Data Protection Policy for City of Westminster

This policy was formally adopted by City of Westminster (the Council) on November 2000, revised in December 2010 and approved inApril 2011. The policy applies to:

All employees;
Elected members;
Third parties acting on the Council's behalf.

INTRODUCTION

At the heart of the Council’s activities is the need to gather, process, use, maintain, and protect information about their staff, customers and partners.The Council is committed to ensuring that any such activities involving the use of personal data1 will be done in accordance with the Data Protection Act 1998

The Council – acting as custodians of personal data – recognisesits duty to ensure that personal data is handled appropriately irrespective of the medium on which it is held. This covers the whole lifecycle of the data, including:

The obtaining of personal data;
The storage and security of personal data;
The management, arrangement & accuracy of personal data;
The disposal / destruction of personal data.
The sharing of personal data for the purposes of fulfilling statutory obligations and delivering timely and effective services to citizens, customers and partners

The Council also has a responsibility to ensure the right of access to personal data is upheld and managed in an appropriate fashion to ensure that any such disclosures are lawful.

In line with the Act the Council will charge a fee of £10 for all Subject Access Requests, including those made for CCTV footage.

1. Actions

By following and maintaining strict safeguards and controls, the Council will:

1.1. / Acknowledge and enforce the rights of individuals about whom the personal data relate in accordance with its corporate Data Protection delivery framework as set out in section 2[Enablers]
1.2 / Ensure that the collection and use of personal data is undertaken fairly and lawfully. The Council will ensure that its use of personal data is set out in a publicly available notice
1.3 / Ensure that individuals about whom the personal data relate are given a right of redress with regard to the collection and use of their personal data in accordance with the Act and its associated guidance
1.4 / Specify the purposes for which personal data will beused and restrict the use of data to those purposes
1.5 / Collect and process personal data on a “need to know” basis, ensuring that it is fit for the purpose, is not excessive, and is disposed of in accordance with the Council’s Corporate Records Management Policies and procedures
1.6 / Ensure that adequate steps are taken to verify the accuracy, reliability, timeliness, relevance and completeness of personal data collections in accordance with regulatory standards and obligations
1.7 / Ensure the confidentiality, integrity and availability of personal information with regard to its collection, storage, use, maintenance and transfer in accordance with the Council’s Information Security Policy and procedures
1.8 / Ensure that any such measures as set out under 1.7 (where reasonably practicable) will be applied to Council contractors and partners, in order to protect against damage, loss or abuse
1.9 / Ensure that the transfer of personal data is lawful. Safeguarding data transfers will be undertaken in accordance with the Council’s Data Sharing Standard, Information Security Policy, and other guidance, including adherence to and the monitoring of any current and future data sharing agreements
1.10 / Ensure that where appropriate, data sharing arrangements are captured and monitored through the use of Data Sharing Protocols that meet the criteria set out in the Council’s Data Sharing Standard, and Data Handling Classification Policies
1.11 / Ensure that regular audits are undertaken in order to monitor compliance with this policy
1.12 / Establish a centralised information risk register to monitor personal data transfers and use across the Council

2. Enablers

In order to support these actions the Council will:

2.1 / Nominate a “Corporate Data Protection Officer” for the Council, who will act on behalf of the Data Controller and be responsible for:

Reviewing and monitoring compliance with this policy
Gathering and disseminating best practice guidance on Data Protection and other related legislation
Ensuring annual notification to the Information Commissioner’s Office
Instigating regular DPA Audits
Ensuring Right of Subject Access is maintained

Provide adequate staffing and financial resources to ensure compliance with this policy – specifically through the establishment of a corporate Data Protection Team charged with day to day responsibility for ensuring compliance with this policy
2.2 / Establish a network of nominated officers known as Divisional Records Officers [DROs]. DROs will act as local coordinators for responding to related Data Protection issues that impact their service areas.
DROs will:
-act as the contact point for coordinating and responding to Data Protection issues that impact upon their area
-respond to requests for information from the Council’s Corporate Data Protection Officer
-escalate to line management any issues that would affect compliance with this policy within their service area
2.3 / Provide adequate training and guidance materials to enable a high level of awareness with regard to compliance with this policy
2.4 / Ensure that all contracts and service level agreements between the Council and external third parties – where personal data is processed – make reference to adherence to this and any other policies that impact on the processing of personal data
2.5 / Ensure that all staff and third parties acting on the Council’s behalf are given access to personal information that is appropriate to the duties they undertake and no more
2.6 / Establish procedures for validating the right of subject access and ensuring that the information provided is clear and unambiguous.
2.7 / Review this policy every two years to ensure that its objectives and approach are both relevant and effective.

3. Units

In order to support the enablers outlined above departments must undertake the following:

3.1 / Ensure that a “Divisional Records Officer” [DRO] is appointed within each of their delivery and support unit areas.
3.2 / Ensure that each Service Area will provide adequate coverage of the DRO role and immediately inform the Corporate Data Protection Officer of any changes in personnel.
3.3 / Ensure that all nominated officers receive appropriate training and support to carry out the DRO function as provided by the Corporate Data Protection Team.
3.4 / Ensure that all activities that relate to the processing2 of personal data have appropriate local safeguards and controls in place to ensure data security and compliance with data handling policies and best practice.
Ensure that any suspected Data Protection breaches are immediately reported to the Corporate Data Protection Officer.
3.5 / Ensure that all their staff and third party contractors and/or partners understand and implement their responsibilities with regard to the safeguarding of personal data, as set out under the Council’s Security and Data Handling policies.
3.6 / Ensure that their general staff population undertakes adequate awareness training using the available corporate facilities provided by the Council.

4. Staff and Third Party Contractors

4.1 / All staff and third party contractors and/or partners must adhere to this policy by undertaking the following:
Adherence to this policy
Adherence to the Council’s Security and Data Handling Policies
Adherence to the Council’s Corporate Records Management Policy
Use every available recommended means to safeguard the processing of personal data.
Raise any concerns to their appropriate line manager, service coordinator or department.
If appropriate, raise concerns over the processing of personal data with the Corporate Data Protection team
Notify line managers, service coordinator and or department of any potential losses of personal data
Comply with any requests received for information issued by the corporate Data Protection Team within the specified time frames.
Notify corporate Data Protection Team of any requests for personal data falling under this policy
Third Party contractors and partners should destroy personal data stored on behalf of the Council in line with this and the Information Security and Records Management policies.
Notes: /

Personal Data includes any information held about a living individual and includes any recorded opinions or intentions towards them

Processing as defined by the Act includes the obtaining, recording, holding, organisation, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, blocking, erasure and destruction

Signed,

______

Mike More

Chief Executive

City of Westminster Council