Data Protection Policy 2023

Published March 2024. An accessible document from southtyneside.gov.uk

Introduction

This policy sets out South Tyneside Council’s approach to handling personal data in accordance with the UK General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018.

As Data Controller, it is the Council’s obligation to ensure compliance with Data Protection Law.

The purpose of this policy is to ensure that South Tyneside Council employees, elected members and individuals working for, or on its behalf, are aware of their obligations under Data Protection Law.

Registration

South Tyneside Council is registered with the Information Commissioner’s Office (ICO) as a registered Data Controller for the processing of living individuals’ personal information.

South Tyneside Council’s registration number is Z5765988.

There are also other registrations which cover functions undertaken by the Council:

  • Electoral Registration Officer / Returning Officer
  • The Superintendent Registrar for Births, Deaths, Marriages and Civil Partnerships

Scope

This policy applies to:

  • All forms of personal information held, stored, archived or processed by the Council, including electronic and hard copy formats.
  • All employees of the Council, elected members, volunteers, agency workers and any third parties accessing the Council’s data and/or networks.
  • All electronic and communication devices owned, administered or sanctioned for use by the Council.
  • All service users on whose behalf the Council processes data.

Personal information is defined as any information which relates to a living individual who can be identified either:

  • from the information we hold, or
  • from the information combined with any other information which is already in the possession of, or likely to come into the possession of, the person or organisation holding the information

Personal information also includes expressions of opinions about an individual, and any indication of the intentions of the data controller or any other person in respect of the individual.

Policy Statement

The Council needs to collect, store and use personal information in order to carry out our functions. In some instances the Council has a legal obligation to collect and use personal information. Personal information must always be handled in accordance with the law.

The Council is committed to:

  • Complying with the law and good practice
  • Respecting individuals’ rights
  • Being transparent with individuals whose personal data is collected and held
  • Ensuring retention and destruction requirements for personal data are adhered to
  • Implementing appropriate security measures to keep personal data safe and ensuring it is only accessible to appropriate personnel
  • Ensuring personal data is not transferred abroad without suitable safeguards in place
  • Providing regular training and support for all employees who handle personal information
  • Demonstrating compliance with the Data Protection Principles (see below)

Data Protection Principles

When processing personal information, the Council will always require that those within the scope outlined in the Scope section above (Section 3) comply with the data protection principles. Personal data will be:

  • used fairly and lawfully
  • only used for the purposes for which it was provided, unless otherwise required by law
  • collected only to the extent needed for the required purpose
  • accurate and where necessary, up to date
  • only held for as long as necessary
  • kept safe and secure

As Data Controller, the Council is responsible for, and must be able to demonstrate, compliance with the principles above (accountability). More information on individuals’ rights is included in Chapter 10 - Individual Rights.

Duties and Responsibilities

It is the responsibility of everyone to handle information and data appropriately. It is essential that anyone working for, or on behalf of, the Council understands and abides by the following:

  • Corporate and/or departmental policy, procedures and guidance on the collection and use of personal information will be followed at all times
  • We process personal information in accordance with data protection laws
  • We will always promote transparency around the use of personal information
  • We will only collect the minimum amount of personal information needed for the intended purpose
  • Personal information is used only for the specified purpose or legal requirement
  • Only access the personal information required to carry out your role and no more
  • Personal information is kept accurate and up-to-date
  • Personal information is destroyed securely when it is no longer needed
  • We handle personal information in accordance with security policies and procedures
  • Do not send personal information outside of the UK without seeking guidance
  • Requests from individuals for their personal data are referred to Information Governance in a timely manner
  • Complete any mandatory Data Protection training courses.

The Council will ensure that:

  • Employee and elected member training needs are identified and training is provided to ensure those managing and handling personal information understand their responsibilities and follow good practice
  • Anyone who makes a request regarding their personal information to the Council is responded to
  • Advice and support is offered to employees and elected members in relation to data protection enquiries.

Data Protection Governance

The Council has several roles in place to ensure compliance with data protection laws:

Data Protection Officer (DPO) and Deputy Data Protection Officer (DDPO)

The Council’s Data Protection Officer has the following responsibilities:

  • advise senior management and employees about our data protection obligations
  • monitor compliance with data protection laws, including managing internal data protection activities, raising awareness of data protection issues, training employees and conducting internal audits
  • advise on, and monitor data protection impact assessments
  • cooperate with the supervisory authority (ICO)
  • be the first point of contact for supervisory authorities and individuals whose data is processed (employees, customers etc.).

Senior Information Risk Owner (SIRO)

The SIRO takes overall ownership of the Council’s Information Risk Policy, acts as champion for information risk and provides advice to the Chief Executive on internal controls in regard to information risk. The SIRO will assist the organisation to consider the information risks associated with its business goals and how those risks may be managed. The SIRO is responsible for ensuring that organisational information risk is properly identified and managed and that appropriate assurance mechanisms exist.

Caldicott Guardian

All local authorities which provide social services must have a Caldicott Guardian who is responsible for protecting the confidentiality of people’s health and care information and making sure it is used and shared appropriately and in line with the Caldicott principles.

Information Governance

Information Governance provide advice and support to Council teams, officers and elected members in relation to data protection. The Information Governance Team is also responsible for processing Freedom of Information (FOI) requests, Environmental Information Regulations (EIR) requests and Subject Access Requests (SAR) in accordance with legislation. Information Governance also provide advice and guidance on potential data breaches, which will be investigated by the appropriate Service Team.

Information Security

The Information Security Lead is responsible for overseeing all information security related policies and procedures and for approving any exemptions. The lead is also responsible for carrying out risk assessments of security related issues, situations or assets in relation to information governance and advising or escalating accordingly.

How we use personal information

Lawful basis for processing

We process personal information where there is a relevant lawful basis to do so in data protection law. These include circumstances where:

  • the data subject has given consent to the processing for specific purposes
  • processing is necessary to perform a contract with the data subject
  • processing is necessary to comply with one of the Council’s legal obligations
  • processing is necessary to protect the vital interests of the data subject or other person
  • processing is necessary to carry out a task in the public interest or the exercise of the Council’s official authority
  • processing is necessary for the purposes of the legitimate interests pursued by the Council or a third party, where those purposes do not form part of the Council’s public task.

Special Category Information

Special category information (also known as sensitive personal information) is personal information relating to:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

Special category information is given specific protection under data protection laws. Information in these categories is particularly sensitive as processing could create significant risk to the rights and freedoms of an individual.

Sensitive personal data can only be processed where one of the following specified conditions is met:

  • The data subject has given explicit consent to the processing for the specified purpose
  • Processing is necessary to carry out employment, social security and social protection law obligations, or exercise specific rights, authorised under the DPA
  • Processing is necessary to protect the vital interests of the data subject (life and death situations) where the data subject is physically or legally incapable of giving consent
  • Processing carried out by an organisation with a political, philosophical, religious or trade-union aim under conditions specified in the GDPR
  • Processing relates to personal data the data subject has made public
  • Processing is necessary to establish, exercise or defend legal claims or when a court is acting in its judicial capacity
  • Processing is necessary for reasons of substantial public interest, on the basis of law, and proportionate to the aim pursued, respectful of the right to data protection and provides suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • Processing is necessary, and processed by or under the responsibility of a professional subject to the obligation of professional confidentiality for:
    • preventative or occupational medicine
    • assessment of the employee’s working capacity
    • medical diagnosis
    • provision of health or social care or treatment
    • the management of health or social care systems and services
    • under a contract with a health professional
  • Processing is necessary in the public interest in the area of public health (principles of proportionality and professional confidentiality apply)
  • Processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes

All employees must recognise how to identify special category information and how to process it lawfully and according to Council policy. Employees should seek advice from Information Governance if uncertain about how these rules apply.

Children’s Information

The GDPR explicitly states that children’s personal data merits specific protection. It also introduces new requirements for the online processing of a child’s personal data.

Where consent is relied on for processing a child’s data, in the UK only children aged 13 or over are able to give their own consent. For children under this age, unless providing an online preventive or counselling service, consent needs to be provided by the holder of parental responsibility over the child.

Specific protection is also required where children’s personal data is used for marketing purposes or creating personality or user profiles.

Finally, the GDPR requires the provision of age-appropriate privacy notices for children, and says that the right to have personal data erased is particularly relevant when processing is based upon the consent of a child.

More guidance on handling Children’s information can be found on the ICO website.

Use of personal data in marketing or promotion

South Tyneside Council complies with the Privacy and Electronic Communications Regulations (PECR). PECR is a law in the UK which makes it unlawful to send direct marketing (or any promotional material with regards to goods and services) by electronic means without the consent of the receiver.

More guidance on PECR can be found on the ICO website. For further advice please contact Information Governance.

Individual Rights

Individuals, also known as data subjects, have the following rights set out in law:

Right to be informed

Individuals have the right to know about the collection and use of their personal information.

Right of access

Individuals have the right to obtain a copy of their personal information and supplementary information. This is commonly known as a Subject Access Request (SAR).

Right to rectification

Individuals have the right to have inaccurate personal information rectified. They also have the right to have incomplete personal information completed in some instances.

Right to erasure

In certain circumstances individuals have the right to have their personal information erased. This is also known as the ‘right to be forgotten’.

Right to restrict processing

Individuals have the right to request the Council to restrict using their personal information in some circumstances. This may be during a challenge to the accuracy of the information.

Right to data portability

Individuals have the right to receive their personal data in a structured, commonly used and machine readable format. This is mostly used for banking and insurance purposes when wanting to switch providers and is not commonly used by Councils.

Right to object

Individuals have the right to object to the Council using their personal information. The right to object only applies in certain circumstances, and requests to object to the use of personal information will be considered on an individual basis. The Council will be unable to stop using personal information if it is needed to carry out a statutory function.

Rights in relation to automated decision making and profiling

Automated individual decision-making is a decision made by automated means without any human involvement. An example of this would be an online decision to award a loan. Profiling can be used to find out about individuals' preferences, predict behaviour or make decisions about people.

If an individual wishes to exercise their rights, advice can be sought from Information Governance where necessary.

Data Retention

Teams who process personal data will be responsible for holding and maintaining a retention schedule. This will explain what personal data is being used by the team, as well as how long it will be held for.

Retention schedules will follow any legislative requirement regarding the retention period for personal data. If there is no legal requirement to hold personal data for a specific period of time, it will be held in line with best practice.

Record of Processing Activities

Teams who process personal data will maintain a record of processing activities (ROPA). This will set out what personal data is being used, the lawful basis for processing, the source of the information and who it is shared with.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project, new process or new system.

A DPIA must be completed for processing that is likely to result in a high risk to individuals. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Data Protection Impact Assessment

Assessments should be signed off by Head of Service or Corporate Lead after consultation with the Data Protection Officer and/or Information Governance.

If the assessment judges the processing of personal information to be Medium or High risk, it may require sign off from the Senior Information Risk Owner (SIRO) or the Information Commissioner before any processing can take place.

More information on DPIAs is available on the ICO website.

Privacy Notices

Individuals have the right to be informed about the collection and use of their personal information. This is a key transparency requirement under data protection laws.

When collecting personal information, individuals must be provided with information explaining how we intend to use their personal data.

Teams and services who collect and use personal information should develop their own privacy notice. It may be appropriate to include a short privacy notice on forms with a link to a wider privacy notice on the Council website.

Privacy notice template

Information Sharing

Where the Council regularly shares personal information with our partners and other organisations, an Information Sharing Agreement should be put in place. This agreement will clearly set out what information is to be shared and any conditions set around sharing the information, such as how often it will be shared and how long it will be held for. This agreement should be approved by all partners to the sharing before sharing any information.

Social Care - Professional Information Sharing with External Agencies

Professional information sharing with agencies such as Cafcass and other local authorities must be carried out directly by Social Care teams as part of their professional information sharing.

Such requests should not be directed to the Information Governance Team, as this could delay important decisions being made in respect of these families. This should be done in line with the national guidance on information sharing (Information Sharing Advice).

Important Point: this process must not be used for requests from service users, their families or solicitors. Such requests must be forwarded immediately to Information Governance.

If you are not sure whether professional information sharing is appropriate, please contact Information Governance for advice.

Professional sharing process

Data Breaches

A data breach can occur when personal data is lost, stolen, unlawfully destroyed, accessed inappropriately or shared in error. The majority of data breaches occur due to human error.

If you are made aware of a data breach you should inform your manager immediately (without delay), who should then report it to Information Governance as soon as possible, and no later than 24 hours after becoming aware of the breach.

An investigation will need to take place in order to determine any immediate threat to individuals whose personal data has been breached. Consideration will also need to be given to any notification we need to provide to data subjects in order that they can protect themselves from any potential harm as a result of the breach. We will also need to consider whether the breach meets the threshold for self-reporting to the Information Commissioner’s Office (ICO).

Any data breach investigation must consider the context and source of the breach, so that the Council can learn from incidents and put measures in place that help to avoid similar breaches from occurring in future.

If your manager is unavailable, you can contact Information Governance. Guidance on what to do can be found on the intranet.

Contacts

For further information, help or advice in relation to data protection please use the following contacts:

Information Governance
data.protection@southtyneside.gov.uk
0191 424 6539

Information Security
Information.security@southtyneside.gov.uk
0191 424 7536

Data Protection Officer (DPO)
data.protection@southtyneside.gov.uk
0191 424 6539

Senior Information Risk Owner (SIRO)
data.protection@southtyneside.gov.uk
0191 424 6539

Caldicott Guardian
data.protection@southtyneside.gov.uk
0191 424 6539

Useful links

Information Commissioner’s Office (ICO)

Data Protection Act 2018

Guide to the General Data Protection Regulation (GDPR)