The General Data Protection Regulation (GDPR) governs the way in which personal data is collected, stored, processed and distributed.
We need to collect personal information about people we deal with in order to carry out council business and provide services. This includes customers, employees, suppliers and other business contacts.
We may be required to collect and use certain types of personal information to comply with the requirements of the law. No matter how data is collected, recorded and used (i.e. on a computer or on paper), this personal information must be dealt with properly to ensure compliance with the General Data Protection Regulation (GDPR).
You can visit the Information Commissioner’s Office website for more information.
Your rights under the General Data Protection Regulation (GDPR)
You have a right to access personal data that we may be processing about you, subject to certain exemptions. Requests for access to personal data are known as subject access requests.
If you submit a subject access request to us, you are entitled to be told whether we hold any data about you. If we do, you also have the right:
- To be given a description of the data, the purposes for which the data are being processed, and those to whom the data may have been disclosed;
- To be given a copy of the data in an intelligible form, with any unintelligible terms explained;
- To be provided with any information available to Oxford City Council about the source of the data; and
- If you specifically request it, to be given an explanation as to how any decisions taken about you solely by automated means have been made.
These rights apply to electronic data, and to data in “manual” (i.e. non-electronic) formats subject to certain limitations.
If your request is for information other than information about yourself, such as information about decisions or actions by us, you cannot submit it as a subject access request.
See our Freedom of Information pages for details of how to find information using our Freedom of Information Publication scheme, and how to submit a Freedom of Information request.
Statement of Commitment
Oxford Town Hall is owned and managed by Oxford City Council.
We understand the importance of ensuring that personal data, including sensitive personal data, is always treated lawfully and appropriately and that the rights of individuals are upheld.
We are required to collect, use and hold personal data about individuals. Data is required for the purposes of carrying out our statutory obligations, delivering services and meeting the needs of individuals that we deal with. This includes current, past and prospective employees, service users, members of the public, Members of the Council, our business partners and other local authorities or public bodies.
Policy Objectives
In order to comply with the requirements of the General Data Protection Regulation (GDPR), we will ensure that:
- Any personal data will be collected, used and held, lawfully and appropriately.
- Regular data sharing with external partners and other relevant agencies will be subject to information sharing agreements. Partnerships will only be entered into where there is a clear statutory power enabling the council to participate, such as the Crime and Disorder Act 1998.
- External agencies contracted to undertake any data processing on our behalf will be required to demonstrate compliance with the General Data Protection Regulation (GDPR) and satisfy the council that they have the necessary technical and organisational measures in place to protect personal data.
- There are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data.
- Training needs are identified and provided to ensure that those handling personal data are trained appropriately.
- There is an appointed officer within the organisation who has specific responsibility and knowledge about data protection compliance covering all aspects within the scope of this policy and who is a point of contact for all queries.
- There are a number of employees throughout the organisation who have specific responsibilities for data protection.
- Data subjects' rights can be fully exercised.
- Subject Access Requests are dealt with promptly and courteously.
- Any new projects being implemented that involve personal data will undergo a privacy impact assessment.
- We will regularly review and update this policy, procedures and guidance for Council employees and Members.
We are required by law to share or make available some of the personal data we collect and hold. This information may be shared for a number of reasons including to safeguard public funds and for the prevention and detection of fraud, and for the prevention and detection of crime. For more details on this please see the privacy notice on the Oxford City Council website.
We are fully committed to compliance with the requirements of the General Data Protection Regulation (GDPR) and are registered as a data controller with the Information Commissioner’s Office. Our registration number is Z7925628.
Meeting our Policy’s Objectives
In order to meet the objectives that are listed above we need to ensure that the following are always considered and that appropriate controls and procedures are in place to ensure compliance with the General Data Protection Regulation (GDPR).
Collecting and Processing Personal Data
- When we collect personal data we will ensure that, where required, we make individuals aware that their information is being collected, of the specified purpose for collecting the data, and of whether it will be shared with any third parties. This will be done through the use of privacy notices. When reviewing documents and forms, we will always consider whether a privacy notice should be included.
- No new purpose for processing data will take place until the Information Commissioner’s Office has been notified of the relevant new purpose and the data subjects have been informed and consent has been sought where required.
Data Security
- Council employees and Members must report any suspected data breaches to the Data Protection Officer for investigation and, where necessary, the Data Protection Officer will notify the Information Commissioner’s Office.
- Council employees and Members must use appropriate levels of security to store or share personal data. Corporate guidance will be published and training will be provided to employees and Members.
- When new projects involving personal data are being developed, Privacy Impact Assessments will be carried out by the Project Manager and reviewed by the Data Protection Officer in order to assess any privacy risks.
An Information Asset Register will be maintained by the Data Protection Officer identifying:
- all personal data held
- where it is held
- how it is processed
- what teams have access to it
- who has overall responsibility for the data.
Personal data will not be shared with a third party organisation without a valid business reason and where required we will notify individuals that the sharing will take place in the form of a privacy notice. If any new purposes for the data sharing are to take place, we will seek consent from the individuals concerned.
When personal data is to be shared regularly with a third party, a Data Sharing Agreement must be implemented.
Any data sharing will also take into consideration:
- any statutory basis of the proposed information sharing
- whether the sharing is justified
- how to ensure the security of the information being shared.
Data Access
- Our employees and Members will have access to personal data only where it is required in order to fulfil their role.
- All data subjects have a right of access to their own personal data; employees will be made aware of and will provide advice to data subjects about how to request or access their personal data held by us. More information is available on the Oxford City Council’s Subject Access Requests page.
- Our employees and Members are aware of what to do when requests for information are made under the General Data Protection Regulation (GDPR).
- Our employees and Members are made aware that in the event of a Subject Access Request being received by us, their emails may be searched and relevant content disclosed.
- Privacy Notices will include a contact address for data subjects to use should they wish to submit a Subject Access Request, make a comment or complaint about how we are processing their data, or about the handling of a Subject Access Request.
- A Subject Access Request will be acknowledged to the data subject within 24 hours, with the final response and disclosure of information (subject to exemptions) within 30 calendar days.
- A data subject’s personal data will not be disclosed to them until their identity has been verified.
- Third party personal data will not be released by us when responding to a Subject Access Request (unless consent is obtained, it is required to be released by law, or it is deemed reasonable to release).
Compliance with this Policy
- This Policy applies to all our employees, Council Members and all people or organisations acting on behalf of the Council.
- Each Head of Service/Director shall ensure compliance with this policy appropriate to the personal data activities within their remit.
- If any Council employee, Member or person acting on our behalf is found to knowingly or recklessly breach the Council’s Data Protection Policy, appropriate disciplinary and/or legal action will be taken.
- The Council has a designated Data Protection Officer and designated officers with data protection responsibilities have been identified in all service areas.
Implementation of this policy will be led by our Data Protection Officer. If you have a privacy concern, complaint or question for the Oxford City Council Corporate Governance Manager, please email dataprotection@oxford.gov.uk.
You can also contact the Council’s Corporate Governance Manager by post at:
Corporate Governance Manager
Oxford City Council
109-113 St Aldate’s
Oxford
OX1 1DS