1. Policy statement
1.1 Norwich City Council lawfully processes information about its residents, members, employees, customers and other individuals in order to carry out its everyday business and to fulfil its public functions.
1.2 Norwich City Council is committed to protecting the rights of privacy and processing will be conducted fairly, lawfully and transparently in accordance with the General Data Protection Regulation (EU 2016/679) and all other applicable data protection law (‘Data protection legislation’).
1.3 Data subjects have legal rights including the right to request: access to their data; rectification of an error; erasure of their details; restriction of processing; portability of their data; and to object to processing. To find out more about these rights please see Section 8.
1.4 This policy must be read and complied with by all permanent staff, temporary staff, councillors, partner organisations, other authorised third parties (suppliers and contractors) and all other authorised users. It must be adhered to when processing any of Norwich City Council’s personal data.
1.5 This policy is open to all internal and external stakeholders and is available on the council’s website www.norwich.gov.uk
2.1 Data protection legislation requires all public authorities to designate an officer responsible for data protection. The data protection and information team leader for Norwich City Council is involved in all matters which relate to the protection of personal data and is required to monitor compliance, provide advice and to co-operate/communicate with the regulator as required.
2.2 The senior information risk owner (SIRO) is responsible for ensuring information assurance controls are in place.
2.3 The corporate leadership team is responsible for developing and encouraging robust information handling practices within the council.
2.4 Data protection champions have been nominated from across the council who help to ensure that all the council services maintain our high standards.
2.5 Beyond this, compliance with data protection legislation is the responsibility of everyone that processes personal data on behalf of the council. The council, through its staff, members and authorised third parties, is responsible for ensuring that any personal data is processed in accordance with data protection legislation.
3. Data protection legislation principles
3.1 All processing of personal data must be done in accordance with the data protection principles as prescribed in data protection legislation:
- Personal data shall be processed lawfully, fairly & transparently (‘lawfulness, fairness and transparency’);
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’);
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
3.2 Furthermore, data controllers are required to be responsible for, and to demonstrate compliance with the principles (‘accountability’).
3.3 The council’s accountability is demonstrated in numerous ways, including: the provision of mandatory data protection training, and refresher training; through the assignment of responsible individuals across the organisation (as set out at Section 2) including the assignment of the data protection and information team leader and data protection champions from across the service areas who help to maintain high standards of data privacy; and through the application of council policies which are all regularly reviewed, promoted and accessible.
4. Lawful processing
4.1 Personal data will be lawfully processed by the council at all times.
4.2 There are six ways in which lawful processing can occur, however only five of these are available to the council as a public authority in the performance of tasks.
4.3 These five ways of lawful processing are:
- The data subject consents to the processing for one or more specific purpose.
- In the performance of a contract to which the data subject is a party
- In compliance with a legal obligation.
- It is necessary to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller
4.4 When Norwich City Council exercises its official obligation to provide services, the lawful ground generally used will be the exercise of the official authority vested in the controller. The council hereby acknowledges the regulator’s guidance on consent which identifies that public authorities will rarely be able to use consent as their lawful processing ground. However, where direct marketing is being carried out consent will ordinarily be required.
4.5 The council will be clear and transparent in privacy notices, detailing the purposes for which data is collected.
4.6 Wherever the lawful ground of processing is consent, consent will be requested: 4.6.1 In clear, specific and plain language.
4.6.2 Separate from other matters. If the processing is necessary for the provision of a service or the performance of a contract consent is unlikely to be a suitable lawful processing ground.
4.6.3 Able to put individuals in control of their data, build trust and engagement and maintain the council’s high-standards.
4.6.4 Important in providing genuine choice and control. It will be an affirmative action and will not be deemed or gathered by pre-ticked or opt-out boxes.
4.6.5 As easy to withdraw as it was to give consent. We will clearly explain how consent can be withdrawn and continue to do so in future interactions.
4.6.6 Reviewed and refreshed regularly.
4.6.7 Acted upon, ensuring that appropriate action is taken to prevent further processing where consent is withdrawn.
4.7 If any member or officer of the council is in any doubt about these matters, they should contact the data protection and information team leader by emailing DPO@norwich.gov.uk
5. Privacy notices
6. Security of data
6.1 The council implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
6.2 All staff are responsible for ensuring that any council personal data which they hold is kept securely and not disclosed to any unauthorised third parties.
6.3 All personal data should be accessible only to those who need to use it. To ensure an appropriate level of security, we will keep personal data:
- In a locked room with access controlled; or
- In a locked drawer or filing cabinet; or
- If computerised, ensure data is only accessible to the required individuals; or
- Kept on encrypted disks, which are themselves stored securely.
6.4 Care should be taken to ensure that PCs and screens are not visible except to authorised individuals. Passwords must be kept confidential.
6.5 Care must be taken with the deletion or disposal of personal data ensuring safe disposal in line with the Records Management Policy. Physical records should be shredded or placed in the confidential waste bins.
6.6 Electronic records should be securely stored and deleted from council systems in line with the council’s retention guidelines and Records Management Policy. The council maintains a back-up system for use in emergencies.
6.7 Where data is transferred to a third-party individual or organisation, we take every step to ensure that this data is secure. We cannot however be held responsible for data once it reaches the third party unless that third party is an authorised data processor for the council in which case we take due diligence to ensure they meet council standards of security.
6.8 Where personal data is transferred to a third-party individual or organisation security measures will be taken to prevent a security breach in transit (these may include sending documents through a secure server or by password protection of documents).
6.9 The council has measures in place to ensure compliance with security requirements which are regularly reviewed through internal audit reviews.
6.10 The council is committed to ensuring that any breaches of data security are promptly reported to, and robustly investigated by, the data protection and information team leader so that mitigating steps can be taken at the earliest opportunity. Where legally required the data protection and information team leader will notify the Information Commissioner of any relevant breaches in line with our security incident response plan.
7. Rights of data subjects
7.1 Data protection legislation provides individuals with the rights to request:
- access to their data;
- portability of their data;
- erasure of their data;
- to object to processing;
- to rectification of their data;
- to restrict processing
7.2 The rights set out at 7.1 are not absolute rights and may be dependent upon the lawful processing ground used and may be subject to an exemption as set out under data protection legislation.
7.3 Where a data subject wishes to exercise one of these rights, they should contact the Data protection and information team leader;
7.4 When we process a request to exercise one of your rights, we will take reasonable authentication steps to verify your identity.
7.5 When one of the rights detailed at 7.1 is exercised, these will be actioned by the council without undue delay and ordinarily within one month. This time may on occasion be extended by up to two months, in compliance with data protection legislation. Where it is necessary to extend this time we will inform you of the reasons for this delay
7.6 Subject access request
When making a subject access request the data subject will be asked the preferred format for our reply.
A charge will not ordinarily be made for a subject access request. Data protection legislation prescribes that a charge could only be made where further copies of personal data are requested by a data subject.
The right of portability only applies to processing carried out by automated means which is based on consent or on the performance of a contract.
If you have a right of portability where possible inter-operable systems will be used to transfer your personal data, however where this is not technically possible the data will be transferred in an acceptable format.
The right of erasure does not apply to processing which is subject to the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Whereby you have an applicable right of erasure we will let you know when we will be able to delete your details from our systems. This will be without undue delay, and within one month.
Individuals can also object to personal data processed under grounds detailed at 4.3(e) or (f). An objection to processing of personal data for direct marketing purposes cannot be refused. Where an objection to processing is made and a relevant exception does not apply the council will cease to process your personal data.
Where inaccurate personal data is gathered you have the right to the rectification of this data. Rectification will occur without undue delay and ordinarily within one month
Where a right to restriction of processing applies such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal persons or for reasons of public interest.
8. The Regulator – The Information Commissioner’s Office
8.1 The Information Commissioner regulates the compliance of Data protection legislation across the UK. The Information Commissioner’s details are:
Information Commissioner’s Office,
Water Lane, Wilmslow,
Cheshire, SK9 5AF
(t) 0303 123 1113
8.2 The council, as a data controller, is required to pay the regulator a fee on an annual basis. Our registration number is Z5260004.
8.3 If you have any queries or concerns about how the council processes your personal data, you can contact the council’s data protection and information team leader by emailing DPO@norwich.gov.uk
8.4 You also have a right to lodge a complaint with the Information Commissioner’s Office.
9. Disclosure of data
9.1 Personal data may be lawfully disclosed where one of the following conditions apply:
- The individual has given their consent (e.g. a member of staff or a customer has consented for the council to correspond with a named third party).
- There is a Power of Attorney in place which authorises a third party to act on behalf of the data subject in relation to that issue.
- Where an exemption under data protection legislation applies, including for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment/collection of a tax or duty or an imposition of a similar nature.
- Where the authority is legally obliged to disclose data
If in doubt, please consult the council’s data protection and information team leader.
10. Freedom of Information Act 2000
10.1 The Freedom of Information Act 2000 allows the public access, subject to certain exemptions, to all types of non-personal information held by public authorities, including the council. However, requests for personal information will be dealt with under data protection legislation.
11. Policy review
11.1 This policy will be reviewed every two years, and sooner if any issues are highlighted, in the case of new risks, and/or if there are changes in legislation
12. Further information
12.1 For further guidance or advice on data protection legislation, please contact the data protection and information team leader by emailing DPO@norwich.gov.uk or telephoning 0344 980 3333.