Data protection principles

1 Personal data shall be processed fairly & lawfully

This is the most important principle, if we don’t comply with this anything else we do with someone’s information will be unlawful

Fairly – we need to make it clear to all individuals who we obtain personal information about, who we are, what we want to do with their information and who we might disclose their information to

Lawfully – any information obtained, used, disclosed or destroyed (processed) must be done so lawfully. This means that we need to have a legal power enabling us to process personal information, this could be if someone gives us their permission, for example.

2 Personal data shall be processed for specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.

This means that we can only use someone’s information for the purpose(s) outlined in our ‘Notification’ and for the purpose(s) we stipulated at the time of collecting the information.

The council cannot re-use personal information for unrelated purposes without obtaining further consent from the data subject.

3 Personal data shall be adequate, relevant and not excessive

Individuals who collect and input data must ensure that the information is adequate, relevant and not excessive for the purpose for which it was obtained.  Individual’s have a right of access to information held about them, whether held in a handwritten note, in an email or in a formal document.

4  Personal data shall be accurate and where possible kept up to date

This places an obligation on the council to ensure that the personal information we hold is accurate and up to date. This means that we need to review the information we hold about people regularly and change any out of date or inaccurate information.Data is inaccurate for the purpose of the Data Protection Act if it is incorrect or misleading.

You  have the right have inaccurate data held about you erased or destroyed and can claim compensation for any damage or distress that has been caused by any contravention of the Data Protection Act.

5 Personal data must not be kept for longer than necessary

Personal information must be reviewed on a regular basis and out-of-date or irrelevant information should be deleted or destroyed

6 Personal data shall be processed in accordance with the rights of data subjects

One of the rights under the Data Protection Act is ‘Subject Access’. This gives everyone the right to obtain a copy of any personal information held about them (including opinions), subject to certain exemptions. Find out how to make a subject access request or contact the Information Governance Team.

7 Personal data shall be kept secure

Employees, contractors and agents must keep all personal information secure. Extensive guidance is provided on our staff intranet.

8 Data must not be transferred to countries without adequate security

Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory can ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.