Data protection policy

Contents:

  1. Definitions
  2. Purpose
  3. Spidergram of policies
  4. Data protection principles
  5. Fair and lawful processing
  6. Accuracy of personal data
  7. Retention periods
  8. Information rights
  9. Information security
  10. Training and development
  11. Further information

Definitions

Data Protection Act 2018 (“DPA”): The law on data protection in the UK.

General Data Protection Regulation (“UK GDPR”): A new law on data protection that comes into force on 25 May 2018 throughout Europe.

Data Controller: A person or organisation that handles and processes personal data and determines the way such data should be processed.

Personal Data: Any information from which a living individual can be identified.

Sensitive Personal Data: Any Personal Data which includes further information as defined in the DPA. Further information includes (i) racial or ethnic origin; (ii) political opinions; (iii) religious beliefs; (iv) membership of a trade union; (v) physical or mental health or condition; (vi) sexual life or preferences; (vii) information about any criminal offence or court proceedings related to a criminal offence.

Information Commissioner’s Office (“ICO”): The statutory regulator of the DPA and the UK GDPR.

Data Privacy Notice (“DPN”): A description of Personal Data held by the Reading Borough Council, along with details of purpose, retention and other information about how the Council will handle the Personal Data.

Data Subject: As defined in the DPA and the UK GDPR. The Data Subject is the person who the Personal Data is about, or who is identified by the Personal Data.

Data Privacy Impact Assessment (“DPIA”): An obligation under the UK GDPR which requires us to set out and have recorded all our processing activities across the council. It will also help us to identify and mitigate data privacy risks at an early stage.

Data Processor: Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Purpose

This Policy is intended to ensure that Personal Data is dealt with correctly and securely and in accordance with the DPA, UK GDPR and other related legislation. It will apply to information regardless of how it is collected, used, recorded, stored and destroyed or deleted, and irrespective of whether it is held in paper files or electronically.

All staff involved with the collection, processing and disclosure of Personal Data will be aware of their duties and responsibilities by adhering to these guidelines.

This Policy is central to the Council’s suite of policies designed to ensure that the Council is compliant with the DPA in all aspects of its work where Personal Data is handled.

The spidergram below shows how this Policy interacts with those other policies.

Staff are expected to adhere to the principles and spirit of this Policy in order to protect Personal Data belonging to our customers and staff. Anyone found to have breached this Policy may find that the Council will invoke Disciplinary Procedures.

This Policy has been approved by the Information Governance Board and is evidence of the commitment the Council makes to safeguarding Personal Data.

Spidergram of policies

Centre circle with 7 circles coming off of it. Centre circle says 'Data Protection Policy', the surrounding circles have: 'Disciplinary Policy', 'Records Management Policy', 'ICT Policies', 'Freedom of Information Policy', 'Privacy Notices and DPIAs', 'Breach Management Procedure' and 'Information Sharing Code of Practice'.

Data protection principles

Article 5 of the UK GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Council is committed to maintaining the above principles at all times. Therefore, the Council will:

  • Inform individuals why Personal Data is being collected and when
  • Inform individuals that their information may be shared and why and with whom
  • Check the quality and the accuracy of the information it holds
  • Ensure that information is not retained for longer than is necessary
  • Ensure that when obsolete information is destroyed that it is done so appropriately and securely
  • Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded
  • Share information with others only when it is legally appropriate to do so
  • Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests
  • Ensure our staff are aware of and understand our policies and procedures

Fair and lawful processing

The Council needs to collect and handle Personal Data for a number of reasons.

Customer/Service Users Data

We process personal data of customers and service users in order to provide a service requested by those customers, to safeguard individuals or to provide a statutory service as follows:

  • Name, address, date of birth, gender, contact information
  • Next of kin and contact details
  • Allergies, dietary and medical information
  • Ethnic origin
  • Any special education needs (SEN)
  • Progress data, including national curriculum assessment results, attendance information
  • Relevant data from a previous school
  • Any safeguarding or social services information, including court information, and adoption status
  • Nationality and country of birth
  • Immigration status, date of entry to the UK
  • Accident records and behaviour
  • Financial information
  • Criminal conviction data
  • Other information as required to enable the Council to provide the Service

The Council collects and uses this personal information in order to provide both statutory and requested services.

The Council is required by law to collect and share certain types of information with external bodies such as Local (Education) Authorities (LAs), government agencies (such as the Department of Education, Department for Work & Pensions, Home Office, HM Revenue & Customs) and other bodies to comply with our statutory obligations.

Staff Data

Data is held about staff. This includes:

  • name, address, phone number, next of kin, emergency contact details
  • car insurance details, car registration number
  • bank details, earnings from other sources or previous employer, pensions data
  • DBS number and date authorised (including spent and unspent convictions)
  • medical details, including records of sickness absence and maternity/paternity
  • work history, educational history, references
  • ethnicity, sexuality, personal living arrangements
  • criminal offences/cautions relating to themselves and their partners
  • nationality, right to work, and forms of ID (passports, driving licence)
  • performance data, disciplinary records

This data is held to enable the Council to comply with its legal obligations and to ensure safeguarding requirements are met.

Parents/Carers

Data may be held about those with parental responsibility for children for whom a service is provided, whether by request or due to Safeguarding issues. This data includes:

  • their name, address, emergency contact details, email address, phone number, date of birth
  • banking information, income information (if claiming free school meals)
  • national asylum support service number (if they’re seeking asylum)
  • whether they have parental responsibility, and information about injunctions/court orders if applicable

Visitors and others

From time to time, there will be visiting professionals to the Council.

Contractors’ details will also be stored. This includes their name, the organisation they work for, DBS check details, car registration number, and contact details.

Other visitors will be required to sign in, providing their name and organisation details.

Information consisting of Personal Data may also be shared with law enforcement agencies, such as the Police, from time to time to assist them with the prevention and detection of crime.

If we collect data for any other purposes, or from any other person, we will ensure that the purpose of the processing of that data is clear and where necessary, consent is obtained in advance.

Data security

Regardless of the purpose, Personal Data will always be held securely. If in paper format, Personal Data will always be held in secure rooms with access only to authorised individuals. If in electronic format, Personal Data will be stored in secure systems and will be accessed via encrypted devices authorised by the Council. No member of staff is permitted to store any Personal Data on unencrypted media or on personal devices.

Accuracy of personal data

Under the DPA, the Council is required to ensure that Personal Data is kept accurate and up to date. To comply with the applicable law, the Council will:

  • Take reasonable steps to ensure the accuracy of any Personal Data that is obtained
  • Ensure that the source of any Personal Data is clear
  • Carefully consider any challenges to the accuracy of Personal Data; and
  • Consider, where necessary, whether Personal Data needs to be updated or rectified

If a Data Subject informs the Council of a change of circumstances, or notifies the Council of an error, inaccuracy or defect in the Personal Data held, the Council will update both paper and electronic records as soon as practicable. This will normally be done within one calendar month.

Where a Data Subject challenges the accuracy of the data, the Council will require evidence of the inaccuracy to investigate. In the case of any dispute, the Council will try to resolve the issue informally but if this is not successful, disputes will be referred to the ICO for a decision.

Retention periods

This section sets out a framework for management decisions on whether a particular document (or set of documents) will either be:

  • Retained – and if so in what format and for what period
  • Disposed of – and if so by when and by what method

Specific data retention periods can be found on application to IGTeam@reading.gov.uk.

All other Personal Data falling outside of these retention periods will be securely destroyed. All records that are to be retained will be retained securely.

Destruction of records

Where paper records are identified as needing to be destroyed, these will be shredded securely. Currently, destruction of records takes place onsite using government-approved shredding contractors.

Information rights

a. Subject Access Requests (SARs)

A customer, or someone acting on their behalf, may make a Subject Access Request in respect of Personal Data held by the Council.

The SAR process can be found at the following link: Subject access requests – Reading Borough Council

b. Right to be forgotten

Under the UK GDPR, individuals have the right to request that the Council delete Personal Data where there is no compelling reason for the Council to retain it:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (i.e. otherwise in breach of the UK GDPR).
  • The personal data must be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

An individual may make a request by writing to the Information Governance Team IGTeam@reading.gov.uk if they wish to request that the Council delete or remove any Personal Data. The Council will consider such a request and within 30 days will either confirm the deletion or removal of all Personal Data (other than retaining a record of the request itself) or will inform the individual that the Personal Data will not be deleted, because it is required for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority
  • for public health purposes in the public interest
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • for the exercise or defence of legal claims.

Information security

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves that meet the Council’s security standards.

We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

Confidentiality means that only people who are authorised to use the data can access it.

Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored only on the relevant Council systems and/or computers instead of personal computers.

Security procedures include:

  • Entry controls
    Any stranger seen in entry-controlled areas should be challenged and reported to building security.
  • Secure lockable cupboards
    Cupboards should be kept locked if they hold confidential information of any kind (personal information is always considered confidential). Keys should be kept in a secure lockable place.
  • Methods of disposal
    Paper documents should be shredded to government-approved specifications.
    Records stored on digital storage devices should be securely destroyed when they are no longer required or have reached the end of their retention period.
  • Equipment
    Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

Training and development

The Council is committed to ensuring the staff adopt the highest standards in relation to the processing and handling of Personal Data.

Mandatory Data Protection training is available to all staff; a face-to-face module is available for non-IT users, and all staff are required to complete the training annually.

New staff will be expected to complete the Introduction to UK GDPR module as part of their induction training.

Staff will be re-trained according to changes in regulations or emerging security threats. It is anticipated that this will usually be annually.

Members of staff are expected to read this policy.

Further information

Any person reading this Policy requiring further information or assistance is invited to contact the Data Protection Officer or the Information Governance Team at IGTeam@reading.gov.uk.

Any person who has a complaint about the way the Council has handled their Personal Data, or that of their children, may address their concern in writing to the Data Protection Officer at IGTeam@reading.gov.uk.

For further information about the DPA, the UK GDPR and their application, the Information Commissioner’s Office has a wealth of information on its website – www.ico.org.uk.

Last updated on 02/01/2025