Data Protection - Internal Documentation
View the internal policies and procedures we have in place to manage our residents personal data.
You're likely to deal with lots of data and some of this will be personal data and could be sensitive. It's important to understand your role in handling data, best practice to reduce the chance of things going wrong, what our responsibilities are if things go wrong and understanding what the consequences are if data is not processed correctly.
Processing means taking the correct steps when deciding how personal data will be collected and used, protecting it from harm and misuse and ensuring that when it is no longer required it is securely destroyed.
Data protection requires that we respect individual's privacy and provide assurance that processing is fair and lawful.
The Council's Privacy Policy provides information about:
- the nature of our processing activities
- the rights of individuals
- how to contact the Data Protection Officer if you have a complaint about data
- Service Privacy Notices
Directorates and Services must ensure that processing of personal data is in line with their privacy notices. The following template policy should be used to populate the details about how and why personal data will be processed and managed.
Any forms or correspondence issued to customers should contain a brief statement signposting to your services privacy notice.
Download the privacy notice template [34kb]
Once you have completed the template form this should be emailed to communications@eastrenfrewshire.gov.uk who will publish to the external website. If you require assistance with privacy notice information please email your enquiry to DPO@eastrenfrewshire.gov.uk
DPIA a process to help identify and minimise the data protection risks of a project
Information risk is inherent within business process and activities and where service delivery changes within the project management framework it is necessary to engage with the DPIA framework to ensure privacy and information risk is being proactively managed. Completing the Screening questions will help to assess if a full impact assessment is required. A DPIA allows risks to be considered before processing takes place and supports compliance with the law and is an effective way to assess and demonstrate compliance, including:
- Assessment of necessity and proportionality
- Ensure that personal data processing activities are designed from the outset to comply with data protection law
- Protect the rights of individuals and reduces the risks of harm to individuals through the misuse of their personal data
- Ensure default for any data processing activity is to carry out only the minimum amount of processing
- Improves transparency and trust and makes it easier for individual to understand how and why you are using their data.
Data Protection by Design and by Default:
This means taking steps to ensure that personal data processing activities are designed to comply with data protection law and protect the rights of data subjects (individuals)
- Default position for processing activity should be "carry out the minimum amount of processing"
- Ensure processing activities (including mapping of citizen data and flows) are fully understood and documented
- Apply requirements throughout the lifecycle of any processing activity
- Processes in place to assess data protection issues during the initial design and development of any new system, project or other activity involving personal data
- Opportunity to create organisation and technical processes at the outset and avoiding expensive fixes at a later date
- Regularly review design features to ensure ongoing compliance
If a new project, process, module or the development or acquisition for the processing of personal data is planned or underway a data protection assessment of compliance should be undertaken where:
- Screening questions indicate Data Protection Impact Assessment (DPIA) is not necessary
- Processing activities are being added to an existing system/application where there is an existing DPIA
- DPIA Guidance
- DPIA Template
Training Workshops have been scheduled for 11th October 2024 and 14th March 2025 and details can be found on the Corporate Training Calendar.
Data protection is not a barrier to prevent sharing. It provides a framework to ensure that personal information about living individuals is shared:
- appropriately
- proportionally
- on a strict need to know basis
Ad hoc (or one off) Information Sharing
There are situations where information can, and legally must, be shared. In these circumstances the following must be considered:
- what information needs to be shared:
- with whom?
- why?
- how ?
- what are the risks of not sharing the information
- could the same aim be achieved without sharing the data or by anonymising it?
You may wish to share personal information which was originally presented in confidence. In such cases, you are restricted from:
- using it for a purpose other than that for which it was provided
- disclosing it without the individual's consent
The exception to this is when:
- there is an overriding reason in the public interest for this to happen
- another law or power permits disclosure
In deciding whether there is a public interest in sharing the "confidential" information, you should consider if the sharing is necessary to:
- protect someone from harm
- prevent or detect a crime
- apprehend an offender
- comply with a court order or other legal obligation
You should also consider:
- if the person has given consent to release the information
- if there is any other reason in the public interest. You are obligated to comply with not only the DPA but also the council's Data Protection Policy. You must also comply with other legislation which applies to you.
Systematic information sharing
This will generally involve routine sharing of data sets between organisations for an agreed purpose.
It may involve a group or organisations having an arrangement to pool data for specific purposes (controller to controller). It could also happen when the council (controller) has contracted with a supplier (processor) to provide or deliver services.
Before any sharing of personal data can happen, it may be necessary to have a Data Sharing/Processing Agreement in place and/or assurance that supplier contract terms and conditions set out a common set of rules to be adopted by our processors involved in data sharing activities. Depending on the nature and context you may be required to conduct Data Protection Impact Assessment.
Where the relationship is on Controller to Controller complete the Controller to Controller Data Sharing Template
Where the relationship is Controller to Processor complete the Controller to Processor Data Processing Agreement
The Council regularly shares information with internal services, external organisations, partners, elected members and responds to requests for information from members of the public.
Employees must ensure that only information which can be legitimately released or shared is done so. Where information cannot be released or shared then a decision must be taken on whether to withhold the release of the information in its entirety or apply redaction.
Redaction is a terms used to describe the editing process whereby information is removed from a document. It is a process which is undertaken to render information unreadable. This is done by blocking out individual words, sentences and paragraphs or by removing whole pages or sections prior to the release of the document.
Consult the Redaction guidance (PDF, 820 KB) for further information on when and how to redact.
All employees are expected to remain vigilant and ensure that the Council's use of personal data complies with the 6 data protection principles and the Data Protection Policy (PDF, 892 KB)
However where this does not happen it is vital that incidents are reported within 3 hours of discovery or knowledge of an incident. A breach of data protection is an incident in which sensitive, confidential or otherwise protected personal data has been accessed and/or disclosed in an unauthorised manner. Example of common incidents are:
- personal data being sent to the wrong person by mistake
- employees inappropriately accessing or sharing personal data
- Sharing more data than is necessary with others
- Sending information to the wrong email recipient
- Failing to protect the privacy of people when sending mass emails by not using the BCC function to hide others email addresses.
The details of an incident must be established quickly for an assessment to be undertaken and an initial evaluation to be made by the Data Protection Officer within 24 hours. Where an incident is reportable to the regulator this must be done by the Data Protection Officer within 72 hours which includes weekends.
The Data Incident and Breach Management Procedures (PDF, 827 KB) provides further detail about incidents. These procedures explain the following steps which must be followed to ensure that legal duties are adhered to and that there is an assessment of the potential risk of harm to individuals:
- Notification
- Initial Assessment
- Containment & Recovery
- Assessment of Risk
- Corporate Recording & ICO Reporting
You must ensure that incidents are reported using the Data incident report form (Word doc, 28 KB) and emailed to DPO@eastrenfrewshire.gov.uk without delay.
Employees are required to undertake data protection training at induction and it must be refreshed on an annual basis.
Other courses are available and services must ensure that staff training is commensurate with an employee's role. Tutor Led courses can be tailored to the needs of the service and in the first instance please contact the DPO.
The dates and times of tutor led sessions can be found within the corporate training calendar:
- GDPR ( E-Learn) to be completed annually
Bookable courses
- Fundamentals of Data Protection (tutor led via Teams).
- Information Rights (including subject access)
- Data Protection Impact Assessments (tutor led workshop).
Bookings should be made through Employee Self Service (ESS)
Under GDPR there is a requirement for organisations to document its record of processing activities (ROPA).
An Information Asset Register(IAR) is a simple way for the Council to manage its processing activities. A corporate IAR will shortly be launched and guidance on what is to be recorded and how to use the application will be published soon.