Data protection guidance

The Data Protection Act 2018 has data protection principles to ensure that your personal data is being dealt with correctly.  These are:

  • lawfulness, fairness and transparency: your personal data must be processed lawfully, fairly and in a transparent manner
  • limited lawful purpose: personal data must only be collected for specified, explicit and legitimate purposes
  • data minimisation: personal data collected must be adequate, relevant and limited to what is necessary for the intended purposes
  • accuracy: personal data must be accurate and, where necessary, kept up to date
  • storage limitation: personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose
  • integrity and confidentiality: personal data must be processed in a manner which ensures its appropriate security
  • accountability: we are responsible for, and must be able to demonstrate, compliance with the data protection principles

The lawful and correct treatment of personal information is extremely important to us, not only to ensure that we meet our legal requirements, but also to maintain the confidence that we are acting in an honourable and transparent way.

Processing of information

Through appropriate management and strict application of criteria and controls we will, when processing personal information on any individual:

  • fully observe the conditions regarding the collection and use of information
  • meet our legal obligations under the Data Protection Act 2018 to specify the purpose for which information is used
  • collect and process appropriate information only to the extent that it is needed to fulfil operational needs or to comply with any legal requirement
  • ensure the quality of information processed is accurate
  • apply strict checks to determine the length of time information is held, and identify a destruction date
  • ensure that the rights of people about whom information is held can be fully exercised under the Act, including:
    • the right to be informed that processing is being undertaken 
    • the right of access to personal information  
    • the right to prevent processing in certain circumstances 
    • the right to correct, rectify, block or erase information which is regarded as wrong
  • ensure technical and organisational security measures are put in place to safeguard personal information
  • ensure that personal information is not transferred outside the European Economic Area without suitable safeguards
  • ensure that staff are reminded that data covered by the Data Protection Act is exempt from disclosure under the Freedom of Information Act 2000

Fair obtaining and processing  

Individuals whose data is collected by us must be made aware at the time of collection of all the processes that data may be subject to. No manual or automatic processing of an individual's data can take place unless reasonable steps have been taken to make that individual aware of that processing.

Individuals must also be informed of likely recipients of their information, both internal and external, and also be given details of whom to contact in order to query the use or content of their information: dataprotection@eastcambs.gov.uk

Data uses and purposes 

All processing performed must be for a purpose that is necessary to enable us to perform our duties and services, and which has been notified by us to the Information Commissioner. Personal data can only be processed in line with notified purposes.

All personal data should be regarded as confidential and only disclosed to persons (internal and external) who are listed for the purpose concerned in our current notification AND whose authority has been explicitly established.

Information owned by us must not be used for non-council purposes. This applies when our data is being processed at employees' homes. Employees may only remove personal data from a council office with the authority of their service lead or the chief executive and will be held responsible for any misuse or unauthorised disclosures while the data is in their control.

Customer relationship management 

We use Customer Relationship Management (CRM) to capture and manage information about our customers. Information collected is stored in a central database, allowing information to be collected once but used many times.

Each customer can make a call to customer services where staff will be able to find their details and advise of the progress made on their case. The information is stored safely and securely. It is not used for marketing purposes and is only used to provide a better service to our customers.

The sharing of this customer data across the council allows us to make gains in both efficiency and effectiveness by improving the ability of front line staff to resolve issues at first contact or deal automatically with enquiries that originate over the web.

Data quality 

Information processed shall not be excessive or irrelevant to the notified purposes. Information will be held only for so long as is necessary for the notified purposes, after which it shall be deleted or destroyed. Whenever information is processed, reasonable measures shall be taken to ensure that it is up-to-date and accurate.  

Organisational responsibilities and security   

  • all personal data should be kept secure, in a manner appropriate to its sensitivity and the likely harm should a breach of the Act occur. Security shall be applied to all stages of processing to prevent unauthorised access or disclosure (internal or external), damage (accidental or deliberate) or loss
  • personal data must not be left on display or unsecured when unattended. Computer software shall be kept secure when not in use. System entry passwords should be known only to the holder and be changed regularly
  • everyone managing and handling personal information is appropriately trained to do so
  • everyone managing and handling personal information is appropriately supervised
  • anybody wanting to make enquiries about handling personal information knows what to do
  • queries about handling personal information are promptly and courteously dealt with
  • methods of handling personal information are clearly described
  • a regular review and audit is made of the way personal information is managed
  • methods of handling personal information are regularly assessed and evaluated
  • performance with handling personal information is regularly assessed and evaluated
  • we have compiled data protection guidance for staff and all employees are requested to follow the guidance and to co-operate with us to ensure the guidance is effective 
  • it is the duty of individual employees and members to ensure that personal information held by them is dealt with in accordance with the Data Protection Act 
  • any breaches of security shall be reported to the department’s service lead and legal services for investigation and subsequent remedial action

Use of cookies 

To find out more about how we use cookies in line with the Privacy and Electronic Communications Regulations 2003 (PECR), please see our cookies notice.

General 

Processing carried out by a third party on behalf of the council shall be subject to a contract, which stipulates compliance with the principles of the Act and this policy.

Similarly, when we are processing personal data on behalf of a third party we will need to demonstrate that the data is subject to the same standard of care.