Data Protection Policy

Leighton-Linslade Town Councils data protection policy sets out the Town Councils commitment to protecting personal data and how that commitment is implemented with regards to the collection and use of personal data.

Leighton-Linslade Town Council needs to collect and use certain types of information about people with whom it deals in order to operate. This includes information relating to current, past and previous employees, suppliers, residents and others with whom it communicates.

Leighton-Linslade Town Council is registered with the Information Commissioner’s Office.

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.

The Principles require that personal information:

  1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
  2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  4. Shall be accurate and where necessary, kept up to date;
  5. Shall not be kept for longer than is necessary for that purpose or those purposes;
  6. Shall be processed in accordance with the rights of data subjects under the Act;
  7. Shall be kept secure i.e. protected by an appropriate degree of security;
  8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and “sensitive” personal data.

Personal data is defined as, data relating to a living individual who can be identified from:

  • That data;
  • That data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to:

  • Racial or ethnic origin;
  • Political opinion;
  • Religious or other beliefs;
  • Trade union membership;
  • Physical or mental health or condition;
  • Sexual life;
  • Criminal proceedings or convictions.

Through appropriate management Leighton-Linslade Town Council will apply the following criteria and controls:

  • Ensure that data is collected and used fairly and lawfully;
  • Process personal data only in order to meet operational needs or fulfill legal requirements;
  • Take steps to ensure that personal data is up to date and accurate;
  • Establish appropriate retention periods for personal data;
  • Ensure that data subjects’ rights can be appropriately exercised;
  • Provide adequate security measures to protect personal data;
  • Ensure that a nominated officer is responsible for data protection compliance and provides a point of contact for all data protection issues;
  • Ensure that all staff are made aware of good practice in data protection;
  • Provide adequate training for all staff responsible for personal data;
  • Ensure that everyone handling personal data knows where to find further guidance;
  • Ensure that queries about data protection, internal and external to the organisation, is dealt with effectively and promptly;
  • Regularly review data protection procedures and guidelines within the organisation.

Adopted by Council 30 September 2013