Data Privacy Notice & Data Protection Policy
The Broadway Parish Council is committed to respecting and protecting privacy. We only use the information that we collect about you lawfully in accordance with the GDPR and Data Protection Act 2018.
This Privacy Notice & Data Protection Policy is to explain when and why we collect personal information, how we use it, the conditions under which we may disclose it to others, and how we keep it secure.
We may change this Policy from time to time, so please check this page occasionally to ensure that you’re happy with any changes. This Policy was last updated in September 2024.
Any questions regarding this Policy and our privacy practices should be sent by email to clerk@broadwayparishcouncil.org or in writing to The Parish Office, 5 Russell Square, Broadway, WR12 7AP.
DATA PRIVACY NOTICE
1. Your personal data - what is it?
Personal data relates to a living individual who can be identified from that data, e.g. a name, photo or address. Identification can be by the information alone or with other information in the data controller’s possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
2. Who are we?
Broadway Parish Council is the data controller (contact details are below). This means it decides how your personal data is processed and what it is used for.
3. How do we process your personal data?
Broadway Parish Council complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and be ensuring that appropriate technical measures are in place to protect personal data. We may use your personal data for the following purposes:
✓ To enable us to provide services for the benefit of residents within the parishes
✓ To process relevant transactions including donations and grant applications.
✓ To send you information that you have requested.
✓ To manage employees and contractors.
✓ To maintain our own accounts and records (including the processing of grants).
✓ To inform parishioners and the wider community of news, events, activities and services within the parish.
✓ To seek your views, opinions and comments.
4. What is the legal basis for processing your personal data?
The council is a public authority and has certain powers and obligations. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the council’s obligations to you. We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use.
5. Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with other organisations with your explicit consent.
6. How long do we need your personal data?
We will keep records as legally required. For example it is best practice to keep financial records for a minimum of 8 years to support HMRC audits. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority, such as the current electoral roll. We will endeavour to keep data only for as long as we need it- it will be deleted when no longer required.
7. Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
✓ The right to request a copy of your personal data which Broadway Parish Council holds.
✓ The right to request that Broadway Parish Council corrects any personal data if it is found to be inaccurate or out of date.
✓ The right to request your personal data is erased where it is no longer necessary for Broadway Parish Council to retain such data.
✓ The right to withdraw your consent to the processing at any time.
✓ The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller (known as the right to data portability).
✓ The right to object to the processing of personal data or restrict it to certain purposes.
✓ The right to lodge a complaint with the Information Commissioner’s Office.
8. Further processing
If we wish to use your personal data for a new purpose, not covered by this Data Protection Notice, then we will provide you with a new notice explaining this new use prior to starting the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing.
9. Contact Details
To exercise all relevant rights, queries or complaints please contact: The Parish Clerk clerk@broadwayparishcouncil.org or Broadway Parish Council Office, 5 Russell Square, Broadway, WR12 7AP.
You can contact the Information Commissioner’s Office on 0303 123 1113 or via email on https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
DATA PROTECTION POLICY
1. Introduction
In order to conduct relevant business, services and duties as a public authority Broadway Parish Council processes a range of data relating to its own operations and some which it handles on behalf of partners. In broad terms, this data can be classified as:
Data shared in the public arena about the services it offers, its mode of operations and other information it is required to make available to the public.
Confidential information and data not yet in the public arena such as ideas or policies in the process of being decided.
Information about other organisations that is confidential because of commercial sensitivity.
Personal data concerning its current, past and potential employees, councillors and volunteers.
Personal data concerning individuals who contact the Parish Council for information, to access its services or facilities or to make a complaint.
Broadway Parish Council will adopt procedures and manage responsibly, all data which it handles and will respect the confidentiality of both its own data and that belonging to partner organisations it works with and members of the public. In some cases, it will have contractual obligations towards confidential data, but in addition will have specific legal responsibilities for personal and sensitive information under data protection legislation.
Broadway Parish Council will periodically review and revise this policy in the light of experience, comments from data subjects and guidance from the Information Commissioners Office.
The Council will be as transparent as possible about its operations and will work closely with public, community and voluntary organisations. Therefore, in the case of all information which is not personal or confidential, it will be prepared to make it available to partners and members of the parish communities.
Details of information which is routinely available is contained in the Council’s Publication Scheme which is based on the statutory model publication scheme for local councils and is available on the Broadway Parish Council website at: https://www.broadwayparishcouncil.org/
Protecting Confidential or Sensitive Information
Broadway Parish Council recognises it must at times, keep and process sensitive and personal information about employees and the public; it has therefore adopted this policy not only to meet its legal obligations but to ensure high standards.
2. This policy is based on the eight principles set out in the 1998 Act
Data shall:
i. Be processed fairly and lawfully;
ii. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with the purpose;
iii. Be adequate, relevant and not excessive for the purpose;
iv. Be accurate and up-to-date;
v. Not be kept for longer than necessary for the purpose;
vi. Be processed in accordance with the Data Subject’s rights;
vii. Be kept safe from unauthorised processing and accidental loss, damage or destruction;
viii. Not be transferred to a country outside the European Economic area, unless that country has the equivalent levels of protection for personal data, except in specified circumstances.
3. Definitions:
The Act – means the Data Protection Act 1998 which controls the use of personal information by organisations, businesses and government. Everyone responsible for using data has to follow the data protection principles (as above) and make sure the information is used fairly and lawfully.
General Data Protection Regulation (GDPR) – from 25th May 2018, the GDPR replaces the Data Protection Act 1998. Its aim is to give people more control over how organisations use their data and to ensure data protection law is almost identical across the EU.
Data subject - means the person whose personal data is being processed. This may be an employee, prospective employee, councillor, resident or customer. Other data subjects and third parties may include contractors, suppliers, contacts, referees, friends or family members.
Personal data - means any information relating to a natural person or data subject that can be used directly or indirectly to identify the person. It can be anything from a name, a photo, and an address, date of birth, an email address, bank details, and posts on social networking sites or a computer IP address.
Sensitive personal data - includes information about racial or ethnic origin, political opinions, and religious or other beliefs, trade union membership, physical or mental health or condition, sexual orientation, genetic and biometric data or criminal proceedings or convictions.
Data controller - is a ‘person’ who determines the purposes for which and the manner in which any personal data is to be processed. A ‘person’ as recognised in law may be an individual, organisation or body of persons.
Data processor - in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing – refers to any action involving personal information, including obtaining, viewing, copying amending, adding, deleting, extracting, storing, disclosing or destroying information.
Data Protection Officer – is an individual working on behalf of the Data Controller with responsibility for the data protection within that organisation.
4. Reasons for processing personal data
Brroadway Parish Council processes personal data in order to:
- fulfil its duties as an employer by complying with the terms of contracts of employment, safeguarding the employee and maintaining information required by law.
- pursue the legitimate interests of its business and its duties as a public body, by fulfilling contractual terms with other organisations, and maintaining information required by law.
- monitor its activities including the equality and diversity of its activities.
- fulfil its duties in operating the business premises including security.
- assist regulatory and law enforcement agencies’
- process information including recording and updating details about its Councillors, employees, partners and volunteers.
- process information including the recording and updating details about individuals who contact it for information, or to access a service, or make a complaint.
- undertake surveys, censuses and questionnaires to fulfil the objectives and purposes of the Council.
- undertake research, audit and quality improvement work to fulfil its objects and purposes.
- carry out Council administration.
Where appropriate and governed by necessary safeguards we may carry out the above processing jointly with other appropriate bodies from time to time.
5. Fair Process
The Council will ensure that at least one of the following conditions is met for personal information to be considered fairly processed:
The individual has consented to the processing
Processing is necessary for the performance of a contract or agreement with the individual
Processing is required under a legal obligation
Processing is necessary to protect the vital interests of the individual
Processing is necessary to carry out public functions
Processing is necessary in order to pursue the legitimate interests of the data controller or third parties.
Particular attention is paid to the processing of any sensitive personal information and the Parish Council will ensure that at least one of the following conditions is met:
Explicit consent of the individual
Required by law to process the data for employment purposes
A requirement in order to protect the vital interests of the individual or another person
6. Responsibilities
Broadway Parish Council is the Data Controller and must ensure that any processing of personal data for which they are responsible complies with the Act. The Data Protection Officer is the Executive Officer, who acts on behalf of the Council and is responsible for:
i. Fully observing conditions regarding the fair collection and use of information;
ii. Meeting the Council’s legal obligations to specify the purposes for which information is used;
iii. Collecting and processing relevant information, only to the extent that is required to fulfil operational needs/to comply with legal requirements;
iv. Ensuring the quality of information used;
v. Applying strict checks to determine the length of time that information is held;
vi. Ensuring that the rights of the people whose information is held are able to be fully exercised under the Act;
vii. Taking appropriate technical and organisational security measures to safeguard personal information;
viii. Ensuring that personal information is not transferred abroad without suitable safeguards;
ix. Ensuring that everyone managing and handling personal information –
a) Fully understands they are contractually responsible for following good practice in terms of protection;
b) Is adequately trained to do so;
c) Is appropriately supervised.
Appendix A of this policy sets out guidelines for staff members, volunteers and councillors that process or may have access to personal data.
7. Information provided to Broadway Parish Council
Personal information such as name, address, email address, phone number provided to Broadway Parish Council, will be processed and stored so that it is possible for the Council to contact, respond to or conduct the transaction requested by the individual.
By transacting with Broadway Parish Council, individuals are deemed to be giving consent for the personal data they have provided to be used and transferred in accordance with this policy, however wherever possible specific written consent will be sought. It is the responsibility of those individuals to ensure the Parish Council can keep their personal data accurate and up-to- date. The personal information will be not shared or provided to any other third party or be used for any purpose other than that for which it was provided.
8. The Council’s Right to Process Information
General Data Protection Regulations (and Data Protection Act) Article 6 (1) (a) (b) and (e)
Processing is with consent of the data subject, or
Processing is necessary for compliance with a legal obligation.
Processing is necessary for the legitimate interests of the Council.
9. Storage and Retention
Personal data may exist in either paper-based format or electronically.
All paper-based documents are securely filed in lockable cabinets in an alarmed office premises that can be accessed only by the Data Protection Officer and nominated members of the parish council.
All electronic data is securely password protected on both the current operating system, off-site data storage and the separate hard-drive.
Different types of information will be kept for differing time periods, depending on legal and operational requirements. See the council’s Document Retention Policy for further details.
10. Access to Information
Any employee, councillor, resident, customer or other data subjects have a right to:
i. Ask what personal information the Council holds on them;
ii. Ask what this information is used for;
iii. Be provided with a copy of the information
iv. Be given details of the purposes for which the Council uses the information and any other persons or organisations to whom it is disclosed;
v. Ask that any incorrect data held is corrected.
If the data subject believes that any personal information held is incorrect the individual may request that it be amended. The Council must advise the individual within 21 days whether or not the amendment has been made.
11. Breach of Policy
Compliance with the Act is the responsibility of all councillors and members of staff. Any deliberate or reckless breach of the policy may lead to disciplinary action and, where appropriate, legal proceedings.
Any individual who believes that the Council has breached any of the requirements of the Data Protection Act 1998, including the GDPR 2018, should raise the matter with the Executive Officer.Alternatively, a complaint can be made to the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; casework@ico.org.uk / Tel: 0303 123 1113
SECURITY PRECAUTIONS
On-line security is our highest priority. Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while Broadway Parish Council strives to protect your personal information, Broadway Parish Council cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.
LINKS TO OTHER WEBSITES
The Broadway Parish Council a website at www.broadwayparishcouncil.org may contain links to other websites run by other organisations. This data privacy & protection policy applies only to the www.broadwayparishcouncil.org website‚ so we encourage you to read the privacy statements on other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from www.broadwayparishcouncil.org.
APPENDIX A – GUIDELINES FOR STAFF, VOLUNTEERS & COUNCILLORS
During the course of your duties with Broadway Parish Council, you will be dealing with information such as names / addresses / phone numbers / email addresses of members of the public. You may be told or overhear sensitive information while working for the Parish Council.
The Data Protection Act 1998 and subsequent General Data Protection Regulation 2018 give specific guidance on how this information should be dealt with. In order to comply with the law, when personal information is collected, it must be used fairly, stored safely and not disclosed to any other person unlawfully.
Please use the following guidelines to help meet the legal requirements. If you are in any doubt about any of them, please ask the Data Protection Officer (the Executive Officer) for advice:
Sharing of personal information
‘Personal information’ includes details such as addresses / phone numbers and health details supplied by members of the public.
Such information may be shared between staff and councillors at Broadway Parish Council for work purposes but should not be given to anyone outside the Council without explicit consent from the person concerned. If such a situation arises, please ask the Executive Officer for advice.
Unlawful disclosure of personal information
Under the Data Protection Act you are committing a criminal office if you disclose personal information ‘knowingly or recklessly’ to anyone you are not supposed to, so please be careful. Give consideration to any conversations you are having containing personal or sensitive information that could possibly be overheard by people who should not have access to such information.
Use of files, books and other paper records
In order to prevent unauthorised access and accidental loss or damage to personal information held on paper, please take good care of the files, books and other paper records you use, and ensure they are stored safely and securely before leaving the office.
Use of email
Please ensure before sending e-mails that they contain no personal or sensitive information that the recipients should not have access to. This is a particular risk when forwarding emails or adding in new recipients to an e-mail chain. Always check the email before sending.
Disposal of scrap paper
Be aware that names / addresses / phone numbers and other information written on scrap paper are also considered to be confidential. Such notes must be shredded or disposed of in the confidential waste provision within the office.