Data Protection Policy

3.1    The Council will only process personal data where it has a legitimate business need to do so, and at least one of the following conditions are met:
•    it is required under a legal obligation to which it is party;
•    the individual has given their express consent;
•    it is necessary in the protection of the vital interests of the individual or another person;
•    it is necessary for the performance of a contract with the individual;
•    it is necessary for a task carried out in the public interest or in the exercise of official duties.

3.2    The Council will identify the minimum amount of information required in performing its activities, and gain explicit consent, as required, when collecting special category (sensitive) personal data.

3.3    Personal data will:
•    be anonymised when not required for business need;
•    be retained and destroyed in line with legal requirements and the Council’s Data Retention Guidelines;
•    be accurate and up to date, with notifications of inaccuracy being investigated and corrected swiftly;
•    not be held for longer than is considered reasonable for business need.

3.4    The Council’s Data Retention Policy and Guidelines will:
•    identify the categories of data held by the Council;
•    clearly state the reasons for holding the data;
•    identify how long data is held for;
•    detail how the council manages disposal of data
•    be subject of regular review.

3.5    The Council will ensure, where appropriate, that it is able to restore the availability of, and access to data in a timely manner in the event of a physical or technical incident.

3.6    The Council will maintain an information assets register, which details the software used to process personal data.

3.7    The Council will maintain records of explicit consent, where necessary.

3.8    Our Privacy Notice explains how we use information about individuals and how we protect their privacy.