Leven Parish Council – General Data Protection Regulations (GDPR)
Subject Access Requests (SARs)
This procedure is to be followed when an individual contacts Leven Parish Council to request access to their personal information held by the Council. Requests must be completed within 1 month, so each request should be actioned as soon as it is received. SARs should be provided free of charge; however, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The steps below will be followed to action the request:
1. Is it a valid subject access request? The request must be in writing (letter, email, social media).
2. Has the person requesting the information provided the Council with sufficient information to allow a search for the information?
3. Verify the identity of the requestor.
The Council must be confident that the person requesting the information is indeed the person the information relates to. The Council will ask for the person to provide their passport/photo driving licence and confirmation of their address (utility bill/bank statement).
4. The Council will determine where the personal information will be found.
The Council will consider the type of information requested and determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual).
If the Parish Council does not hold any personal data, it will inform the requestor. If it does hold personal data, the Council will:
5. Screen the information.
Some of the information may not be disclosable due to an exemption.
Examples of exemptions are:
References you have given
Publicly available information
Crime and taxation
Management information (restructuring/redundancies)
In some cases, emails and documents may contain the personal information of other individuals who have not given their consent to share their personal information with others. If this is the case, the other individual’s personal data will be redacted before the SAR is sent out.
6. The Council will prepare the SAR response (using the sample letters at the end of this document) and will include as a minimum the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom personal data has been or will be disclosed;
(d) where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with the Information Commissioner’s Office (ICO);
(g) if the data has not been collected from the data subject: the source of such data;
(h) the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Council will also provide a copy of the personal data undergoing processing.
All SARs will be logged to include the date of receipt, the identity of the data subject, a summary of the request, an indication of whether the Council can comply, and the date the information is sent to the data subject.
Sample letters:
Replying to a subject access request providing the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. We are pleased to enclose the personal data you requested.
Include 6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
Release of part of the personal data, when the remainder is covered by an exemption
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. To answer your request, we asked the following areas to search their records for personal data relating to you:
[List the areas]
I am pleased to enclose [some/most] of the personal data you requested. [If any personal data has been removed] We have removed any obvious duplicate personal data that we noticed as we processed your request, as well as any personal data that is not about you. You will notice that [if there are gaps in the document] parts of the document(s) have been blacked out. [OR if there are fewer documents enclosed] I have not enclosed all the personal data you requested. This is because [explain why it is exempt].
Include 6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published, or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
Replying to a subject access request explaining why you cannot provide any of the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject].
I regret that we cannot provide the personal data you requested. This is because [explanation where appropriate].
[Examples include where one of the exemptions under the data protection legislation applies. For example, the personal data might include personal data that is ‘legally privileged’ because it is contained within legal advice provided to the council or is relevant to on-going litigation or preparation for litigation. Other exemptions include where the personal data identifies another living individual or relates to negotiations with the data subject. Your data protection officer will be able to advise if a relevant exemption applies. If the council is going to rely on the exemption to withhold or redact the data disclosed to the individual, then in this section of the letter the council should set out the reason why some of the data has been excluded.]
Yours sincerely”
Leven Parish Council
Publication Scheme
The table below details information that Leven Parish Council can provide to meet its commitments under the model publication scheme.
Before a request is made for information, it may be helpful to see if the information required is already available on the Leven Parish Council website, Levenpc.co.uk. For instance, Parish Council decisions, spend and planning responses can be found in the council’s minutes.
Please note that Leven Parish Council’s information is available unless:
it does not hold the information;
the information is exempt under one of the Freedom of Information Act exemptions or Environmental Information Regulations exceptions, or its release is prohibited by another statute;
the information is readily and publicly available from an external website; such information may have been provided by the public authority or on its behalf;
the information is archived, out of date or otherwise inaccessible; or,
it would be impractical or resource-intensive to prepare the material for routine release.
Class 1 – Who we are and what we do
(Organisational information, structures, locations and contacts)
Information to be published
How the information can be obtained
Who’s who on the Council and its Committees
Published on website:
Contact details for Parish Clerk and Council members
Published on website: Displayed on Parish Council Notice Boards
Location of main Council office and accessibility details
Leven Parish Council does not have an office but contact details for the Parish Clerk are published on the website: Displayed on Parish Council Notice Boards
Staffing structure
Leven Parish Council has 2 part-time employees, the Parish Clerk and the Handy Person
Class 2 – What we spend and how we spend it
(Financial information relating to projected and actual income and expenditure, procurement, contracts and financial audit)
Information to be published
How the information can be obtained
Annual return form and report by auditor
Published on website Displayed on Parish Council Notice Boards
Finalised budget
Published on website Displayed on Leven Parish Council Notice Boards
Precept
Published on website
Borrowing Approval letter
Not applicable
Financial Standing Orders and Regulations
Published on website
Grants given and received
Published on website
List of current contracts awarded and value of contract
Available on request by email
Members’ allowances and expenses
Not applicable
Class 3 – What our priorities are and how we are doing
(Strategies and plans, performance indicators, audits, inspections and reviews)
Information to be published
How the information can be obtained
Annual Chairman’s Report to the Parish
Published on website
Quality status
Not applicable
Action Tracker Update
Contact the Clerk
Class 4 – How we make decisions
(Decision making processes and records of decisions)
Information to be published
How the information can be obtained
Timetable of meetings
Published on website
Agendas of meetings
Published on website Displayed on Parish Council Notice Boards
Minutes of meetings – n.b. this will exclude information that is properly regarded as private to the meeting.
Published on website
Reports presented to council meetings – n.b. this will exclude information that is properly regarded as private to the meeting.
Not applicable
Responses to consultation papers
Published on website
Responses to planning applications
Published on website
Bye-laws
Not applicable
Class 5 – Our policies and procedures
(Current written protocols, policies and procedures for delivering our services and responsibilities)
Information to be published
How the information can be obtained
Policies and procedures for the conduct of council business: Procedural standing orders Committee terms of reference Delegated authority in respect of officers Code of Conduct Policy statements and procedures
Published on website Published on website
GDPR policy and assessments
Published on website
Records management policies (records retention, destruction and archive)
Not applicable
Schedule of charges (for the publication of information)
As below, final item
Class 6 – Lists and Registers
Information to be published
How the information can be obtained
Any publicly available register or list (if any are held this should be publicised; in most circumstances existing access provisions will suffice)
Not applicable
Assets register
Published on website
Disclosure log (indicating the information that has been provided in response to requests)
Available from Clerk by email
Register of members’ interests
Published on website:
Register of gifts and hospitality
Available on request by email or hard copy
Class 7 – The services we offer
(Information about the services we offer, including leaflets, guidance and newsletters produced for the public and businesses)
Information to be published
How the information can be obtained
Cost
Community centres and village halls
The parish council does not have a community centre or village hall but Leven Recreation Hall, which is a registered charity, owns and manages a similar venue.
–
Seating, litter bins, clocks, memorials and lighting
Available on request by email or hard copy from the Clerk
–
Bus shelters
Available on request by email or hard copy from the Clerk
–
Jubilee Gardens and planters
Available on request by email or hard copy from the Clerk
Please note that no charge will be made for documents sent via e-mail except in rare cases where the information is not readily available in which case the Clerk’s time will be charged at £10.00 per hour (pro rata).
Type of charge
Description
Basis of charge
Disbursement cost
Photocopying @ 20p per sheet (black & white)
Actual cost of printing ink and paper
Photocopying @ 50p per sheet (colour)
Actual cost of printing ink and paper
Postage
Actual cost of Royal Mail standard 2nd class
Statutory Fee
Not applicable, unless a search is required, when the actual statutory fee will be charged, plus any photocopying required
In accordance with the relevant legislation
Other
Clerk’s time involved in gathering information, photocopying etc.
Actual cost £10 per hour (pro-rata)
Leven Parish Council
General Data Protection Regulation Policy
Agreed 2nd July 2024
Review July 2026
Introduction
The purpose of data protection legislation is to protect the ‘rights and freedom’ of living individuals. Data protection legislation applies to all data controllers within the UK, who process personal data in order to provide services.
The Information Commissioner oversees compliance and promotes good practice, regulating all organisations and individuals who process personal data. This policy applies to all personal data held by Leven Parish Council. The policy aims to ensure those individuals’ rights and freedoms are protected, preventing personal data being mistreated or used to deny access to services. The policy will be used to ensure that the personal data Leven Parish Council holds is used fairly and lawfully, in line with data protection legislation.
Roles
Whilst Parish Councils are not classed as public authorities under the UK General Data Protection Regulation (GDPR) and therefore there is no requirement to have a Data Protection Officer, as part of its commitment to comply with data protection legislation the Parish Clerk will be a point of contact for all data protection issues.
As the Parish Council is a data controller, it is registered with the Information Commissioner’s Office (ICO). It is the responsibility of all staff and Councillors to comply with data protection legislation.
Data
Leven Parish Council collects and uses certain types of personal information about staff, councillors, residents and other individuals who come into contact with the Parish Council.
The Parish Council may be required by law to collect and use certain types of information to comply with statutory obligations related to employment; other information may be collected either by consent of the individual or to perform its public task (i.e. operate as a Parish Council).
The Parish Council has completed an Annual Assessment of the data it holds in support of this policy (Appendix One).
Principles
All processing of data by Leven Parish Council must be conducted in accordance with the data protection principles:
1. Personal data must be processed lawfully, fairly and transparently.
2. Personal data can only be collected for specific, explicit and legitimate purposes.
3. Personal data must be adequate, relevant and limited to what is necessary for processing.
4. Personal data must be accurate and kept up to date with every effort to erase or rectify without delay.
5. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
6. Personal data must be processed in a manner that ensures the appropriate security.
7. The controller must be able to demonstrate compliance with the UK GDPR’s other principles (accountability).
Data Subjects Rights
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
To make subject access requests regarding the nature of information held and to whom it has been disclosed.
To prevent processing likely to cause damage or distress.
To prevent processing for purposes of direct marketing.
To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
To not have significant decisions that will affect them taken solely by automated process.
To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.
To request the ICO to assess whether any provision of the data protection legislation has been contravened.
To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller (ported).
To object to any automated profiling that is occurring without consent.
The Parish Council makes every effort to ensure that data subjects may exercise these rights.
A data subject may make a Subject Access Request. Such requests are under normal circumstances free of charge and will be dealt with within one month (although this can be extended by two months in some circumstances).
Data subjects also have the right to complain to the Parish Council in relation to the processing or handling of their personal data. This will be done in line with the Council’s complaints policy and procedure.
Disclosure
The Parish Council ensures that personal data is not disclosed to unauthorised third parties which includes family members, friends, suppliers, government bodies and other public sector organisations. All employees or members of the Parish Council should exercise caution when asked to disclose personal data held on another individual to a third party.
Incidents and Breaches
The Parish Council will always treat any data protection incident/breach as a serious issue. In the event of a breach, or suspected breach (incident), an investigation will be undertaken, and there is an obligation to report certain data protection breaches to the ICO within 72 hours of the Parish Council being made aware. If required, the Parish Council will also arrange for the affected data subjects to be notified.
GDPR Risk Assessment
The Parish Council has conducted a GDPR risk assessment with details of the management of risk in place and proposed further actions. This will be updated annually. (Appendix Two).
TYPE OF DATA
WHY COLLECTED?
SOURCE
WHO IS IT SHARED WITH?
CONSENT
HOW IS IT PROTECTED?
Electoral Roll
For council use only to inform correspondence and changes to the roll
East Riding of Yorkshire Council
Clerk and Councillors
Not required
Digital copy only in the Leven PC cloud storage. Backed up daily
Correspondence from residents
Queries from residents
residents
Clerk and councillors
No but GDPR statement on email correspondence
Stored digitally on Leven PC cloud storage. If copies are printed for meetings, they are destroyed post meeting with cross shredder
Personal contact details of councillors
To make available to residents, community groups, ward councillors and other local contacts
Councillors
Public
From Councillors
Councillors have council system email addresses not personal email addresses.
Clerk and Handyperson’s employment details
For contracts of employment and payroll
Clerk and handyperson
Councillors, clerk and Autela payroll services, HMRC
Clerk and handyperson
Hard copies stored securely in clerk’s home. Digital copies on Leven cloud storage. Autela payroll system storage.
Job Applications
When employing staff
candidates
Clerk, councillors
From candidates consent statement on application form
Application forms are stored on Leven PC cloud. Unsuccessful candidates’ data is deleted. Printed copies of shortlisted candidates are destroyed after appointment by cross shredder.
Complaints
To deal with complaints
complainants
Clerk, councillors
From complainant in line with complaints policy
In Leven PC cloud storage Any printed copies destroyed after processing
Grant applications and donations
To process grant/donation requests
applicants
Clerk, councillors
GDPR statement on application form
Stored in Leven cloud storage. Paper copies used to assess application destroyed by shredder.
Communications with third parties, e.g. ERYC, HMRC, ERNLLCA, other parish councils, community funding organisations
Undertaking Parish business, including commissioning services and training, advice and support, reporting local issues, and information sharing.
Third party organisations
Clerk, councillors
Not required as public organisations
Stored in Leven cloud storage
Planning applications
To enable the council to respond to applications
ERYC
Clerk, councillors and public (on secure website)
N/A
Stored on Leven PC website
Contracts
To enable the Parish to deliver local services e.g. grass cutting
contractor
Clerk and councils
Stored in Leven PC cloud. Hard copy of invoices stored securely in the Clerk’s home
Details of sponsors for local projects
To collect payment and acknowledge contributions
Sponsors
Clerk and councillors
Stored in Leven PC cloud.
AREA OF RISK
RISK
LEVEL H/M/L
MANAGEMENT OF RISK
ACTION
All personal data held by Leven PC
Personal data falls into the hands of a third party
L
Personal data held is always minimised. Data is held securely in the Leven PC cloud storage backed up daily. Data printed off the system is destroyed after use.
Councillors have recently been given Leven PC emails so all email activity resides in the Leven PC system and is not sent to private email addresses
Publishing of personal data in minutes and other public documents
L
Clerk avoids publishing non-public personal data in the minutes. Personal names are not used and are replaced by ‘resident’ or ‘member of the public’
Minutes and other documents going into the public domain are cleared by the chair and vice chair
Sharing of data
Personal data falls into the hands of a third party
L
Data is not shared without the consent of the data owner
Hard copy data
Paper copies of data fall into the hands of a third party
L
Minimal data is held in paper form; data that is, for example, on contracts of employment is stored securely in the Clerk’s home.
Hard copies no longer required are cross shredded
Electronically held data
Theft or loss of laptop and remote devices
L
Laptop access is password protected. All files are held in cloud storage. All councillors access files within the Leven PC system. Councillors are advised to secure personal devices. Safe disposal of old IT equipment via ERYC ICT services.
More training for Parish Councillors on data security
Email security
Unauthorised access to council emails
L
Email accounts are all within the Leven PC domain and are password protected. Use of bcc to send wider mail shots to external parties. Delete emails from residents when issues have been resolved.
Do not forward emails from residents; cut and paste information into a new email.
General internet security
Unauthorised access to council computers and files
L
Computer is password protected and has up-to-date antivirus software. Operating system is hosted remotely through a host organisation that manages storage in line with GDPR requirements.
Remind Councillors to ensure their security systems are up to date and installed correctly.
Use of WhatsApp
Access to WhatsApp group data
M
Never refer to personal data when using the Leven PC WhatsApp group
Continue to remind councillors
Website SM security
Personal information or photographs of individuals published
M
Ensure written consent is secured for photographs of individuals including parental consent for those under 17. Security is provided on the website by the host organisation (Getextra) including statements regarding GDPR.
Provide a proforma for consent for events
Financial Risks
Financial loss following a data breach
L
The council has funds in reserve for contingencies related to fines
Ensure insurance policy covers liability cover for data breaches
Filming
Filming and recording at meetings
L
If a meeting is closed to discuss confidential information, ensure no phones or other devices are able to record the session. If filming of a public meeting is enabled, ensure all those filmed give consent; if not, ensure those not giving consent are not recorded.
Chair to issue a statement on recording at the beginning of all meetings