Data Protection Policy

Policy Uploaded on May 10, 2021

Upper Rissington Parish Council


1. Introduction

1.1.  Upper Rissington Parish Council takes its responsibilities with regard to the management of the requirements of the General Data Protection Regulation (GDPR) seriously.

1.2.  The council obtains, uses, stores and otherwise processes personal data relating to councillors and staff, former councillors and staff, current and former contractors, website users and members of the public, collectively referred to in this policy as data subjects.

1.3.  When processing personal data, the council is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the General Data Protection Regulation (GDPR) and other relevant data protection legislation (Data Protection Act 2018).

1.4.  This policy therefore seeks to ensure that the council is clear about how personal data must be processed and the council’s expectations for all those who process personal data on its behalf.

2. Scope & Responsibilities

2.1.  This policy applies to all personal data processing carried out by the council, regardless of the location where that personal data is stored (e.g. on an employee or councillor’s own device) and regardless of the data subject.

2.2.  Anyone processing personal data on the council’s behalf must read and comply with this policy.

2.3.  The council is responsible for ensuring compliance with this policy, and will implement appropriate processes, and provide information and training so that anyone processing personal data on the council’s behalf knows what to do.

2.4.  The council will work to identify areas that might cause compliance issues and use this to inform the council’s risk assessments, and to improve its data processing processes and controls.

3. Data Protection Principles

3.1. When personal data is processed, the processing should be guided by the principles listed below, as set out in the GDPR, which require personal data to be:

  • processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency).
  • collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation).
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data minimisation).
  • accurate and where necessary kept up to date (Accuracy).
  • not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation).
  • processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality).


4. Accountability & Responsibilities

4.1.  Upper Rissington Parish Council is the data controller, which determines how data is processed, and must pay a fee to the Information Commissioner’s Office (ICO).

4.2.  As the data controller, the council is responsible for establishing policies and procedures in order to comply with, and demonstrate compliance with, data protection law.

4.3.  The council must therefore apply adequate resources and controls to ensure GDPR compliance as far as is practicable, including training and information.

4.4.  The ICO has confirmed that parish councils do not need to appoint a Data Protection Officer (DPO). Notwithstanding the announcement, the council may decide to appoint a DPO.

4.5.  The council must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles.

4.6.  The council must produce the required documentation such as Privacy Notices, Data Retention Schedule, Records of Processing and records of Personal Data Breaches.

4.7.  Where data is processed by a third party, such as a payroll provider, a data processor must be chosen that provides sufficient guarantees about its security measures, and reasonable steps must be taken to ensure that such security measures are in place to protect personal data.

4.8.  Where there is uncertainty around a data protection matter, advice shall be sought from the council’s Data Protection Officer (if applicable) and/or the ICO.

5. Role of Members of Council

5.1.  Data protection laws affect councillors in three different capacities:

    • as members of the council, and therefore subject to the same responsibilities as employees;
    • when acting on behalf of a member of the public (casework); and
    • personally, when the rights of data subjects apply.

5.2.  Councillors will only seek access to personal data when this knowledge is essential for them to carry out official duties, or where the data subject has authorised the access (casework). The information should only be used for its intended purpose and deleted afterwards.

5.3.  Where the councillor can take a copy of the personal information away from the premises, or where they have remote access to the information, the council may specify the steps to keep the information secure. For example, setting out rules about how personal information on a laptop or on paper should be stored securely and who can have access to it.

6. Communicating Privacy Information

6.1. A ‘Privacy Notice’ and ‘Cookie Policy’ are available on the council website. These detail who the council shares personal data with, how personal data is used and stored, the purposes for which personal data is used, and data subjects’ rights to their personal data.

7. Data Subject Access Requests

7.1. Data subjects have the right to receive a copy of their personal data held by the council. In addition, an individual is entitled to receive further information about their rights and how the council processes their personal data, including the categories, recipients, retention periods, and details of relevant safeguards where personal data is transferred outside the EEA.


7.2.  The entitlement is not to documents per se (which may however be accessible by means of the Freedom of Information Act, subject to any exemptions and the public interest), but to such personal data as is contained in the document. The right relates to personal data held electronically and to limited manual records.

7.3.  A response to each request will be provided within 30 days of the receipt of the written request from the data subject. Appropriate verification will be requested to confirm that the requestor is the data subject or their authorised legal representative. If the council cannot respond fully to the request within 30 days, the data subject will be kept fully informed of the progress of their request, and/or reasons for refusal and any procedure for appealing the decision.

7.4.  Data subjects have the right to require the council to correct or supplement erroneous, misleading, outdated or incomplete personal data.

7.5.  Personal data should not be altered, concealed, blocked or destroyed once a request for access has been received. The council will contact the ICO or Data Protection Officer (if applicable) for advice before any changes are made to personal data which is the subject of an access request.

8. Data Breaches

8.1.  A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

8.2.  If anyone (including a third party provider) knows or suspects a data breach has occurred, details of the alleged breach should be submitted immediately in writing to the Clerk.

8.3.  The law requires that organisations report to the Information Commissioner’s Office (ICO) any personal data breach where there is a high risk to the rights and freedoms of the data subject, such as identity theft, or serious damage to reputation.

8.4.  Where there is doubt as to whether the breach is reportable, clarification shall be obtained from the ICO helpline on 0303 123 1113.

8.5.  Data breaches will be reported using the ICO’s online system:

8.6.  The report shall be made as soon as possible and within 72 hours (daily hours not working hours) of becoming aware that an incident is reportable.

8.7.  Where the breach is likely to result in a high risk to the rights and freedoms of individuals then those concerned directly will also need to be informed.

8.8.  Evidence relating to personal data breaches must be retained, to enable the council to maintain a record of such breaches, as required by the GDPR.

9. Issue & Review

9.1.  A copy of this policy will be brought to the attention of all employees and council members.

9.2.  The council reserves the right to change this policy at any time without notice, so please check our website to obtain the latest copy.

This policy was approved by Upper Rissington Parish Council on 10 May 2021. Next Review due: May 2022


Data Breach Reporting Form (For Internal Use):

Data Breach Report

Name of person investigating breach

Severity of breach

Police Informed, if relevant

Individuals affected

Recovery plan


Additional Details

Name, Job Title, Contact details

How many individuals contacted?
What are the potential consequences for those individuals?
Information Commissioner informed Y/N
Note time and method of contact

Time and method of contact
Name of person contacted, contact details

Method of contact used to contact ?

Confirm that details of the nature of the risk to the individuals affected, any measures they can take to safeguard against it, and the likely cost to them of taking those measures are relayed to the individuals involved.

Containment Actions: technical and organisational security measures applied (or were to be applied) to the affected personal data.

Assessment of ongoing risk

Date and time of report to council

Any additional actions arising

Details of written notification of breach

Date and time
By whom, name and contact details

Details of Breach:
Nature and content of data involved, Number of individuals affected

