CHITTLEHAMPTON PARISH COUNCIL
1. Personal data
Personal data is any information about a ‘data subject’ i.e. any identifiable, living person.
Examples of personal data includes someone’s name, their address, their email address or a photograph of them.
Data protection laws ensure that the personal data we hold is:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we have clearly explained and not used in any way that is incompatible with those purposes
- accurate and kept up to date
- kept only as long as necessary for the purposes we have declared
- kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect the personal data from loss, misuse, unauthorised access or disclosure
As well as imposing obligations upon the parish council, this data protection legislation gives data subjects the right to be informed about what personal data is held on them, how that data is used, who it is shared with and how long it is retained. This privacy notice provides this information, in general terms, as well as the lawful basis under which it is collected and retained.
If after reading this notice you have any questions relating to the data we hold or how we use it, please contact the parish clerk, whose contact details are listed at the end of this privacy notice.
Chittlehampton Parish Council is the data controller in charge of the data.
2. Categories of information
The parish council may process some or all of the following personal data:
- names and titles
- contact details such as telephone numbers, addresses, and email addresses
- correspondence received and sent
Additional information may be held on the parish council’s employees, including:
- marital status
- education & work history
- academic/professional qualifications
- criminal convictions
- health information
3. Why we collect personal data
We collect and use personal data to enable the parish council to:
- deliver public services including to understand people’s needs in order to provide them with the services requested and to inform them of other relevant services
- contact people by post, email, telephone or text
- enable us to meet all legal and statutory obligations and powers including any delegated functions
- maintain our own financial accounts and record of meetings
- confirm people’s identity prior to providing some services
- help us to build up a picture of how the parish council is performing
- prevent and detect fraud and corruption in the use of public funds and, where necessary, for law enforcement functions
- where relevant, carry out safeguarding procedures in accordance with best safeguarding practice with the aim of ensuring that all children and adults-at-risk are provided with safe environments
- carry out due diligence
- process any complaints
- promote the interests of the parish council
- seek people’s views, opinions or comments
- notify people of changes to our facilities, services, events and staff, councillors and other role holders
- send out communications which have been requested and that may be of interest to people. These may include information about campaigns, appeals and other new projects or initiatives
- process relevant financial transactions including grants and payments for goods and services supplied to the council
- allow the statistical analysis of data so we can plan the provision of services.
In order to protect data whilst it is in our possession we have data protection policies and procedures in place which are reviewed regularly. For further information on how data is protected please contact the parish clerk whose contact details can be found at the end of this privacy notice.
Special category data
The GDPR singles out some types of personal data as being ‘special category data’ as it is more sensitive and provides such data with extra protection.
The parish council may process the following special category data:
- information about its employee’s physical or mental health in order to monitor sick leave and take decisions on fitness for work
- racial, ethnic origin, religious or similar information in order to monitor compliance with equal opportunities legislation
- special category data in order to comply with legal requirements and obligations to third parties.
4. What is the legal basis for processing personal data?
The parish council is a public authority and has certain powers and obligations. Whenever we process personal data, we will always take into account a data subject’s interests and rights.
Most personal data is processed by the parish council upon the basis of public task where the processing is necessary to perform tasks that the parish council is required to perform as part of its statutory functions. We may also process personal data for compliance with a legal obligation or
for the performance of a contract.
Sometimes our use of personal data may require obtaining a person’s consent. Anyone who has given consent for their personal data to be processed by the parish council may withdraw their consent at any time. Section 10 below explains how consent can be withdrawn.
Occasionally, where the processing is not part of our performing tasks as a public authority, we may process data under the lawful basis that it is in our legitimate interests or the legitimate interests of a third party to do so. In these circumstances we would be using the data in a way that would be reasonably expected by a data subject and the processing will have a minimal privacy impact or there will be a compelling justification for the processing.
Rarely, we may also process personal data in order to protect someone’s vital interests.
No decisions are made by the parish council through automated decision making (including profiling).
If we need to process any special category data under Article 9 of the GDPR which is of a more sensitive nature, we will only do so if we have a lawful basis to do so under Paragraph 2 of Article 9 of the General Data Protection Regulation.
Some of the reasons listed above for collecting and using personal data may overlap and it may be that more than one lawful basis applies to our processing of the data.
5. Sharing personal data
We may need to share personal data we hold with third parties. Where there is a legal requirement to do so, or it is otherwise necessary and it complies with data protection law, we may share personal information with:
- North Devon District Council
- Devon County Council
- central government departments or agencies
- suppliers and service providers
- community groups
- other not for profit entities
- our auditors
- health and social welfare organisations
- professional advisers and consultants
- police forces, courts and tribunals
If we and the other data controllers listed above are processing your data jointly for the same purposes, the parish council and the other data controllers may be “joint data controllers” which means we are all collectively responsible to the data subject for their data. However, where each of the parties listed above are processing the data for their own independent purposes then each of us will be independently responsible to the data subject and if they have any questions, wish to exercise any of their rights (see section 7 below) or wish to raise a complaint, they should do so directly to the relevant data controller.
All third parties with whom personal data is shared have an obligation to put in place appropriate security measures and will be responsible to data subjects directly for the manner in which they process and protect their personal data.
6. How long we keep personal data
In general, we will endeavour to keep personal data only for as long as we need it. This means that we will delete it when it is no longer needed. However, we are legally required to keep some records permanently. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some personal data in connection with our statutory obligations as a public authority. The parish council is permitted to retain personal data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim.
7. Your rights regarding your personal data
Under data protection legislation, data subjects have the following rights with respect to their personal data:
The right to access personal data we hold on you
At any point you can contact us to request a copy of the personal data we hold about you. This is known as making a subject access request. If you make such a request and we do hold information about you we will:
- give you a description of the information held
- tell you why we are processing it and for how long we will keep it
- explain where we got it from, if it was not from you
- tell you who it has been, or will be, shared with
- let you know whether any automated decision-making is being applied to the data
- give you a copy of the information in an intelligible form.
In most circumstances we will respond to your subject access request within one month.
There are no fees or charges for the first request but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.
The right to correct and update the personal data we hold on you
If the data we hold on you is out of date, incomplete or incorrect, you can inform us of this and your data will be updated.
The right to have your personal data erased If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold.
When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need to retain it to comply with a legal obligation).
The right to object to processing of your personal data or to restrict it to certain purposes only
You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data.
The right to data portability
You have the right to request that we transfer some of your personal data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request.
The right to prevent processing of your personal data for the purpose of direct marketing and to object to decisions being taken by automated means We do not currently use personal data for direct marketing or to make any decisions by automated means.
The right to withdraw consent at any time to processing taking place on the basis of your consent
You can withdraw your consent easily by telephone, email or by post. (See section 10 below.)
The right to lodge a complaint
If you think that our collection or use of your personal information is unfair, misleading or inappropriate, or have any other concern or query about our data processing, you can contact the Information Commissioners Office:
- report a concern online at https://ico.org.uk/concerns
- call 0303 123 1113
- or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
However, we would ask that you raise any concerns you have with the parish council in the first instance by contacting the parish clerk.
If you would like to make a subject access request or exercise another of the above rights, please contact the parish clerk whose contact details are listed at the end of this notice.
When exercising some of the rights listed above, in order to process your request, we may need to verify your identity for security reasons. In such cases we will need you to respond with proof of your identity before you can exercise those rights.
8. Transfer of Data Abroad
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union.
Chittlehampton Parish Council’s website is accessible from overseas so personal data on its website may on occasion be accessed from overseas.
9. Additional processing and changes to this privacy notice
We keep this privacy notice under regular review and will make the most current version available on the following web page: www.chittlehamptonparishcouncil.co.uk.
If we wish to use personal data for a new purpose that is not covered in this privacy notice, we will issue an updated privacy notice explaining this new use prior to commencing the processing. If necessary, we will seek prior consent to the new processing.
This privacy notice was last updated on 29th December 2020.
10. Withdrawal of consent and our contact details
Where we have obtained consent to use personal data, this consent can be withdrawn at any time by contacting the parish clerk:
Corner Cottage, The Square, Umberleigh, Devon EX37 9QW