Our Commitment to you
South Oxfordshire District Council understands the importance of ensuring that personal data, including sensitive personal data, is always treated lawfully and appropriately and that the rights of individuals are upheld.
We are required to collect, use and hold personal data about individuals to fulfil our statutory obligations, delivering services and meeting the needs of individuals that we deal with. This includes current, past and prospective employees, service users, members of the public, councillors, our contractors and partners and other local authorities or public bodies. Some personal data will appear on file records, which by law we are required to keep and make publicly available.
In order to comply with the requirements of the current Data Protection legislation we will ensure that:
- any personal data will be collected, used and held, lawfully and appropriately
- regular data sharing with external partners and other relevant agencies will be subject to information sharing agreements. Partnerships will only be entered into where there is a clear statutory power enabling the council to participate such as the Crime and Disorder Act 1998
- external agencies contracted to undertake any data processing on behalf of the council will be required to demonstrate compliance with the current data protection legislation and satisfy the council that they have the necessary technical and organisational measures in place to protect personal data. This will be set out in their contract with us
- there are policies and procedures in place which are regularly reviewed and updated to ensure staff understand their responsibilities towards protecting personal data
- Data Protection training is mandatory for all staff
- there is an appointed officer within the organisation who has specific responsibility and knowledge about data protection compliance covering all aspects within the scope of this policy and who is a point of contact for all queries
- we have appointed a Data Protection Officer. He is Patrick Arran and he can be contacted by email to email@example.com or writing to us at the address at the bottom of this page.
- data subjects’ rights can be fully exercised
- Subject Access Requests are dealt with promptly
- any new projects or changes to existing processes that involve personal data will undergo a privacy impact assessment
- we will regularly review and update this policy, our procedures and guidance for council employees and councillors
- we are required by law to share or make available some of the personal data we collect and hold. This information may be shared for a number of reasons including to safeguard public funds and for the prevention and detection of fraud, and for the prevention and detection of crime. We are also audited regularly to ensure your information is kept securely and used only for the purposes detailed here
The council has two registrations:
Data controller name: South Oxfordshire District Council Registration number: Z6629204
Data controller name: Electoral Registration Officer for South Oxfordshire District Council Registration number: Z6605488
Clicking on the above reference numbers starting with a ‘Z’ will connect you to the Information Commissioner’s Office on-line register where you can inspect the council’s entries.
Meeting our Policy’s Objectives
In order to meet the objectives that are listed above we need to ensure that the following are always considered and that appropriate controls and procedures are in place to ensure compliance with the Data Protection Act 2018.
Collecting and Processing Personal Data
When we collect personal data we will ensure that where required, we make individuals aware that their information is being collected, the purpose for collecting the data specified, and whether it will be shared with any third parties. This will be done through the use of privacy notices. Typically these will be included in the forms you complete to receive our services.
- Council employees and councillors must report any suspected data breaches to the Data Protection Officer for investigation and where necessary the Data Protection Officer will notify the Information Commissioner’s Office
- Council employees and councillors must use appropriate levels of security to store or share personal data
- When new projects involving personal data are being developed, Impact Assessments will be carried out in order to assess any privacy risks
A Register of Processing Activity or ROPA will be maintained by the Data Protection Officer identifying:
- all personal data held
- how it is processed
- what teams have access to it
- where we share data with contractors or partners
- how long we are required to store the data known as the retention period.
Personal data will not be shared with a third party organisation without a valid business reason and where required we will notify individuals that the sharing will take place in the form of a privacy notice. If any new purposes for the data sharing are to take place, we will seek consent from the individuals concerned.
When personal data is to be shared regularly with a third party, a Data Sharing Agreement must be implemented.
Any data sharing will also take into consideration:
- any statutory basis of the proposed information sharing
- whether the sharing is justified
- how to ensure the security of the information being shared.
Data subjects rights
The current data legislation provides the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling.
Many of these do not apply in certain circumstances, primarily where the council have a statutory duty to have your personal data or we are carrying out a public task. For more information on this please see the Information Commissioner’s Office website.
- Our employees and councillors will have access to personal data only where it is required in order to fulfil their role unless you have passed your details to your councillor because you need their assistance.
- All data subjects have a right of access to their own personal data by requesting a Data Subject Access Request.
- Our employees and councillors are aware of what to do when requests for information are made under the Data Protection Act.
- Our employees and councillors are made aware that in the event of a Subject Access Request being received by us, their emails may be searched and relevant content disclosed.
- Privacy Notices will include a contact address for data subjects to use should they wish to submit a Subject Access Request, make a comment or complaint about how we are processing their data, or about the handling of a Subject Access Request.
- A Subject Access Request will be acknowledged to the data subject within two working days, with the final response and disclosure of information (subject to exemptions) within a calendar month.
- A data subject’s personal data will not be disclosed to them until their identity has been verified.
- Third party personal data will not be released by us when responding to a Subject Access Request (unless consent is obtained, it is required to be released by law, or it is deemed reasonable to release).
Compliance with this Policy
- This policy applies to all our employees, councillors and all people or organisations acting on behalf of the council.
- Each Head of Service shall ensure compliance with this policy appropriate to the personal data activities within their remit.
- If any council employee, or councillor or persons acting on our behalf are found to knowingly or recklessly breach the council’s Data Protection Policy appropriate disciplinary and/or legal action will be taken.
- The Council has a designated Data Protection Officer
Implementation of this policy will be led by our Data Protection Officer.
Any questions or concerns about this policy should be taken up with our Data Protection Officer.
When and why we may need to share your personal data
We may sometimes need to share your personal data for a number of reasons. Our registration with the Information Commissioner’s Office lists of the purposes for which we may share personal information with partner bodies and agencies.
This information explains further about when and why we may need to share personal data with others
Preventing and detecting Fraud
The council is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
By sharing information securely and effectively we will:
- Provide better quality and more streamlined services to you
- Ensure that public money is not wasted
- Avoid having to ask for money back which has been paid incorrectly
- Improve the lives of others
- Help prevent and detect fraud and crime
You will always have the right to opt out of any data sharing initiatives where no statutory requirement exists.
Your personal data will not be used for any sale or marketing purposes and we will not pass your information onto third parties unless we have your consent to do so or we are required by law to do so (e.g. fraud or crime purposes).
If you have any questions about any of the above please contact our Data Protection Officer.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under current data protection legislation.
Data matching by the Cabinet Office is subject to a code of practice.
The Cabinet Office may be contacted should you require further information on the legal powers and the reasons why it matches particular information. You can find their contact details on the NFI website.
If you would like to know more about how we use and store your data, please see our webpage www.southoxon.gov.uk/about-us/contact-us/requesting-information/data-protection.
If you believe we have not handled your personal data as we have described here, please either call 01235 422485 or contact us by email to firstname.lastname@example.org and your concerns will be fully investigated. If, after we have investigated your concerns, you are not satisfied with our conclusion, you have the right to refer the matter to the Information Commissioner’s Office (ICO). You can reach them through this link to their website or call them on 0303 123 1113. Their mailing address is:
Information Commissioner’s Office
The council’s Data Protection Officer is Patrick Arran and he can be contacted by email to email@example.com or writing to the address at the bottom of this page.