Data Protection Policy

Policy Adopted April 3rd 2018
Last Review – 12/3/26 Minute Ref: M.295
Next Review Date: March 2028

1. Purpose of this Policy

Cropwell Bishop Parish Council is committed to protecting the privacy and personal data of individuals whose information it processes.

This policy explains how the Council ensures compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when processing personal data.

The Council recognises its responsibility to ensure that personal data is processed lawfully, fairly, securely, and transparently.

2. Scope

This policy applies to all personal data processed by the Council including data relating to:

  • employees and prospective employees
  • councillors and volunteers
  • residents and members of the public
  • individuals contacting the Council
  • contractors and suppliers

This policy applies to both paper records and electronic information.

3. Data Protection Principles

The Council processes personal data in accordance with the following principles:

Personal data shall be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Retained only for as long as necessary
  6. Processed securely using appropriate technical and organisational measures

The Council is also responsible for demonstrating accountability for these principles.

4. Lawful Basis for Processing

As a public authority, the Council processes personal data primarily under the following lawful bases:

  • Legal obligation – where processing is required by law
  • Public task* – where processing is necessary for the Council to perform its public functions
  • Contract – where processing is necessary to fulfil contractual obligations
  • Consent – where individuals have freely given consent for specific processing activities

Special category personal data will only be processed where a lawful condition under the Data Protection Act 2018 also applies.

5. Data Protection Responsibilities

The Parish Council, as a corporate body, is the Data Controller responsible for ensuring compliance with data protection legislation.

Day-to-day responsibility for data protection is delegated to:

The Parish Clerk

Contact details:

  • Email: clerk@cropwellbishop-pc.gov.uk
  • Phone: 0115 9894656

The Council has also appointed an external Data Protection Officer (DPO) to provide independent advice and support compliance.

Contact details:

  • Email: dpo@cropwellbishop-pc.gov.uk

All councillors, staff, and volunteers who process personal data must ensure they follow this policy.

6. Records of Processing Activities

The Council maintains a Record of Processing Activities (RoPA) which documents:

  • the categories of personal data processed
  • the purposes of processing
  • the categories of data subjects
  • recipients of personal data
  • storage locations
  • retention periods

This record is reviewed periodically to ensure it remains accurate.

7. Information Security

The Council implements appropriate technical and organisational measures to protect personal data from:

  • unauthorised access
  • loss or destruction
  • alteration or disclosure

Measures may include:

  • secure storage of paper records
  • controlled access to systems and files
  • password protection and secure IT systems
  • use of secure cloud services where appropriate

8. Data Retention

Personal data will only be retained for as long as necessary to fulfil the purpose for which it was collected or to comply with legal obligations.

The Council maintains a data retention schedule which sets out how long different types of information are retained.

9. Data Breaches

A personal data breach occurs where personal data is:

  • lost
  • destroyed
  • accessed without authorisation
  • disclosed improperly

All suspected breaches must be reported to the Parish Clerk immediately.

Where required, breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

10. Data Subject Rights

Individuals have rights in relation to their personal data including:

  • the right of access to personal data held about them
  • the right to request correction of inaccurate data
  • the right to request deletion in certain circumstances
  • the right to object to processing
  • the right to restrict processing in certain circumstances

Requests relating to these rights should be directed to the Parish Clerk.

11. Complaints

If an individual is unhappy with how their personal data has been handled, they should first contact the Parish Clerk or the Data Protection Officer.

Individuals also have the right to complain to the Information Commissioner’s Office (ICO).

Information Commissioner’s Office
Website: https://ico.org.uk
Telephone: 0303 123 1113

12. Review of this Policy

This policy will be reviewed periodically to ensure it remains up to date with changes in legislation, guidance from the Information Commissioner’s Office, and the Council’s activities.

*Public task: Refers to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, as defined under Article 6(1)(e) of the UK GDPR.