Data protection policy

1 Introduction

This Policy replaces the Council’s previous Data Protection Policy V2.3 dated March 2015.

Personal information is defined and regulated by the Data Protection Act 1998 (The Act). In addition, Article 8 of the Human Rights Act 1998 gives broader protection by affording everyone the right to respect for their private and family life, home and correspondence.

Personal information is information about living, identifiable people. The definition includes - but is not limited to - information about their activities, opinions, lifestyle, background, character and choices.

2 Purpose

Everyone who works for Blackburn with Darwen Borough Council (BWD) uses personal information. This policy ensures that all personal information BWD obtains, uses or shares in its work is treated with care and respect, and is used lawfully and fairly. The policy applies to information about employees as well as information about the public.

3 Scope

This document applies to all Elected Members, Committees, Departments, Partners, Volunteers and Employees of the Council, contracted third parties and agents of the Council who process, have access to, or custody of, Blackburn with Darwen Council information.

All users must understand and adhere to this policy and are responsible for ensuring the safety of all information controlled by the Council.

All users have a role to play and a contribution to make to the safe and secure use of the information that they hold.

4 Definition

The Act is based on 8 principles that explain how personal information should be used. Compliance with these principles ensures information is secure, managed well, accurate and available. Personal information can be obtained, used, shared and kept to provide services, look after people’s interests and support the Council’s objectives. Data Protection supports efficient working and reinforces the Council’s objective to provide appropriate and personalised services.

This policy sets out how the Act applies to the Council, and sets out some specific measures to assist compliance. The eight Data Protection Principles are:

  1. Personal information must be processed fairly and lawfully.
  2. Personal information must be processed only for specified purposes.
  3. Personal information must be adequate, relevant and not excessive.
  4. Personal information must be accurate and kept up to date.
  5. Personal information must not be kept for longer than necessary.
  6. Personal information must be processed in accordance with the rights of information subjects.
  7. Personal information must be protected by appropriate security.
  8. Personal information must not be transferred outside the EEA without adequate protection.

The Council is committed to ensuring that all processing of personal information complies with these principles.

5 Summary of Specific Measures

All departments will:

  • Ensure that all employees complete the Responsible for Information training provided by the Information Governance Department (See 6.18).
  • Inform the Information Governance Section within the ITM&G Department of any new services, projects and processes involving the use of personal information, or of significant changes to existing ones.
  • Participate, when necessary, in carrying out privacy impact assessments (PIA) (See 6.19).
  • Report all losses, thefts or breaches of security involving personal information to the Information Governance Section within the ITM&G Department.
  • Notify the Information Governance Section within the ITM&G Department of all information sharing agreements or protocols, providing copies for central repository.
  • Participate in information protection audits.
  • Return all IT equipment to ITM&G when:
    • No longer required
    • The user leaves the Council

6 Applying the Legislation

6.1 Individual Responsibility

The Council holds information about service users, local residents, elected members and employees, among others. Everyone who works for or represents the Council must protect the personal information that they use and be aware of their obligations. The use of personal information must be fair, legal and proportionate.

Employees cannot use personal information obtained at work for their own purposes. It is a criminal offence to knowingly or recklessly disclose personal information. Anyone who uses, discusses or discloses personal information held by the Council without lawful authority may commit this offence, the penalty for which is up to two years in prison.

Employees who knowingly disclose or misuse Council information for their own purposes, or who knowingly ignore the requirements of this policy will face disciplinary action, regardless of any possible criminal sanction. This could lead to summary dismissal for gross misconduct and breach of trust.

6.2 Awareness and Training

Blackburn with Darwen Council promotes the need to respect privacy and confidentiality so that people remain confident about using Council services. People must be told how we will use their information, so that they are not reluctant to provide it to us. Departments will participate in an on-going programme of information protection training, provided by the Information Governance section within ITM&G. (See 6.18).

6.3 Obtaining Information

People must be informed when we record information about them, unless there is a specific legal reason for not doing so. Any process involving the collection and use of personal information must conform to the principles of The Act. Managers must ensure that the use of personal information meets these conditions.

6.4 New Processes and Services

Departments need to understand the legal basis for using and sharing personal information as defined in the Act when developing a new service or process. If there is any doubt, the Department must ask Information Governance to identify it.

Departments should carry out a Privacy Impact Assessment (PIA) on new initiatives or changes to existing services or processes, where the impact of the change is significant or intrusive.

The PIA will identify any areas of concern which relate to Information Governance and ensure that they are addressed before the project is implemented.

All new services and procedures should be notified to the Information Governance and IT Compliance Manager prior to implementation, to allow any identified changes to policies and procedures to be implemented prior to commencement. This will usually mean involvement at the beginning of the process.

If we need consent to use personal information, we will obtain it as soon as possible. If consent is not required, we will still tell people how their information will be used.

6.5 Application forms and tools to gather information

Any form or process designed to gather information must include a simple explanation about why personal information is needed, and how it will be used. This ‘fair processing notice’ (as directed by the Act) must also spell out whether information will be shared outside the Council.

Existing forms without fair processing information will be amended when it is practical to do so.

6.6 Notification

The Council’s ‘notification’, which is held by the Information Commissioner and available from the Information Commissioner’s Office (ICO) website, describes how and why we use personal information. It is reviewed annually. Departments should tell the Information Governance and IT Compliance Manager about new services or projects, or significant changes that might affect the notification (see also 6.4).

The Information Governance Section will process notifications on behalf of elected members.

6.7 Record Keeping

Departments must put in place adequate records management procedures, including measures to ensure that working records about people are fair, accurate, up-to-date and not excessive.

Records about people must be secure, traceable and accounted for at all times. Each department must ensure that its records comply with the Council’s Records Management (RM) Policy, which contains a retention and disposal schedule. It can be found on the Council’s website and is available via departmental representatives or from the Information Governance and IT Compliance Manager.

Records must be disposed of securely in accordance with the appropriate disposal schedule found within the RM Policy. Records management procedures, including retention and disposal, apply equally to paper and electronic records including emails.

Departments will regularly need to assure themselves that they are compliant with statute and policy, reporting any discrepancies to the Information Governance Section.

6.8 Extent of Information

Personal information must be accurate, relevant, up-to-date, adequate and not excessive. It should be easy for employees and service users to update their information.

Inaccuracies must be corrected as soon as they come to light. Employees should ensure that they keep enough information to provide an effective service, but avoid keeping information just in case it may become useful in the future.

6.9 Need to know

Access to personal information must only be given to those who need it. Personal information should only be used when necessary and not purely because it is convenient to do so.

Each Department is responsible for restricting access to personal information and ensuring compliance with this policy.

This applies to all employees regardless of department or role.

All access to systems containing personal information for maintenance or testing must be logged. Where a system has the facility to log the creation of users, this facility must be switched on.

6.10 Physical Security

The Information Governance section must be notified of any actual loss, theft or accidental disclosure of personal information.

All premises and electronic systems where personal information is held must have adequate security.

Access to areas where information is held must be controlled, paper files containing personal information must be locked away when not in use, and computer data must be protected adequately.

Access to information must be restricted to authorised employees only; such employees must receive training on the security of the system prior to being given access to it.

Electronic data must only ever be stored on official servers. If this is impractical, data must be only stored in locations agreed by the Information Governance section of the ITM&G Department.

All personal information and documents containing personal information should be stored on the appropriate server on the Council’s network and not on desktop PCs, laptops or other electronic storage devices. Information stored on desktop PCs, laptops and similar devices is at risk of loss through hardware or software failure, automated administrative activity, or loss or theft of equipment.

When information is gathered and recorded by employees through mobile working then it should be uploaded onto the appropriate network server as soon as possible after being gathered. Personal Information must not be stored on unencrypted devices. Any such temporary storage must have a risk assessment carried out by the Information Technology Security Officer (ITSO) within ITM&G prior to information being stored. The risk assessment must be sent to the Information Governance Section.

If, in exceptional circumstances, information is not stored on the network, then it is the responsibility of users to ensure that the information is secure and that appropriate back-up procedures are in operation. The ITSO must approve this, and the information must be uploaded appropriately as soon as possible after the event and deleted from the mobile storage device.

When dealing with the public, employees must ensure that service users do not have access to devices on which other clients’ records are displayed or can be accessed.

Care must always be taken if personal information recorded on paper is used outside council premises, in accordance with the Council’s Paper records secure handling in transit policy. Personal information must only be stored on devices or equipment that are encrypted, under the Council’s control and which have been approved for use by the ITM&G Department.

Information must not be stored on any equipment owned by employees including, but not limited to, mobile phones, MP3 players, cameras, memory sticks, home computers or laptops unless approved by the ITSO and the Information Governance Section.

All personal information, physical or electronic, must be disposed of securely, in accordance with the Council’s Records Management Policy.

All client devices must be encrypted to Council Standards.

6.11 Validating requests for information

Departments must understand the relevant legal framework(s) that affect their work, so that they understand when they have the power or the obligation to disclose information to other organisations, and when they can obtain information from other organisations.

If an outside body requests personal information from the Council, employees must take reasonable steps to check the identity and entitlement of the person requesting personal information.

Requests for information should be made in writing and should make clear what is required. If an outside body says they can demand personal information held by the Council, the legal basis of that right must be checked with the Information Governance Section.

6.12 Security of Transfer

Person Identifiable Data must only be shared by secure transfer. This will mean using a GC email system for electronic transfers of personal information to other Government Agencies.

Should the recipient not have access to the GC email system, ITM&G can authorise the use of email encryption to enable the secure transfer of personal and sensitive information to non-GC mail users.

Process documentation for accessing the corporate email encryption service can be obtained from the Information Governance Section.

When sending information outside the Council, employees must take steps to ensure that only appropriate people will see it.

If email is considered to be the best option, employees must use the correct email address and be aware that email inboxes may be monitored by managers or others who may not be entitled to access personal information.

When issuing personal and sensitive information via a secure transfer method, all employees must ensure that the recipient is not forwarding mail to another email account prior to transfer and must confirm with the recipient that the email has been received as soon as possible after transfer.

6.13 Information Sharing Agreements

An Information Sharing Agreement or protocol is not a legal requirement to share information. Sharing can happen without one. An agreement does not create a legal gateway if one does not already exist; however, the use of a protocol will ensure best practice by all partners in any information sharing partnership.

All agreements or protocols between the Council and outside agencies must be registered with the Information Governance Section and agreed with the Senior Information Risk Officer (SIRO).

Departments must not sign any agreement without seeking advice from the Information Governance section and the Council’s Legal Services Department. Agreements should be drawn up after consultation between organisations, not imposed by one on another.

Any information sharing should be carried out using the Information Commissioner’s guidance: http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/data_sharing.aspx

Information Governance must be consulted whenever a Department wishes to share information with either internal or external partners. Information Governance will then risk assess the process.

6.14 Contracts

All contracts should include measures to ensure that the Council’s data is used safely and appropriately.

Information supplied to 3rd Party contractors must only be used for agreed purposes, and must not be used or disclosed for any other reason without the SIRO’s consent.

Due diligence must be carried out in relation to all contracts or agreements that involve the sharing of personal information. Risk assessments are required to assess the organisational maturity of a 3rd party’s data protection processes. All contractors that are to have access to the Council’s information will be required to provide evidence that data protection training has been completed.

6.15 Access to personal information

Employees will assist individuals to gain access to information that we hold about them. This might be by providing access to files, by advising them about the Council’s procedures, by referring requests to the Information Governance Section within ITM&G, or by advising requestors to submit their requests to accesstoinformation@blackburn.gov.uk.

All subject access requests (requests made by people for access to their own information) must be answered within 40 calendar days.

6.16 Complaints about personal information

If any person identifies errors or inaccuracies in the information we hold about them, or points out unfair use of their personal information as a result of access to their files, these must be rectified immediately (once verified).

The Council will immediately implement recommendations or instructions received as a result of an assessment or decision made by the Information Commissioner unless the Monitoring Officer believes the assessment to be incorrect.

6.17 Data Protection Officer and Network

There is a legal requirement for the Council to have a nominated employee with specific responsibility for data protection policy, advice, training and good practice. This is currently the Information Governance and IT Compliance Manager, based in the ITM&G Department’s Compliance section.

The Council will maintain a network of employees trained in Data Protection issues who are available to provide advice to employees in all areas of the council and assist the SIRO and the Information Governance and IT Compliance Manager (the Council’s Data Protection Officer).

All departments must have a nominated member of the Corporate Information Governance Group (IGG) and must nominate someone as a first point of contact for subject access requests. A list of members of this group can be obtained via the Information Governance Section.

6.18 Induction and appraisal

Training in the area of confidentiality and data protection must be provided to all new elected members and employees prior to them having access to any personal information.

An on-line e-learning course entitled ‘Responsible for Information’ has been made available on the Council’s e-learning platform: http://learning.blackburn.gov.uk/

The learning is split into three levels:

Responsible for Information – General Users is mandatory and designed for all elected members and employees. It provides a comprehensive guide to why protecting information is so important, the risks to its safety, and what can be done to protect it appropriately. This training must be refreshed annually and evidenced to line management as part of the Council’s appraisal process.

Responsible for Information – Information Asset and Information Risk Owners is designed for those who have a specific responsibility for information datasets, and is particularly aimed at Information Asset Owners (Head of Service) and line managers. It will help them understand more about their role in ensuring that information is appropriately protected.

Responsible for Information - SIRO is designed for the SIRO role and those with corporate Information Governance responsibility.

Basic guides to all data protection issues are also available on the intranet.

6.19 Privacy Impact Assessments

When starting any new project, every effort must be made to ensure that the privacy of any client information is respected and that all systems are compliant with the Human Rights Act and the Data Protection Act.

In order to ensure this, it is necessary to conduct a PIA. These assessments are defined by the Information Commissioner as processes whereby a project's potential privacy issues and risks are identified and examined from the perspective of all stakeholders, and a search is undertaken for ways to avoid or minimise privacy concerns.

When any new system is considered the Information Governance and IT Compliance Manager must be consulted in order to advise and assist with the completion of a PIA.

6.20 Confidentiality

Information explicitly accepted in confidence or as part of a confidential relationship can only be disclosed to someone else in exceptional circumstances.

Employees must not disclose confidential information to anyone else without the permission of the individual who first gave the information to them, unless the information is about serious wrong-doing or harm.

All employees have a duty to report any criminal activity or wrong-doing to the proper authorities.

The Council operates a Whistleblowing Policy, which provides further advice on what to do in these situations. This Policy is on the Council’s intranet.

6.21 Testing and Training

When developing or testing any new system or process, or working on an existing system for the purpose of testing or training, information about real people must not be used unless it is impossible to test the system without it. This applies equally to employees and 3rd parties when testing or upgrading systems. If live data must be used for testing, it must be kept securely, and it must not be accessed or disclosed unless absolutely necessary. Inconvenience is not sufficient reason to use live data for testing.

Personal information must not be used in any training exercise – real examples must be fictionalised to the point where a person cannot be identified. Personal information can only be used for training purposes where managers or supervisors need to discuss with an officer the way they handled a specific case or situation.

6.22 Monitoring and Evaluation

The Information Governance and IT Compliance Manager is responsible for ensuring that all departments understand the requirements of this policy and the relevant legislation. The Audit and Assurance section will periodically audit departments using the Information Commissioner’s audit guidance to ensure that all parts of the Council comply with the Data Protection Act.

7 Policy Compliance

If any user is found to have breached this policy, they will be subject to the Blackburn with Darwen Council disciplinary procedure. If a criminal offence is considered to have been committed, further action will be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance department.

8 Policy Governance

The following table identifies who within Blackburn with Darwen Council is Accountable, Responsible, Informed or Consulted with regard to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible   Director of IT Management and Governance
Accountable   Section 151 Officer
Consulted     Policy/Unions/Exec Board
Informed      All Council Employees, All Temporary Employees, All Contractors, all 3rd Party Contract Holders

9 Review and Revision

This policy will be reviewed every two years to ensure that it takes account of new legislation and expected developments in the areas of personal privacy and public sector information sharing.

Policy review will be undertaken by the Information Governance and IT Compliance Manager.