Data protection policy

Introduction

The London Borough of Enfield (LBE) is required as part of its overall information governance structure to ensure that appropriate controls are implemented and maintained in relation to the collection, use and retention of personal information pertaining to its customers, clients and staff and that these are in accordance with the requirements of the current data protection law as enacted. (The Data Protection Act 2018 and the UK version of the GDPR, along with other legislation)

This document provides a framework for LBE officers to meet legal and corporate requirements in relation to information requests that fall within the scope of the legislation.

The Policy applies to all personal information created, received, stored, used and disposed of by the council irrespective of where or how it is held.

It must be noted that compliance is a legal requirement and that individuals can face prosecution for breaches of its Principles.

Aim of the policy

The aim of this document is to clarify LBE’s legal obligations and requirements for the processing of personal data and to ensure that all such data is:

• collected, stored and processed for justifiable business reasons
• has appropriate legal basis or informed consent for use, and is not combined with other data or used for other purposes without appropriate legal basis or consent
• used only by those persons with a legitimate reason for access
• stored safely
• retained only for the defined time period
• not disclosed to unauthorised persons, and transfers to authorised persons recorded

LBE will actively seek to meet its obligations and duties in accordance with the law and in so doing will not infringe the rights of its employees, customers, third parties or others.

Scope

The scope of this policy requires compliance with the principles defined in law.

Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (UK GDPR Article 4).

Special category personal data is defined as personal data relating to any of the following. GDPR calls this 'special categories of personal data' (UK GDPR Article 9):

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic or biometric data for the purpose of uniquely identifying a natural person
• Data concerning health
• Sex life or sexual orientation

Special category personal data may only be stored or processed for a limited variety of purposes. All processing of special category personal data without a legal basis for use must be cleared by the Information Commissioner.

Criminal offence data is personal data relating to criminal convictions and offences or related security measures. (UK GDPR Article 10).

Criminal offence data can only be processed:

• under the control of official authority, or
• if authorised by domestic law - this means that one of the conditions in Schedule 1 of the DPA 2018 is met

All personal data must be protected. Special category personal data and criminal offence data may require special protection measures.

Changes to use or new uses of personal data require consultation with the Data Protection Officer. Their advice must be recorded and if dissented from, the dissent and alternate action taken recorded.

Data protection principles

The UK GDPR includes principles which must be adhered to whenever personal data is processed. Processing includes obtaining, recording, using, holding, disclosing and deleting personal data.

All personnel processing personal information must ensure they adhere to the principles as defined in the data protection law which require that information is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Further information on the principles can be found on the Information Commissioner’s Office website.

The Information Commissioner’s Office

The Information Commissioner administers data protection in the UK. The role and duties of the Commissioner include:

• ensuring compliance with the law
• ensuring that individuals rights to privacy are respected
• ensuring that individuals have access to data held about themselves
• establishing and maintaining a Register of data users and making it publicly available
• investigating complaints, serving notices on registered data users who are contravening the principles of the regulations, and where appropriate prosecute offenders

The law gives the Information Commissioner wide powers to ensure compliance, including warrants to search and seize documents and equipment.

Access and use of personal data

This policy applies to everyone that has access to personal data, and includes any third party or individual who conducts work on behalf of LBE or who has access to personal data for which LBE is responsible and who will be required contractually or otherwise to comply with this policy.

The Policy is also applicable to Members who create records in their capacity as representative of the council. When Members create records when acting as representatives of a resident in their ward they are recommended to apply the policy but officers should consider whether it has been correctly applied on receipt of a member’s’ enquiry. It does not apply to those records Members create when acting as a representative of a political party. Note that Members processing personal data not on behalf of the council will need their own registration with the ICO.

Deliberate unauthorised access to, copying, disclosure, destruction or alteration of or interference with any computer equipment or data is strictly forbidden and may constitute a criminal and/or a disciplinary offence.

It is an offence for any person to knowingly or recklessly obtain, procure or disclose personal data, without the permission of the data controller (LBE) subject to certain exceptions.

It is also an offence for someone to sell or offer to sell personal data.

All data subjects are entitled to:

• be informed about how data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of data
• data portability (allowing subjects to get and reuse data for different services)
• object to how data is processed in certain circumstances

These rights are not absolute, and only apply in certain circumstances. The Data Protection Officer should be consulted where rights exercise is unclear.

Data subjects have additional rights when the council is using personal data for:

• automated decision-making processes (without human involvement)
• profiling, for example to predict behaviour or interests

LBE will ensure that compliance with this policy is monitored and the council is able to evidence that it is complying with its legal responsibilities with respect to its staff and customers.

Council’s commitment

To achieve the overall aim of the Data Protection Policy the council will:

• provide adequate resources to support an effective corporate approach to Data Protection
• respect the confidentiality of all personal information irrespective of source
• publicise the council's commitment to Data Protection
• compile and maintain appropriate procedures and codes of practice
• promote general awareness and provide specific training, advice and guidance to its staff at all levels and to its Members to ensure standards are met

Monitor and review compliance with legislation and introduce changes to policies and procedures where necessary.

Roles and responsibilities

The Data Subjects are those natural persons about whom the authority retains information.

Ultimate accountability for all decisions made relating to Data Protection lies with the Chief Executive.

The Executive Management Team (EMT) is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how LBE carries out its obligations under the legislation. Each Director is responsible for monitoring compliance within their service area and taking any necessary corrective action.

The Information Governance Board (IGB) monitors, oversees, reports and makes recommendations to EMT on all strategic level data protection issues.

The Complaints and Information Manager (CIM) has the role of handling requests for data (SARs, FOIs, EIRs etc.) and complaints about the authority’s use of data. The officer will also maintain and provide reporting to IGB/EMT/council on these issues. The CIM acts as the liaison between the ICO and council on complaints concerning SARs, FOIs, EIRs etc. and acts as independent reviewer/advisor on these issues.

The Data Protection Officer (DPO) will provide advice and guidance in conjunction with Legal Services on legal compliance and best practice. Advice of the DPO must be sought for all new or changed data uses. This advice must be formally recorded and if not followed, this fact must also be recorded. The DPO acts as the liaison between the ICO and the council on complaints concerning Data Breaches, and acts as independent reviewer/advisor on these issues. The officer also provides a lead for raising awareness of Data Protection issues.

Departmental Data Coordinators (DDC) are the central contact within their respective department with respect to compliance. DDCs will process requests and complaints as required by the CIM and ensure that the Register of Processing Activities (Departmental Data Registers) required for compliance with GDPR Article 30 are maintained. The DDCs also represent their department in the monthly corporate Information Governance Board meetings.

Information/System Owners have a responsibility to ensure that data stored on systems is captured, stored, processed, accessed and deleted in line with the law and the council’s Retention schedule. They are additionally responsible for ensuring that the recording of all statutory requirements are kept up to date, and reviewed at least annually.

The Manager of a team/s or service is directly responsible for compliance with the Act within their business areas and ensuring adherence by their staff

All LBE employees and personnel working with personal data have a responsibility to ensure that they have sufficient awareness of the DPA so that they are able to comply with the requirements of the DPA.

Responsibilities of staff and members

The processing of personal data is to be compliant with legal, industry, regulatory and business requirements. It is the responsibility of staff and Members to be aware of and conversant with these requirements for the processing and management of personal data in an appropriate manner.

Staff and Members will need to be aware of how LBE safeguards its data and ensure that the appropriate protective marking is applied to all information. In most cases personal information about any living individual will attract the classification of OFFICIAL, but in some cases it will be OFFICIAL-SENSITIVE, for example when the information could put someone at risk. For more information on the classification and handling of personal information please refer to LBE’s Information Classification and Handling Policy.

Some data supplied by others will have handling requirements beyond LBE’s OFFICIALSENSITIVE criteria. Staff involved must be made aware of this by the Information/System Owners and are then responsible for handling it correctly.

The following minimum requirements are applied to everyone who comes into contact with personal data:

• Staff/Members are to ensure that personal data is to be processed accurately
• When not required for immediate use personal data is to be secured from unauthorised viewing and access
• Personal data must not be sent to/from personal/staff/member home email accounts
• Personal information can only be distributed externally if it is:
  • being sent to someone with an appropriate data sharing or processing agreement with the council, a legal right to access and a need to know
  • sent via encrypted email or otherwise securely distributed as set in policy by the Information Governance Board
• Computer systems that process, access or store such data are to have password protected screen savers activated when left unattended, and all data should be encrypted at rest and in transit
• The carrying of personal, special category or confidential information outside secure office environments should be avoided wherever possible. If this is unavoidable, then encryption of the device and device management by LBE is mandatory. Paper based documents holding personal or special category information must be concealed from public view in transit and held securely when stored.
• The use of personal data in test or training environments is expressly forbidden. If test data is required, anonymised or dummy data should be used in accordance with ICO guidelines.
• When no longer required to be retained all personal data is to be disposed of securely, by shredding or via secure waste disposal
• Personal data may not be stored on removable media devices without explicit management approval and appropriate encryption controls. Such data is to be removed from the removable media in accordance with council’s IT Waste Handling recommendations as soon as practically possible.
• The discussion of personal data with unauthorised persons either inside or outside LBE is expressly prohibited. This also includes, but is not limited to, email, social networking sites, blogs, forums, instant messaging services, chat rooms.
• Staff are required to complete the Data Privacy and Cyber Security training on joining the organisation and as required thereafter

Data Controller

In accordance with the DPA, LBE as a corporate body is the Data Controller and is therefore ultimately responsible, through the appointed Data Protection Officer or the person fulfilling that role, for the implementation of this policy.

LBE will also appoint designated Departmental Data Coordinators who are responsible for the day-to-day management of the data within their business areas of responsibility to ensure that compliance with law and documentation of personal data use is maintained.

Designated Departmental Data Coordinators will be present in all departments.

Data Protection Officer

The DPO is responsible for fulfilling the role as documented in the data protection regulations.

The DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The DPO is invited to participate regularly in meetings of senior and middle management. His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide adequate advice.

The opinion of the DPO must always be given due weight. In case of disagreement, the reasons for not following the DPO’s advice must be recorded and formally communicated.

The DPO must be promptly consulted once a data breach or another incident has occurred.

The DPO will keep DDCs and Business Managers informed of data protection issues pertaining to LBE, including any changes in legislation that might impact business processes.

The DPO will ensure that Data Privacy and Cyber Security training is available to staff and that a record of completion is maintained.

Departmental data coordinator

DDCs will work with the respective business areas in their Department to facilitate the daily activities and management responsibilities under the law.

DDCs must inform the DPO of any proposed new or changed uses of personal information within their business unit before any change in process or additional information collection is authorised. Any changes must be reflected in the Register of Processing Activities (Departmental Data Registers). The DDCs are responsible for ensuring this is carried out and passing the revisions to the DPO for review.

DDCs must regularly review the content and use(s) of personal information within their Department’s business units, and confirm to the DPO that the information held is complaint with current law by updating the Register of Processing Activities (Departmental Data Registers) on at least a biennial basis (every 2 years).

DDCs must ensure that members of staff and contractors under the control of their Departmental business units are conversant with their responsibilities under the law, and that they know the procedures to follow when handling, releasing and disposing of information

The CIM is responsible to ensure that SARs and other requests for information are processed within the required time limits.

Training and awareness

All council employees have a responsibility to ensure that they and the staff they manage have undertaken the corporate Data Privacy and Cyber Security training and have sufficient awareness of the law so that they are able to comply with the requirements.

It is mandatory that all LBE staff (including temporary or casual workers and volunteers) that have access to personal data or to the corporate network to undertake the corporate Data Privacy and Cyber Security training. New entrants will be expected to undertake and successfully complete the module as part of the corporate induction process. Established staff will be expected to undertake and complete refresher training as directed.

Managers should encourage and make time for their staff to attend any further Data Privacy and Cyber Security training or awareness opportunities that may arise.

Failure to complete the courses within the prescribed period could result in disciplinary action proceedings.

Collection of data

LBE collects and records personal data from various sources, including that obtained or provided by the data subjects themselves.

In some instances data may be collected indirectly through monitoring devices, including but not limited to: door access control systems, CCTV, personal recording devices and physical security logs or electronic monitoring systems. For further detail refer to LBE’s Information Security Policy.

Accuracy and relevance

It is the responsibility of those who receive personal information to ensure so far as possible, that it is accurate and up to date. Personal information should be checked at regular intervals, to ensure that it is still accurate.

Rights to access, correct and remove information

If the information is found to be inaccurate, steps must be taken to rectify it. Individuals who input or update information must also ensure that it is adequate, relevant, unambiguous and professionally worded. Data subjects have a right to access personal data held about them and have inaccuracies corrected.

Data subjects have the right to access any personal information (data) about them that is held.

Data subjects also have the right to have data about themselves corrected or erased subject to certain conditions.

LBE aims to comply with requests as quickly as possible but will ensure that it is provided within one calendar month unless there is a good reason for any delay. In such cases the reason for a delay will be explained in writing to the person making the request.

A record of requests relating to corrections and erasure is held by the CIM where such requests were formally made.

Fair and lawful processing

When LBE processes personal data, it must have a legal basis for doing so or a freely given, positive consent. The law provides a list of conditions to ensure that personal information is processed fairly and lawfully:

• Personal information is only processed where it is justified, and this is transparent to the data subject
• Information on the processing is easily accessible and easy to understand, in clear and plain language
• That data subject are aware of risks, rules, safeguards and rights in respect of processing and how to exercise their rights
• That the minimum amount of personal data is kept, and for as short a period as possible
• That special category personal information is processed only where necessary and justified, and with permission for this from the ICO unless a legal basis for processing is used

Individuals that supply LBE with personal information are provided with a ‘Privacy Notice’ (or online privacy statement) at time of data collection, repeated at time of SAR, which communicates the following:

• Purposes, categories, recipients (esp. outside country)
• Period of storage
• Existence of the right to request rectification, erasure and to object to processing
• Right to complain to supervisory authority and contact
• Information on communication and source
• Information on significance and consequences of processing

Data sharing

Where LBE shares personal information with any third party a ‘Data Sharing Agreement’ or ‘Data Processing Agreement’ must exist as part of a formally documented written agreement or contract.

A ‘Data Sharing Agreement’ is required if the information supplied is being used to fulfil requirements of the recipient.

A ‘Data Processing Agreement’ is required if the information supplied is being used only to fulfil LBE requirements and not used otherwise by the recipient.

Where the other party uses the personal information for its own purposes (Data Sharing):

• The agreement or contract will clearly describe the purposes for which the information may be used and any limitations or restrictions on the use of that information
• The other party is to provide an undertaking or provide other evidence of its commitment to process the information in a manner that will not contravene the law

Where the processing of personal information with a third party is required by law, procedures are to ensure that the protocols and controls for the sharing of the data are documented, regularly reviewed and verified.

Requests for personal information from the Police or other enforcement agencies can be considered where the purpose is for the prevention or detection of a crime and or the collection of taxes. It should be noted however that the council is generally under no obligation to do so. Before providing the information, the requesting agency must provide a sufficient explanation of why the information is necessary to the extent that not providing it may prejudice an investigation. This is to satisfy the relevant information holder that the disclosure is necessary. The request must be formally authorised by a senior officer from the requesting agency. If the information is to be disclosed, the disclosure must be authorised by the relevant Head of service (or above) and a note for the record should be made of the details about the disclosure with an explanation of why the disclosure is appropriate.

NHS national data opt-out

The NHS has adopted a national data opt-out policy that we are required to follow.

This requirement applies to all data sharing agreements involving NHS data under section 18 above where data is for planning and research purposes including data released under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002.

The consultation with the Data Protection Officer noted in 3.4 above will include reviewing any such use to ensure that the National Data Opt-Out does not apply. If it does, processes will be required to ensure that the opt-out is respected.

Data retention and disposal

LBE must ensure that personal information is not kept for any longer than is necessary. This is to adhere to any legal, regulatory or specific business justification.

LBE will retain some forms of information longer than others, but all decisions are to be based upon business requirements - details can be found in the Record Retention Schedule.

Data relating to clients is only to be retained for as long as a business justification remains.

When disposing of information, equipment or media, the Confidential Waste Disposal Policy should be adhered to.

The retention criteria must be imposed on third parties with who data is shared.

Transfer outside of the UK

To ensure an adequate level of protection is applied to personal information transferred or processed outside the UK contracts are to include conditions relating to the specific requirements for the protection of the information.

LBE is responsible for ensuring that ‘due diligence’ is conducted on the other party, and that adequate and appropriate controls and safeguards are applied for the transfer of the personal information.

Companies outside the UK are to be required to apply the same controls and requirements as applied within the UK unless they can demonstrate other adequate procedures are implemented to protect the personal information as part of the ‘due diligence’ process. Periodic reviews of the same are to be conducted to ensure adherence is maintained.

Processing is only permissible in countries with a decision of adequacy from the UK Information Commissioner, unless other measures are put in place.

There are specific issues with Cloud processing covered in the Use of Cloud Security Policy.

Data received by LBE from third parties may have specific storage and use rules that may further restrict where it can be stored or processed (for example, health data cannot be stored outside England and Wales).

Violations

Unauthorised disclosure of personal data is a disciplinary matter that may be considered a gross misconduct and could lead to termination of employment.

In the case of third parties unauthorised disclosure could lead to termination of the contractual relationship and in certain circumstances this could give rise to legal proceedings.

Any failure to follow this Policy must be treated as an incident and investigated in accordance with the Security Incident Reporting Procedure.

Supporting policies

This policy should be read in conjunction with the following policies and procedures:

• Information Classification and Handling Policy
• Staff Acceptable Use Policy
• Freedom of Information Policy
• Security Incident Reporting Procedure
• Use of Cloud Services Security Policy

Glossary

CIM - Complaints and Information Manager. Responsible for handling requests for data and complaints for the authority in conjunction with the DPO.

DDC - Departmental Data Coordinators - the central contact within their respective department with respect to compliance.

DPA - Data Protection Act 2018.

DPO - Data Protection Officer. The role created by Article 38 of the GDPR and formally tasked by Article 39 to:

• inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions
• monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits
• provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35
• cooperate with the supervisory authority
• act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter

EEA - European Economic Area.

EIR - Environmental Information Request. A formal request for information about environmental matters under the statutory instrument Environmental Information Regulations 2004 (which is sometimes also called EIR).

EMT - Executive Management Team - is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how LBE carries out its obligations under the legislation.

FOI - Freedom of Information Request. A formal request for information about authority business under FOIA.

FOIA - Freedom of Information Act 2000.

GDPR - The General Data Protection Regulation. Formally REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The UK GDPR applies in the UK for UK residents, and the original EU GDPR for any processing relating to a person resident in the EEA after that date.

ICO - Information Commissioner or Office of the Information Commissioner. The UK responsible authority for data protection.

IGB - Information Governance Board - monitors, oversees, reports and makes recommendations to EMT on all strategic level data protection issues.

Information or system owners - Have responsibility to ensure that data stored on systems is captured, stored, processed, accessed and deleted in line with the law and the council’s Retention Schedule. They are additionally responsible for ensuring that the recording of all statutory requirements are kept up to date, and reviewed at least annually.

LBE - London Borough of Enfield.

SAR - Subject Access Request. A formal request for information about a person made under Article 15 of the GDPR.

UK GDPR - The adopted version of the GDPR from the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and subsequent regulations.

Policy details

Author - Data Protection Officer
Owner - Information and Data Governance Board
Version - 2.5
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 04.10.2012
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.05.2023
Date of next review - 30.04.2024