Data protection policy

1. Policy statement

Blackpool Council collects, holds and processes personal data about residents, customers, employees and other key personnel and stakeholders. It therefore has a number of legal obligations under the UK General Data Protection Regulation (UK GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018).

the council is also required by law to collect and use information to comply with central government requirements.

Blackpool Council regards the lawful and correct handling of all personal information as a very important and essential element of is successful service delivery. It is equally important that the council maintains a level of confidence with those who process Blackpool Council’s data.

2. Introduction

The UK GDPR provides six key principles that deliver a framework for good practice and the proper handling of personal data that are enforceable by the Information Commissioner’s Office (ICO).

Personal data shall be:

1. Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes […] (‘purpose limitation’)
3. Adequate, relevant and limited to what is necessary in relation to the purpose for which they are process (‘data minimisation’)
4. Accurate and, where necessary, kept up to date; every reasonable step to ensure inaccurate data are erased or rectified without undue delay (‘accuracy’)
5. Kept in a form which permits identification of the individual for no longer than is necessary for the purpose which the data are processed […] (‘storage limitations’)
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

3. Scope

This policy applies to all personal data held as information in any format including paper, electronic, images and sound, and emails that may be sent or received by the council.

All stages of the lifecycle of personal data are covered by this policy:

• Obtaining of data
• Storage and security of data and any information this data creates
• Use and disclosure of data and any information this data creates
• Sharing of data and any information this data creates
• Disposal and destruction of data and any information this data creates

This policy applies to all part-time and full-time employees, including those working from home and from other locations, elected members (councillors) in their roles as cabinet members, and all other workers (including casual and agency workers, secondment posts and contractors) using the council’s equipment and computer network. This policy also applies to volunteers and students (including work experience or work-placement).

This policy does not apply to individual councillors in their constituency or ward work as they are registered separately for processing any personal data they may collect for this work.

4. Definitions and terms

The following are included to help with understanding of both the policy and the legislation. This is not an exhaustive list of definitions or terms.

Personal data – Information about an identified or identifiable natural person (living individual) – someone who can be identified directly or indirectly including with the use of an online identifier.

Special category data (Sensitive personal data) – Personal data of an individual that relates to their racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or orientation.

N.B. processing data that relates to offences or alleged offences, court proceedings or sentencing fall within the Law Enforcement Directive

Data subject – The living individual who is the subject of the personal data.

Data controller – A natural or legal person, public authority, agency or other body that determines the purposes and way in which personal data is processed. Blackpool Council is the data controller.

Data processor – A natural or legal person, public authority, agency or other body that processes personal data on behalf of a data controller.

Processing – Any operation on the data including obtaining/collecting, recording, organisation, storage or holding the personal data, disclosure; and any other operation on this e.g. destruction.

5. Subject access requests

When an individual requests their own personal data, this is called a ‘Subject Access Request’ or ‘Right of Access’. 

Whilst the council recognises that requests can be made verbally, to avoid confusion and to ensure that we do not disclose personal data incorrectly, it is helpful if this is made in writing.

We do verify the applicant’s identify and address – again this is to ensure that we do not incorrectly disclose personal data to anyone who is not entitled to receive it.

The request should describe the information requested and/or provide adequate detail and references to help the council identify and locate the personal data and information. 

To help, we publish a Subject Access Request form on the council website and have adopted a Right of Access Procedure.

If another person is helping to make the Subject Access Request, or is acting on behalf of an individual, the individual (the data subject) must provide written authorisation for this. This may be a letter or form freely signed by the individual. This requirement includes those who appoint a solicitor to act on their behalf.

The council is obliged to respond within 1 month from the day after the request is received. This timescale may be extended by another 2 months if the request is complex.

6. Compliance with the principles of data protection

To enable it to fully comply with the legislation, Blackpool Council will:

• Only collect and hold the data and information which are needed, and follow all necessary conditions to enable the council to do this including identification of the correct legal basis, or consent if this is required
• Only use the data and information collected for the purpose specified, or compatible purposes and make individuals aware of any other use or sharing
• Only use the data and information for marketing of goods and services where the individual has chosen (consented) to receive this
• Make every effort to ensure data and information are up-to-date and where opinions or intentions are recorded, that these are professionally expressed
• Follow the council’s published Corporate Retention Schedule to determine how long the data and information should be kept for, ensuring it is not kept for any longer than is necessary
• Ensure that any transfers of data or information are undertaken with appropriate safeguards in place.
• Enforce the Information and ICT Security Acceptable Use Policy and other associated policies to keep the data and information secure, preventing unauthorised access or processing or accidental loss
• Have procedures in place to enable the council to deal with information rights requests in line with the legislation and within the legislated timescale
• Ensure that contracts containing suitable clauses, are in place for any data processing undertaken externally for the council, as per its GDPR Procurement Procedure
• Ensure that its notification (its registration) to the Information Commissioner is renewed on an annual basis and that it accurately reflects the processing that the council undertakes
• Anonymise and pseudonymise data as appropriate and as per the Anonymisation and Pseudonymisation Procedure
• Commit to providing data protection training to all its workforce as part of their induction process and will issue regular refresh training throughout the course of their employment or in the event of any changes in data protection law. the council will retain a record of this training programme and this will be made available to the supervisory authority on request
• Incorporate a ‘clear desk’ culture throughout council offices, as per the Clear Workstation Procedure

7. Data protection officer (DPO)

Under the UK GDPR, it is mandatory for the council to designate a Data Protection Officer (DPO). The DPO’s minimum tasks are defined in Article 39: 

• To inform and advise the organisation and its employees about their obligations to comply with the UK GDPR and other data protection laws
• To monitor compliance with the UK GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
• To be the first point of contact for the Information Commissioners Office

The council’s has appointed a DPO, who has an appropriate level of knowledge and training to provide advice on data protection matters. The DPO can be contacted at dataprotectionofficer@blackpool.gov.uk.

8. Breach reporting

The UK GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Where feasible, the council must do this within 72 hours of becoming aware of the breach, it is therefore essential that all employees make the data protection lead aware of any potential breaches of data protection without undue delay. This includes all losses, thefts or inadvertent disclosures of personal data. It also includes the loss or theft of any device that holds personal data.

An investigation will establish whether or not a personal data breach has occurred. If a personal data breach is confirmed, the information governance service and DPO will follow the Data and Security Breach Incident Management Procedure and for significant personal data breaches, the DPO will carefully consider whether it is required to notify the Information Commissioner and the data subjects affected.

9. Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) are a tool which can organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. the council commits to completing DPIAs for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests, as per its Data Protection Impact Assessment Procedure. Employees must consult the information governance service or DPO before they embark on any new processing that could be regarded as being high risk to an individuals’ interests so advice can be sought on whether an assessment is required.

10. Record of Processing Activity (ROPA)

The council is required to maintain records of activities related to higher risk processing of personal data. The council maintains a Register of Processing Activities in conjunction with its DPO. All employees are required to notify the information governance Service or DPO before they embark on any new processing activities so they can be adequately recorded on the council’s ROPA.

11. Individual Rights

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR and is called ‘privacy information’. the council publishes its privacy information on its website and is committed to this requirement, as per its Right to be Informed Procedure.

Individuals also have the right to access their personal data (commonly known as ‘subject access’) and supplementary information about the processing of their data. The right of access allows individuals to be aware of and verify the lawfulness of the processing of their personal data.

‘Subject access’ requests can be submitted to DPA@blackpool.gov.uk. Further information can be found in the council’s Right of Access Procedure.

The UK GDPR also empowers individuals with the right to rectification, erasure, right to restrict processing, data portability, right to object and rights in relation to automated decision making or profiling. Further information in relation to these rights can be found in the council’s Further GDPR Individual Rights Procedure, Right to Erasure Procedure and Right to Rectification Procedure.

12. Complaints

If an individual is unhappy with the way in which the council is handling their personal data or information, or they believe that the council has breached the data protection principles or shared or disclosed their data incorrectly, they can submit a complaint to the council.

Any complaint should be submitted in writing to: Data protection officer, Blackpool Council, PO Box 4, Blackpool, FY1 1NA, or by email to dataprotectionofficer@blackpool.gov.uk.

If an individual is unhappy with the council’s response to a Subject Access Request, they can ask for a review.

Any review request should be submitted in writing to: Data protection officer, Blackpool Council, PO Box 4, Blackpool, FY1 1NA, or by email to dataprotectionofficer@blackpool.gov.uk within 40 working days of their receipt of the council’s response.

If an individual is unhappy with the outcome of the review, they have the right to apply to the Information Commissioner’s Office for an assessment. They can contact the Information Commissioner at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Any other queries about data protection can be made in writing to: DPA, Information governance team, Blackpool Council, PO Box 4, Blackpool, FY1 1NA, or emailing DPA@blackpool.gov.uk .

13. Further information

Further information on data protection can be found:

• On the council’s website
• In the council’s e-learning course (for staff and members)
• On the Information Commissioner’s Office website.

Document control

Record of amendments

Approved by