General Data Protection Regulation - FAQs

The General Data Protection Regulation (GDPR) is a European regulation which will come into force on 25th May 2018, and replace the current Data Protection Act 1998.

The Council processes a large amount of personal data and is committed to using it fairly and keeping it safe. This will not change under the new regulation, and information about its information governance can be found below, to provide assurance to both customers and suppliers.

Find more information about how the Council uses personal data: Privacy policy

GDPR - Frequently asked questions

What actions are being taken to prepare for GDPR?

The Council’s GDPR preparations form part of its annual information governance action plan, which is overseen by its Information Governance Board. The action plan is implemented at a local level by the service areas.

What technical and organisational security measures do you have in place to protect personal data?

The technical security measures will differ between service areas, depending on the nature of the information being processed, but the Council has an information governance structure in place to ensure privacy risks are identified and addressed. 

The Council also has a suite of information governance policies in place that staff are required to adhere to. These policies cover information security, records management, and the access and use of information.

What policies and procedures do you have in place to protect personal data?

SCC has an Information Governance and Risk Framework in place. This includes policies on Information Security, Records Management, and Information Access and Use. If you require further information on the individual policies, or would like copies of these, please

How secure are SCC’s systems?

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. 

It requires that appropriate technical or organisational measures are used, and the Council’s handling of its data will satisfy this requirement.

What legal basis does SCC have for the processing of data?

As a local authority, in nearly all matters the legal basis for processing data will be that it is necessary to perform its statutory duties, or to ‘carry out a public task’.

In certain circumstances, consent may be required, but the Council will ensure that it is always obtained by an affirmative action, in compliance with the GDPR. Where consent is relied on, the individuals will be given control and choice over the data.

If the processing is not being carried out as part of its statutory duties, SCC may still be able to process the information if it’s in their ‘legitimate interests’ to do so. Before doing so, we will be satisfied that there is a genuine and legitimate reason to rely on this, and the processing won’t adversely affect the individuals.

Will my data be shared with any third parties?

There may be occasions where your personal data is shared with other organisations, but the Council will only do so if it is necessary as part of providing its services.

A list of the types of organisations we may share your data with can be found on the Council’s Information Commissioner’s Office (ICO) registration, but it will depend on the service being provided.

If the Council engages another organisation to process personal data on its behalf, it will be satisfied that it has the necessary technical and organisational measures to keep the data safe before doing so.

Find out more: 

Information Commissioner's Office (ICO) registration

Will the processing be governed by a contract?

Yes, all processing will be governed either by a contract or by another legal act. The contract will be compliant with the requirements under the GDPR.

Will council staff keep the data safe?

The Council will ensure that any person authorised to process the personal data has committed themselves to confidentiality or is under an obligation of confidentiality.

What happens to the data once the agreement is expired?

For information on how long the Council keeps information, please see its retention schedule.

Does SCC have any information management accreditation?

The Council does not have any official accreditation; however, we were audited by the ICO in 2016. More information about the audit can be found on their website. With regard to its information held in respect of social care, the Council’s latest IG Toolkit return can be viewed on NHS Digital’s website.

See also: 

Information Commissioner's Office - audit

NHS Digital

How does the Council send information securely?

Council staff follow guidance on appropriate technical measures to use when sending different types of information securely.