The Council’s GDPR preparations form part of its annual information governance action plan, which is overseen by its Information Governance Board. The action plan is implemented at a local level by the service areas.
The technical security measures will differ between service areas, depending on the nature of the information being processed, but the Council has an information governance structure in place to ensure privacy risks are identified and addressed.
The Council also has a suite of information governance policies in place that staff are required to adhere to. These policies cover information security, records management, and the access and use of information.
SCC has an Information Governance and Risk Framework in place. This includes policies on Information Security, Records Management, and Information Access and Use. If you require further information on the individual policies, or would like copies of these, please contact: firstname.lastname@example.org
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used, and the Council’s handling of its data will satisfy this requirement.
As a local authority, in nearly all matters the legal basis for processing data will be that it is necessary to perform its statutory duties, or to ‘carry out a public task’.
In certain circumstances, consent may be required, but the Council will ensure that it is always obtained by an affirmative action, in compliance with the GDPR. Where consent is relied on, the individuals will be given control and choice over the data.
If the processing is not being carried out as part of its statutory duties, SCC may still be able to process the information if it’s in their ‘legitimate interests’ to do so. Before doing so, we will be satisfied that there is a genuine and legitimate reason to rely on this, and the processing won’t adversely affect the individuals.
There may be occasions where your personal data is shared with other organisations, but the Council will only do so if it is necessary as part of providing its services.
A list of the types of organisations we may share your data with can be found on its Information Commissioner’s Office (ICO) registration, but it will depend on the service being provided.
If the Council engages another organisation to process personal data on its behalf, it will be satisfied that it has the necessary technical and organisational measures to keep the data safe before doing so.
Find out more:
Information Commissioner's Office (ICO) registration
Yes, all processing will either be governed by a contract or other legal act. The contract will be compliant with the requirements under the GDPR.
The Council will ensure that any person authorised to process the personal data has committed themselves to confidentiality or is under an obligation of confidentiality.
For information on how long the Council keeps information, please see its retention schedule.
The Council does not have any official accreditation; however, we were audited by the ICO in 2016. More information about the audit can be found on their website. With regard to its information held in respect of social care, the Council’s latest IG Toolkit return can be viewed on NHS Digital’s website.
Information Commissioner's Office - audit
Council staff follow guidance on appropriate technical measures to use when sending different types of information securely.