General Data Protection Regulations Policy of Old Hutton & Holmescales Parish Council

a) The Parish Council is registered with the Information Commissioner’s Office (Registration reference:
A8257940) for the period 21-03-2018 to 20-03-2018. The registration has to be renewed annually. The GDPR
th
regulations come into force on the 25 May 2018.

b) Individuals’ rights under GDPR are:

 The right to be informed  The right to restrict processing

 The right of access  The right to data portability
 The right to rectification  The right to object
 The right to be erased/forgotten  Rights in relation to automated decision making and
profiling

c) The Parish Council is the Data Controller and the Data Processor for the personal information it holds and
uses. The clerk is the Data Protection Officer. The office of DPO is not a requirement of GDPR for small
councils but is regarded as good practice.

d) The following personal information is held by the Parish Council:

I. Contact details – name, postal address, email address(s), phone numbers
II. Whether a parishioner, a parish councillor
III. Electoral roll
IV. For councillors – attendance at PC meetings
V. For councillors – information to do with financial and pecuniary interests
VI. Invoices and receipts – information published in minutes and recorded on spreadsheets as well as on paper
VII. Correspondence

e) It was concluded that the lawful basis for holding and processing the data is:
I. Legal obligations:
For councillors – information to do with financial and pecuniary interests
For councillors – attendance at PC meetings
Minutes and PC financial records (to be retained in perpetuity)
II. Official authority:
Personal data of parishioners in order to communicate agendas and minutes of PC meetings and audit
requirements
Information about planning applications and appeals
Electoral roll
Correspondence from parishioners
III. Contractual:
Information about invoices and suppliers
IV. Public interest:
Personal data for the occasional communication of information which might affect the parish from public
bodies such as the police, fire brigade, Cumbria County Council Highways and SLDC.
V. Legitimate interest:
This is the most appropriate basis when:
 the processing is not required by law but is of a clear benefit to recipients;
 there is a limited privacy impact on the individual;
 the individual should reasonably expect their data to be used in that way; and
 recipients will not want to be bothered with disruptive consent requests when they are unlikely to object to
the processing.

The Parish Council has resolved, therefore, that legitimate interest is the lawful basis on which personal data
can be used for the occasional communication of information such as events at the Public Hall and Church,
notification of litter picking and footpath clearance, and reports about the progress of the broadband project.

f) The Parish Council uses personal data for some or all of the following purposes (parish councils have been
advised to include all these in their list even though many purposes will not apply to them):
 To deliver public services including to understand parishioners’ needs, to provide the services they request
and to inform them of other relevant services;
 To confirm identity to provide some services;
 To contact parishioners by post, email, telephone or using social media (e.g., Facebook, Twitter, WhatsApp);
 To help the council build up a picture of how it is performing;
 To prevent and detect fraud and corruption in the use of public funds and where necessary for the law
enforcement functions;
 To enable the council to meet all legal and statutory obligations and powers including any delegated functions;
  To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in
accordance with best safeguarding practice from time to time with the aim of ensuring that all children and
adults-at-risk are provided with safe environments and generally as necessary to protect individuals from
harm or injury;
 To promote the interests of the council;
 To maintain the council’s accounts and records;
 To seek parishioners’ views, opinions or comments;
 To notify parishioners of changes to facilities, services, events and staff, councillors and role holders;
 To send parishioners communications which have been requested by them and that may be of interest to
them. These may include information about campaigns, appeals, other new projects or initiatives;
 To process relevant financial transactions including grants and payments for goods and services supplied to
the council;
 To allow the statistical analysis of data so in order to plan the provision of services.

g) Data is stored and protected as follows:

I. Archives – some in a locked cellar; some in bags at the clerk’s home
II. Electronic storage – on the clerk’s own password-protected computer; all files are backed up regularly.
Expenditure for the off-site storage of back-ups will be considered at the next meeting.
III. Sharing of information – only the clerk’s wife has the password
IV. Access to email addresses – BCC is used for emails to parishioners. Addresses are not given to third persons
without the permission of the owners; councillors agreed to be able to see each other’s email addresses.
V. Access to other information – is not given to third persons without the permission of the owners.

h) Privacy notices and individual rights:

The privacy notice on all out-going personal correspondence and on the website is:

Your information is stored securely, and it will be used only for Parish Council purposes and to communicate
information of general interest to the parish. If at any time you wish to stop receiving these emails or have your contact
details changed, simply reply to me, the parish clerk, to tell me and I will make the change as soon as practically
possible.

i) Review of procedure for answering access requests:

Requests for information will be answered at no cost within one month and usually as soon as possible.

j) Data breaches:
The Information Commissioner’s Office will be notified of a data breach where it is likely to result in a risk to the
rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial
loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to
result in a high risk to the rights and freedoms of individuals, they will also be notified directly in most cases.

k) Children’s personal data:

No children’s data is held or processed by the Parish Council.

l) The GDPR procedures and policy were approved by the Parish Council on 30-04-2018.