1. Home
  2. Council and Democracy
  3. Information and Data
  4. Data Protection, FOI and EIR
  5. Data Protection

Data Protection

1. Introduction

1.1 Maidstone Borough Council (MBC) is committed to complying with the data protection principles when processing personal data and special categories data or sensitive data under the UK General Data Protection Regulation 2018 (UK GDPR) and the Data Protection Act 2018 (DPA), also known as data protection legislation.

1.2 The policy sets out the council’s commitment to comply with the UK GDPR and DPA in relation to the processing of the personal data of individuals by the council. Compliance with the data protection legislation will ensure that such processing is carried out fairly and lawfully.

1.3 The processing of data by the council is essential to Service provision and fulfilling the council’s statutory functions and often involves the use of personal and/or ‘special category’ personal data.

1.4 The UK GDPR along with the Human Rights Act (1998) (HRA) Article 8 and the Protection of Freedoms Act (2012), make it clear that the processing of personal data must respect the rights and freedoms of the data subject (individual), but at the same time be adequate for the council to carry out its functions effectively.

1.5 This policy is to be read in conjunction with other policies and legislation.

1.6 The privacy of individuals will always be respected in line with the council’s privacy notices. All information that the council processes, stores, or transfers in relation to individuals must be adequately protected against unauthorized access or changes.

1.7 For the purposes of this policy, all definitions will take the meaning given to them in the UK General Data Protection Regulation 2018 (UK GDPR) and the Data Protection Act 2018 (DPA).

2. Purpose of policy

2.1 The purpose of this policy is to convey the council’s commitment to comply with the provisions of the data protection legislation, in particular, the UK GDPR 2018 and DPA 2018. It outlines the rules governing how information should be processed by all council staff.

2.2 It seeks to ensure that personal data is processed in a manner consistent with the privacy principles under data protection legislation.

2.3 This Policy seeks to ensure that all staff have a clear understanding of the legal requirement and the council’s expectations in relation to the processing of personal data.

2.4 It seeks to ensure the protection and preservation of the confidentiality, integrity and availability of personal data and sets out the implications of non-compliance with the legislation to ensure strategic and operational risks are understood and treated thereby minimising the risk of non-compliance.

3. Scope of policy

1.1 This policy applies to all processing activities carried out by the council in relation to the personal data of individuals including the collection, usage, access, storage and retention of the personal data.

1.2 It covers the council’s approach in handling specific data protection issues and requirements such as data security breaches, data privacy impact assessments (DPIA), Subject Access Requests (SARs), processing sensitive personal data and lawful basis.

1.3 It clarifies the data protection principles, data subject rights and the council’s legal basis for processing personal data. Through this policy, and the council’s privacy notices, the council will provide general information to the public about their statutory rights under data protection legislation.

1.4 The council will hold the minimum amount of personal data necessary to carry out its functions, and every effort will be made to ensure the accuracy and relevance of data processed.

1.5 The personal data the council holds will be kept in accordance with the principles of the UK GDPR and council’s policies and procedures.

1.6 Whilst still ensuing compliance with data protection legislation, the council reserves the right to depart from the council’s Data Protection Policy and procedures when mitigating circumstances apply.

4. Roles and responsibilities

4.1 Chief Executive

Our Chief Executive will have overall responsibility for data protection in the council. However, it is the responsibility of all employees and elected members to handle information and data correctly.

4.2 Senior Information Risk Owner (SIRO)

The responsibilities of the SIRO are encompassed in the role of the Director of Strategy, Insight and Governance. In their capacity as the SIRO the director will lead on information governance by:

  • leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
  • chairing the Information Management Group
  • owning the organisation’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by Information Asset Owners (IAOs)
  • advising the Chief Executive and relevant officers on the information security risk aspects of recommended technical and organisational controls
  • ensure compliance with regulatory, statutory and organisational information security policies and procedures
  • owning the organisation’s information security incident management framework
  • ensuring staff awareness of information security risks affecting the organisation and the necessity to comply with the relevant legislation

4.3 Data Protection Officer (DPO)

The responsibilities of the DPO are encompassed in the role of the Head of Insight, Communities and Governance. As prescribed under Article 39 of the UK GDPR, the following duties are within the responsibility and remit of the DPO to:

  • report directly to the council's highest level of management and is given the required independence to do this in the role
  • champion information governance requirements and issues across all levels of the council
  • inform and advise the council and our employees about the necessary obligations that should be undertaken to comply with data protection legislation and all other applicable laws - this includes delivering training on data protection legislation and all other applicable laws
  • advise and monitor compliance with data protection legislation and all other applicable laws, by conducting internal audits
  • advise and assist in the completion of data protection impact assessments (DPIA)
  • continuously develop expertise on data protection sufficient to effectively fulfil the role
  • act as custodian(s) of the council's Retention Schedule and advise on the secure disposal of personal data
  • maintain current and accurate registration with the Information Commissioner’s Office (ICO)
  • be the first point of contact for the ICO and data subjects
  • be the initial contact for the investigation of data breaches and when and where required for reporting data breaches to the ICO
  • seek the advice of the ICO or council lawyers where there is uncertainty around a data protection matter
  • carry out responses to requests made by data subjects in accordance with their rights
  • have due regard to the risk associated with processing operations, considering the nature, scope, context and purposes of processing when approving processing activities and data protection impact assessments
  • maintain the council's records of processing activities as required by Article 30 of the UK GDPR

4.4 Information Governance Group

The duties, responsibility and remit of the Information Governance Group are detailed in the group’s terms of reference.

4.5 Information Governance Team

The Information Governance Team will have the responsibility of supporting the DPO in carrying out their duties. This includes:

  • investigating data breaches
  • responding to requests for personal data under the UK GDPR and DPA
  • conducting Information Management Audits
  • assisting and advising on Data Privacy Impact Assessments (DPIA)

4.6 Internal audit

Internal audit will undertake reviews to assess the procedures and policies in place that relate to data protection as per the annual audit plan or on request from the DPO.

4.7 Corporate Leadership Team

The following duties are within the responsibility and remit of the council's Corporate Leadership Team:

  • promote data protection and model best practice
  • maintain oversight of data protection across the council to ensure compliance with legislation
  • appoint a Data Protection Officer owing to the council's fulfilment of specified reasons listed in Article 37 of the UK GDPR
  • pursuant to Article 38 (2) of the UK GDPR, ensure that adequate resources are available for the implementation of data protection policies and procedures
  • pursuant to Article 38 (2, 3, 6) of the UK GDPR, ensure that the role remains independent and from bias and conflict(s) of interest
  • pursuant to Article 38 (3) of the UK GDPR, which states "...the DPO shall directly report to the highest management level of the controller or the processor...”, ensure that the position of the DPO will be held by, or report to, a member of the executive team
  • pursuant to Article 38 (1) of the UK GDPR, “…ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”
  • pursuant to Article 37 (5) of the UK GDPR ensure that “the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39"
  • ensure that data protection is integrated into council policies and procedures as and when they relate to personal data
  • foster an environment in which employees are not put under any undue influence or pressure to breach this policy

4.8 Wider Leadership Team

The following duties align with the responsibilities and remit of managers who form the Corporate  Leadership Team and Wider Leadership Team:

  • ensuring operational compliance with this policy within their own departments
  • ensuring that the people who work under their control protect the personal data of individuals in accordance with the organisations standards
  • developing and encouraging data protection best practices
  • maintaining oversight of data protection within their respective departments/service areas to ensure compliance with legislation in day to day activities
  • working with the DPO to ensure any necessary compliance measures identified are implemented within their respective departments/service - such compliance measures may arise from, but are not limited to, data protection impact assessments (DPIA), employee training, audits, data breaches
  • to assist the Data Protection Officer with requests pertinent to data protection including, but not limited to, data breaches and requests made under section 8 Data Subject Rights

4.9 Head of service for ICT

The following duties align with the responsibilities and remit of the above post-holder:

  • to ensure that appropriate and adequate technical measures are in place to safeguard the security of data
  • to advise and recommend additional requirements and developments that can be implemented to enhance the security of the data the council processes
  • to maintain awareness and understanding of current cybersecurity thefts and threats

4.10 Head of service for Human Resources (HR)

The following duties align with the responsibilities and remit of the above post-holder:

  • to maintain oversight of personal data processed in regard to employees, that relates to the functions carried out by Human Resources
  • to work with the DPO to ensure the security and integrity of the personal data processed in regard to employees, that relates to the functions carried out by Human Resources
  • to work with the DPO to ensure that the council responds to changes in legislation that will impact employees’ personal data held
  • to ensure that the council provides a mechanism for employees to complete mandatory data protection training on a regular basis

4.11 Employees and contractors working on behalf of the council

All employees and individuals working on behalf of the council are expected to:

  • familiarise themselves with the Employee Privacy Notice provided by the council
  • ensure that their personal data provided to the council is accurate and up to date
  • not respond to requests made in relation to data subjects’ rights, but instead to refer the request to the DPO
  • ensure that any personal data that the council holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised
  • only use devices for council work purposes in line with the council's Acceptable Use Policy
  • not bring unauthorised data including, but not limited to, personal data not required for employment purposes, data that is not relevant to completing the job role or data that is not related to the council's operational requirements, into the council buildings or onto the council network
  • complete all required mandatory data protection training
  • only keep personal data in accordance with the council's Retention Schedule
  • take care when connecting to public wi-fi to complete council work, as these can expose your connection to interception - if in doubt do not connect to it
  • take care to e-mail the intended recipient, especially when using autocomplete, and use the ‘BCC' field for emailing multiple people where using ‘to’ or ’cc’ is not needed
  • report any suspected or confirmed personal data breaches to the DPO and/or the Information Security Officer as soon as possible in line with the Data Breach Procedure
  • seek advice from the DPO and/or the Information Security Officer where there is uncertainty around a data protection matter

4.12 Customers

Customers are responsible for:

  • familiarising themselves with the Privacy Notice provided when they register with the council
  • ensuring that their personal data provided to the council is accurate and up to date
  • report any suspected or confirmed personal data breaches to a member of staff as soon as possible in line with the Data Breach Procedure

5. Data protection principles

5.1 The council will ensure that it follows the data protection principles, as set out in Article 5 of the UK GDPR when processing ‘personal data’ data:

  • the processing must be lawful, fair and transparent in relation to data subjects.
  • The processing must be for only specified, explicit and legitimate purposes. Any further processing in a manner that is incompatible with those purposes should be done with the consent of the data subject.
  • The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Personal data must be accurate and kept up to date.
  • Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is the principle of the ‘integrity and confidentiality’.
  • The organisation must take responsibility for personal data and compliance with the other principles.

5.2 The council will implement all reasonable measures to maintain compliance with the principles.  To this end, the council will continuously seek to develop and implement measures that ensure a high level of security for personal and confidential data and to maintain a secure environment for information held both manually and electronically.

6. Lawful basis for processing

6.1 In order to process any personal data, the council is required to justify the processing by meeting at least one of the conditions in Article 6 and, for special categories of data, Article 9 of the UK GDPR.

6.2 The council ensure that special category data and criminal convictions data has additional protection because it is sensitive and poses the greatest risk to individuals’ risk and freedoms if compromised.

6.3 The council accept that no matter how urgent the data collection, processing or sharing is, a lawful basis, and any associated conditions in Schedule 1 of the DPA 2018, must be identified, met and documented beforehand. Failure to do so is a breach of the data protection legislation, and significantly increases the risks to data subject’s rights and freedoms.

6.4 The exception to the above is vital interests. On the occasions that there is an emergency situation, pertaining only to matters of life and death, the lawful basis for processing of vital interests will be invoked under Article 6(1)(d) of the UK GDPR. The council recognise that there is a high threshold required for this lawful basis to be applied - it must be essential to someone’s life.

6.5 The council recognises the importance of having an ‘appropriate policy document’ in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018.

6.6 Prior to processing criminal convictions data, the council will identify and document accordingly:

  • the applicable condition from Article 10 of the UK GDPR and identity if it is processing the data in an official capacity or under a condition in Schedule 1 of the Data Protection Act 2018;
  • the lawful basis from Article 6 and 9 of the UK GDPR;
  • how we are complying with the Rehabilitation of Offenders Act 1974 (ROA) and Disclosure and Barring Service (DBS)

6.7 If the council cannot suitably identify, and justify, why criminal convictions data is required, the council will not proceed with the processing.

6.8 The council will not accept ‘consent’ as a lawful basis if it can justify processing under any of the other lawful basis.

7. Data subject rights

7.1 Data protection legislation enhanced the data subject’s rights and the council must process personal data in line with these regulatory and statutory requirements to demonstrate its compliance.

7.2 The council acknowledges that it must comply with the eight rights set out in Articles 12-23 of the UK GDPR to data subjects, known as “Data Subjects Rights”:

  • the right to be informed - the right to be told how personal data is used in clear and transparent language
  • the right of access, also known as a data subject access request (DSAR) - the right to know and have access to the personal data held about the individual
  • the right to rectification - the right to have personal data corrected where it is inaccurate or incomplete
  • the right to erasure, also known as the right to be forgotten - the right to have personal data deleted
  • the right to restrict processing - the right to limit the extent of the processing of the individual’s personal data
  • the right to data portability - the right to receive personal data in a common and machine-readable electronic format
  • the right to object - the right to complain and to seek to prevent the processing of an individual’s data
  • rights in relation to automated decision-making and profiling - the right not to be subject to decisions without human involvement

7.3 To enact any of these rights please contact the council's Information Governance Team.

7.4 The council is committed to facilitating requests made by data subjects meeting the criteria of the above rights. As such, the council will:

  • process personal data in a transparent manner.
  • Uphold individuals’ rights under data protection legislation and allow data subjects to exercise their rights over the personal data held about them by the council.
  • Keep records of all requests and their outcome.
  • Respond to requests made under these rights based on the conditions set out in law. Not all the data subjects’ rights are absolute, and depending on the circumstances, exemptions may apply.
  • Maintain internal procedures that detail how to process each of the data subject rights.
  • Take reasonable measures to require individuals to confirm their identity where it is not obvious that they are the data subject.
  • Not charge a fee to data subjects for enacting these rights, unless a request is found to be “manifestly unfounded or excessive” and/or reserves the right to refuse requests that are “manifestly unfounded or excessive”.
  • Strive to respond to all requests without undue delay. If a request is complex then the council will invoke its ability to extend the deadline by a further 2 months, pursuant to the legislative requirements being met. However, in addition to the above, as per Article 12 (4) of the UK GDPR, when extreme mitigating circumstances arise that hinder the council from meeting these obligations, the council will consult with data subjects and seek advice from the ICO about how to proceed. This includes but is not limited to; unforeseen/major disasters that affect the council's operations in line with business continuity and disaster recovery operations.
  • Review all requests made under data subjects rights on a case by case basis, having due regard for a consistent approach in line with council procedures. When mitigating circumstances apply, we reserve the right to depart from the council procedures to ensure that the data subjects’ rights are administered transparently and to the best of the council's ability.
  • If the council rely upon automated decision-making and profiling, the process(es) will be subject to intense scrutiny and risk assessments to ensure that there are no alternative solutions available and that data subject rights are upheld.

Information sharing

8.1 The council is a data controller for personal data processed in line with operational requirements and is therefore responsible for establishing policies and procedures which ensure compliance with legislation.

8.2 For the purposes of Government funding and performance accountability, the council shares data with (and may act on behalf of) external agencies. Principally this is the Cabinet Office, Department for Housing and Levelling Up and Kent County Council, as well as any executive agencies it sponsors. In these situations, the external agency acts as a data controller in their own right.

8.3 The council recognises there is a growing need to share health data to benefit the lives of residents. Where there is a lawful basis to do so, the council will share data with appropriate authorities regarding health, in particular this includes NHS services and Kent County Council.

8.4 The council will only appoint processors if, and when, sufficient guarantees around compliance with the data protection legislation have been supplied.

8.5 Where a processor can demonstrate that they adhere to approved codes of conduct or certification schemes, the council will take this into consideration for choice of supplier.

8.6 Processors, working with or for the council, who have access to personal data, will be expected to comply with this policy.

8.7 When the council uses a processor, a written contract/agreement with compulsory terms as set out in Article 28 of the UK GDPR must be in place, along with any additional requirements that the council determines necessary. Any written contracts/agreements with processors will entail a clause that specifies that processors can only act on the instruction of the council also giving the council the right to audit compliance with the agreement.

8.8 Subject to the necessary legislative requirements, the council permits the sharing of information in the following ways:

  • a reciprocal exchange of information;
  • one or more organisations providing information to a third party or parties;
  • several organisations pooling information and making it available to each other;
  • several organisations pooling information and making it available to a third party or parties;
  • different parts of an organisation making information available to each other; or
  • exceptional, one-off disclosures of information in unexpected or emergency situation.

8.9 In all cases, before data is shared, the council will:

  • identify the lawful basis for sharing. This includes identifying whether the data sharing is congruent with the lawful basis upon which the data was collected to do so; determine if the data subjects need to be consulted or consent to the processing; determine if the data needs to be re-collected for the new purpose; and if any additional documentation is required, including a new privacy notice.
  • Consider whether it is appropriate to anonymise the data or use a pseudonym first. The decision outcome should be documented, including the supporting arguments.
  • Ensure that all necessary precautions to maintain the security, integrity and proper treatment of personal data have been considered and documented. If, based on the information provided, the council cannot guarantee that the recipient, whether it is an internal or external party, adequately complies with data protection legislation then the council will refuse to provide the data and/or sign any contracts/agreements.
  • Determine if one or more of the following signed documents are required between the council and the third party to define the obligations of both parties:  a data sharing agreement, a contract, which includes sufficient reference to data protection, a non-disclosure agreement and/or a confidentiality agreement.

International transfers

9.1 The council will only transfer data outside the UK in accordance with Articles 44-50 of the UK GDPR. The council will refer to the list of countries/territories that the UK has deemed as covered by an ‘adequacy regulation’ before transferring personal data.

9.2 Should the council identify the need to transfer data to a third country that does not have an adequacy rating, the council will review each case independently against the criteria and options listed in Article 46 of the UK GDPR.

9.3 The council will approach the transfer of personal data to third counties using an exemption with extreme caution and will not rely on the exemptions listed lightly, and never routinely.

9.4 The council will only transfer personal data to third counties once:

  • all the appropriate documentation has been completed, including DPIAs;
  • the council is satisfied that the conditions set out in Chapter 5 (Articles 44-50) of the UK GDPR have been met; and
  • the transfer has been approved by the DPO

9.5 The council will determine which mechanism in Article 46 of the UK GDPR is adequate for the council to use, based on the following factors:

  • the nature of the information being transferred;
  • the country or territory of the origin, and final destination, of the information;
  • how the information will be used and for how long;
  • the laws and practices of the country of the transferee, including relevant codes of practice and international obligations; and
  • the security measures that are to be taken as regards the data in the overseas location

Breaches and breach notification

10.1 A breach of data is defined as a security incident that has adversely affected the confidentiality, integrity or availability of personal data. This could include:

  • hacking or other forms of unauthorised access by a third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • loss or theft of devices or data;
  • alteration of personal data without permission; and
  • loss of availability of personal data

10.2 All breaches and suspected breaches should be reported to the Information Governance Team as soon as possible in line with the Data Breach Procedure.

10.3 The council acknowledges that data breaches can happen at any time and as such will ensure measures are in place to respond to breaches regardless of the date and time they occur.

10.4 Where there is a likely risk to individuals’ rights and freedoms, the Data Protection Officer and/or the Deputy Data Protection Officer will report the personal data breach to the ICO within 72 hours of the organisation being aware of the breach.

10.5 The council acknowledges that failure to notify the ICO about a breach could result in significant penalties of either a maximum fine of up to £17.5 million or 4% of your annual turnover, whichever is greater. In addition, significant breaches are also likely to result in damage to the council’s reputation.

10.6 Where there is also a likely high risk to individuals’ rights and freedoms, the council will inform those individuals without undue delay; unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (this includes but is not limited to encryption), or it would amount to disproportionate effort to inform the data subject directly. In the latter circumstances, a public communication must be made, or an equally effective alternative measure must be adopted to inform data subjects, so that they themselves can take any remedial action.

10.7 The Information Governance Team will keep a record of all personal data breaches reported and follow up with appropriate measures and improvements to reduce the risk of reoccurrence.

10.8 Actions or omissions leading to a breach of this policy, or failure to report a breach will be investigated.

10.9 Where gross misconduct is suspected, this will be dealt with under council’s Staff Disciplinary Policy. If a breach is deemed to be a criminal offence, the matter will be reported to the appropriate authorities. This does not affect an employee’s right to whistle blow or to freedom of speech, but rather to run in parallel with the council’s policies on these matters. Offences which the council consider to be gross misconduct include but are not limited to:

  • deliberate unlawful disclosure of personal data
  • inappropriate use of personal data
  • deliberately accessing special category personal data in the absence of a legitimate business reason for doing so
  • misuse of personal data which results in a claim being made against the council

Implementation of technical and organisational measures

11.1 The data protection principles require the council to implement appropriate technical and organisational measures to avoid any breaches and to be able to demonstrate that processing is performed in accordance with the Article 24 of the UK GDPR.

11.2 Appropriate data protection documentation by the council includes the Privacy Notices, Data Protection Policy, Acceptable Users Policy, Subject Access Policy and Procedure, Disposal and Retention Policy, Information Security Policy and Breach Notification policy etc.

11.3 Other measures or controls include the pseudonymisation and encryption of personal data; anonymization of data; restricting access control with passwords; using antivirus and firewalls and securing physical storage spaces e.g. cupboard spaces

11.4 The council is committed to ensuring that personal data should be accessible only to those who need to use it, with access granted in line with the remits of an individual’s job role or in accordance with data subject rights.

11.5 All electronically held data is processed as per the details contained within the council’s ICT Policies.

11.6 The controls listed in the ICT Policies are applied on the basis of identified risk to personal data, and the potential for damage or distress to individuals whose data is being processed.

11.7 All paper-based personal data is subject to appropriate records management control including but not limited to, being stored in lockable drawers, filing cabinets and cupboards.

11.8 The council understands that data protection is not a barrier to working offsite and data protection legislation does not prevent this. However, the processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data and requires the implementation of measures to reduce the risk(s). The council must be satisfied that employees have adequate security measures in place for this to happen.

Complaints

12.1 Data subjects have the right to request a review of the council’s decisions. The review would normally be carried out by the council. If dissatisfied, they have a right to complain to the Information Commissioner’s Office (ICO). In addition, they can seek judicial remedies through the courts.

12.2 The Data Protection Officer can be contacted at:

Data Protection Officer
Information Governance
Maidstone Borough Council
Maidstone House
King Street
Maidstone
Kent
ME15 6JQ
or email dataprotectionofficer@maidstone.gov.uk

Policy review

13.1 This policy will be updated within three years, or sooner when necessary to reflect best practice and future amendments made in relation to any further changes to legislation. The council recognises there are upcoming changes to data protection legislation and will update this policy accordingly.