Data Protection Policy

Appendix A - Roles and Responsibilities

Cabinet
•    Approval of the policy framework (this document) within which data protection is governed by Welwyn Hatfield Borough Council.

Chief Executive
•    Formally designate/appoint a Data Protection Officer.

Senior Leadership Team
•    Ensure the importance of data protection is culturally embedded into the Council.
•    Allow unfettered access to the DPO to raise or report on any matters.
•    Receive update reports, as required, from the DPO in order to oversee compliance with the data protection legislation and policies.

Directors and Assistant Directors
•    Ensure that through the services managed, and associated forms and processes, individuals are aware of their rights under the UK GDPR and DPA.
•    Ensure data collected, retained, processed, shared and destroyed by services/employees is done so in line with the relevant policies.
•    Ensure their services have the processes in place for explicit consent to be requested and recorded where required.

Employees
•    Comply with the data protection and other associated Council policies and guidance.
•    Act with due diligence with regard to the UK GDPR and DPA. If in any doubt, at any time, guidance should be sought from the Council’s DPO.
•    Report data breaches immediately to the DPO and co-operate with the DPO regarding the data breach reporting process.
•    Proactively identify areas of risk, and make suggestions on how compliance, security, and the protection of information can be enhanced and improved.

Client Support Services Manager
•    Maintenance of the Council’s data protection procedures and guidance, and other relevant policies.

Governance Services Manager
•    Maintenance of the Council’s Data Retention Policy and Guidelines.

Data Protection Officer (DPO)
•    Ensures that the Council's processing operations adequately safeguard personal data, in line with legal requirements.
•    To have unfettered access to the Corporate Management Team (CMT) on data protection matters.
•    Carries out a periodic review of the Data Protection Policy, with recommended changes being reported to CMT.
•    Monitor compliance with the Council’s Data Protection Policy.
•    Create, maintain and publish the Council’s Privacy Notice.
•    Ensure regular training and guidance is available to employees and Councillors, and that it is up to date.
•    Advising the Council of its legal obligations in relation to data protection requirements.
•    Informing, supporting and advising employees, Councillors and third parties (as appropriate) of their data protection obligations and requirements.
•    Monitoring compliance with the policy, reporting findings to CMT.
•    Review of, maintaining logs of, and advising on privacy impact assessments.
•    Provide standardised templates and advice to managers on all data protection notifications/requirements including notification of individuals’ rights, consents, data sharing agreements, data and privacy impact assessment.
•    To report any data breaches to the regulators and individuals, as required.
•    Co-ordinating and responding to subject access requests and all other rights of individuals.
•    Decision maker in relation to whether a subject access request is considered to be manifestly unfounded or excessive.
•    Ensure sufficient organisational and technical policies are in place to protect personal data (and for the restoration of personal data where appropriate).
•    Co-ordinate data protection audits and maintain records of the audits.
•    Point of contact for and working with the supervisory authority in relation to the processing of personal data.
•    To maintain sufficient records (including all other registers and logs not identified separately above but set out in the policy) to demonstrate the Council is complying with data protection legislation.

Service Director (Resident and Neighbourhoods)
•    Maintenance of the Council’s Patient Identifiable Information Policy and guidance.

Procurement Manager
•    Provide advice and support with the DPO in contractual provisions with third parties.