The involvement of the Data Protection Officer must be sought at the outset.
As part of this process a Data Protection Impact Assessment (DPIA) must be conducted, the Information Governance Team will be able to assist with this. The subsequent findings of the DPIA must then be submitted to the Data Protection Officer for review and approval. The IT department will work closely with the Information Governance Team to assess the impact of any new technology uses on the security of Personal Data.
Compliance Monitoring
To confirm compliance with this policy and the requirements of the Data Protection Act 2018 and other Data Protection legislation, the Information Governance Team will undertake annual risk based compliance checks across the Council. The annual programme of compliance checks will be informed by the risk rating on the Information Asset Register and will be approved by the Data Protection Officer. Each compliance check will, as a minimum, assess:
- Compliance with Policy in relation to the protection of Personal Data, including:
- The assignment of responsibilities
- Raising awareness
- Training of Employees
- The effectiveness of Data Protection related operational practices, including:
- Security
- Data Subject rights
- Personal Data transfers
- Personal Data incident management
- Personal Data complaints handling
- The level of understanding of Data Protection policies and Privacy Notices
- The accuracy of Personal Data being stored
- Monitoring arrangements of Data Processor activities
- The adequacy of procedures for redressing poor compliance and Personal data Breaches.
The Information Governance Team, in cooperation with Heads of Service, will devise an action plan for correcting any identified deficiencies within a defined and reasonable timeframe. This will be monitored through the MKI automated system. Major deficiencies identified and non-compliance with agreed timescales will be reported to the Senior Information Risk Owner and Corporate Management Team.
Breach Reporting
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to, personal data. A data incident, is a breach of security that could have, but did not lead to one of the above.
All data breaches must be reported immediately to the Data Protection Officer via the Information Governance Team. To assist, an online form is available on the Intranet, please complete with as much information as possible and email it to dataprotection@pembrokeshire.gov.uk. The Data Protection Officer is responsible for assessing data breaches and making a decision on reporting to the Information Commissioners Office. Under the UK GDPR reportable data breaches must be reported to the Information Commissioners Office within 72 hours of the Council becoming aware that the breach has occurred. A risk assessment is undertaken by the Data Protection Officer to determine whether the breach is reportable, this will include undertaking preliminary investigations into the circumstances of the breach, therefore it is critical that the Data Protection Officer is notified immediately via the Information Governance Team. Failure to notify the ICO of a reportable breach within 72 hours of the Council becoming aware of it could result in a substantial fine, as well as a fine for the breach itself.
Please inform the Information Governance Team of any data incidents. This is really useful so that we can measure our risk and learn from such incidents and further strengthen our security arrangements.
Complaints
The Council is committed to providing the highest standards of integrity and security of personal data that it processes. However, if you are unhappy about the way that your personal data has been processed or the application of your rights under the Data Protection legislation, then please address your concerns to:
Data Protection Officer
Pembrokeshire County Council
County Hall
Haverfordwest
Pembrokeshire
SA61 1TP
Email: DataProtection@pembrokeshire.gov.uk
The Information Commissioner’s Office has developed a letter template (opens in a new tab) to assist you in raising your concerns.
We will endeavour to respond to your concerns within one calendar month of receipt.
If you remain unsatisfied with how we are managing your personal data or applying your rights under the Data Protection legislation then you may contact the Information Commissioners Office (opens in a new tab), or write to:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF