1.1 Independence and Well Being Enfield Limited (IWE) is required as part of its overall information governance structure to ensure that appropriate controls are implemented and maintained in relation to the collection, use and retention of personal information pertaining to its customers, clients and staff and that these are in accordance with the requirements of the current data protection law as enacted (the Data Protection Act 2018 and the Applied GDPR).
1.2 This document provides a framework for IWE officers to meet legal and corporate requirements in relation to information requests that fall within the scope of the legislation.
1.3 The Policy applies to all personal information created, received, stored, used and disposed of by Independence and Well Being Enfield Limited irrespective of where or how it is held.
1.4 It must be noted that compliance is a legal requirement and that individuals can face prosecution for breaches of its Principles.
2 Aim of the Policy
2.1 The aim of this document is to clarify IWE’s legal obligations and requirements for the processing of personal data and to ensure that all such data is:
- collected, stored and processed for justifiable business reasons
- has appropriate legal basis or informed consent for use, and is not combined with other data or used for other purposes without appropriate legal basis or consent
- used only by those persons with a legitimate reason for access
- stored safely
- retained only for the defined time period
- not disclosed to unauthorised persons, and transfers to authorised persons recorded
2.2 IWE will actively seek to meet its obligations and duties in accordance with the law and in so doing will not infringe the rights of its employees, customers, third parties or others.
3.1 The scope of this policy requires compliance with the principles defined in law. Personal Data is defined as: personal data relating to an identifiable living individual and includes the expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
- racial or ethnic origin
- political opinions
- religious or other beliefs
- trade union membership
- physical or mental health or condition
- sexual life
- commission of criminal offences or alleged offences.
3.2 Sensitive personal data may only be stored or processed for a limited variety of purposes. All processing of sensitive personal data without a legal basis for use must be cleared by the Information Commissioner.
3.3 All personal data must be protected, and sensitive personal data may require special protection measures.
3.4 Changes to use or new uses of personal data require consultation with the Data Protection Officer. Their advice must be recorded and, if dissented from, the dissent and alternate action taken must also be recorded.
4 Data protection principles
4.1 The GDPR includes principles, as does the DPA, which must be adhered to whenever personal data is processed. Processing includes obtaining, recording, using, holding, disclosing and deleting personal data.
4.2 All personnel processing personal information in the course of their business functionality must ensure they adhere to the principles in the GDPR Article 5 (the DPA eight principles cover similar ground, but the GDPR is more developed) which require that:
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’). Note that there are additional requirements on location of storage and processing elsewhere in the laws;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). Further information on the principles can be found on the Information Commissioner’s Office website.
5 The Information Commissioner’s Office
5.1 The Information Commissioner administers Data Protection in the UK. The role and duties of the Commissioner include:
- ensuring compliance with the law
- ensuring that individuals’ rights to privacy are respected
- ensuring that individuals have access to data held about themselves
- establishing and maintaining a Register of data users and making it publicly available
- investigating complaints, serving notices on registered data users who are contravening the principles of the Act, and where appropriate prosecuting offenders.
5.2 The law gives the Information Commissioner wide powers to ensure compliance, including warrants to search and seize documents and equipment.
6 Access and use of personal data
6.1 This policy applies to everyone that has access to personal data, and includes any third party or individual who conducts work on behalf of IWE or who has access to personal data for which IWE is responsible and who will be required contractually or otherwise to comply with this policy.
6.2 The Policy is also applicable to Members who create records in their capacity as representative of Independence and Well Being Enfield Limited. When Members create records when acting as representatives of a resident in their ward they are recommended to apply the policy, but officers should consider whether it has been correctly applied on receipt of a Member’s enquiry. It does not apply to those records Members create when acting as a representative of a political party. Note that Members processing personal data not on behalf of Independence and Well Being Enfield Limited will need their own registration with the ICO.
6.3 Deliberate unauthorised access to, copying, disclosure, destruction or alteration of or interference with any computer equipment or data is strictly forbidden and may constitute a criminal and/or a disciplinary offence.
6.4 It is an offence for any person to knowingly or recklessly obtain, procure or disclose personal data, without the permission of the data controller (IWE), subject to certain exceptions.
6.5 It is also an offence for someone to sell or offer to sell personal data.
6.6 All data subjects are entitled to:
- Know what information IWE holds and processes about them and why it is held
- Know who can gain access to it, who it is shared with and where it is stored
- Know how to keep this data up to date
- Know what action IWE takes to comply with its obligations
6.7 All data subjects may request erasure of data which they feel is no longer relevant.
6.8 IWE will ensure that compliance with this Policy is monitored and the Council is able to evidence that it is complying with its legal responsibilities with respect to its staff and customers.
7 Company’s commitment
7.1 To achieve the overall aim of the Data Protection Policy Independence and Well Being Enfield Limited will:
- Provide adequate resources to support an effective corporate approach to Data Protection.
- Respect the confidentiality of all personal information irrespective of source.
- Publicise the Company’s commitment to Data Protection.
- Compile and maintain appropriate procedures and codes of practice.
- Promote general awareness and provide specific training, advice and guidance to its staff at all levels and to its Members to ensure standards are met.
- Monitor and review compliance with legislation and introduce changes to policies and procedures where necessary.
8 Roles and responsibilities
8.1 The Data Subjects are those natural persons about whom the authority retains information.
8.2 Ultimate accountability for all decisions made relating to Data Protection lies with the Executive Board.
8.3 The Executive Board is responsible for ensuring that sufficient resources are provided to support the requirements of this policy as well as making strategic level decisions which impact on how IWE carries out its obligations under the legislation. Each Service Manager is responsible for monitoring compliance within their service area and taking any necessary corrective action.
8.4 Enfield Council’s (Parent Organisation) Information Governance Board (IGB) monitors, oversees, reports and makes recommendations to the Council Management Board on all strategic level DPA issues.
8.5 Enfield Council’s Complaints and Access To Information Manager (CAATIM) has the role of handling requests for data (SARs, FOIs, EPAs etc.) and complaints about the authority’s use of data. The officer will also maintain and provide reporting to IGB/CMB/Council on these issues.
8.6 Enfield Council’s Data Protection Officer (DPO) will provide advice and guidance in conjunction with Legal Services on legal compliance and best practice. Advice of the DPO must be sought for all new or changed data uses; this advice must be formally recorded and if not followed, this fact must also be recorded. The DPO acts as the liaison between the ICO and the Council, and acts as independent reviewer/advisor on complaints. The officer also provides a lead for raising awareness of Data Protection issues.
8.7 Enfield Council’s Departmental Data Coordinators (DDC) are the central contact within their respective department with respect to compliance. DDCs will also process requests and complaints as required by the CAATIM. The DDCs also represent their department in the monthly corporate Information Governance Board meetings.
8.8 Information/System Owners have a responsibility to ensure that data stored on systems is captured, stored, processed, accessed and deleted in line with the law and Enfield Council’s Retention schedule. They are additionally responsible for ensuring that the recording of all statutory requirements are kept up to date, and reviewed at least annually.
8.9 The Manager of a team/s or service is directly responsible for compliance with the Act within their business areas and ensuring adherence by their staff.
8.10 All IWE employees and personnel working with personal data have a responsibility to ensure that they have sufficient awareness of the DPA so that they are able to comply with the requirements of the DPA.
9 Responsibilities of Staff and Members
9.1 The processing of personal data is to be compliant with legal, industry, regulatory and business requirements; it is the responsibility of staff and Members to be aware of and conversant with these requirements for the processing and management of personal data in an appropriate manner.
9.2 Staff and Members will need to be aware of how IWE safeguards its data and ensure that the appropriate protective marking is applied to all information. In most cases personal information about any living individual will attract the classification of OFFICIAL, but in some cases it will be OFFICIAL-SENSITIVE, for example when large quantities of sensitive information are grouped together, or where the information could put someone at risk. For more information on the classification and handling of personal information please refer to IWE’s Information Classification and Handling Policy.
9.3 Some data supplied by others will have handling requirements beyond Enfield Council’s OFFICIAL-SENSITIVE criteria. Staff involved must be made aware of this by the Information/System Owners and are then responsible for handling it correctly.
9.4 The following minimum requirements are applied to everyone who comes into contact with personal data:
- Staff/Members are to ensure that personal data is to be processed accurately
- When not required for immediate use personal data is to be secured from unauthorised viewing and access
- Personal data must not be sent to/from personal/staff/member home email accounts
- Personal information can only be distributed externally if it is: being sent to someone with an appropriate data sharing or processing agreement with the council, a legal right to access and a need to know; sent via Egress encrypted e-mail or otherwise securely distributed as agreed with the DPO.
- Computer systems that process, access or store such data are to have password protected screen savers activated when left unattended, and all data should be encrypted at rest.
- The carrying of personal, sensitive or confidential information outside secure office environments should be avoided wherever possible. If this is unavoidable, then encryption of the device and device management by Enfield Council is mandatory. Paper based documents holding personal or sensitive information must be concealed from public view in transit and held securely when stored.
- When no longer required to be retained all personal data is to be disposed of securely, i.e. by shredding or via secure waste disposal.
- Personal data may not be stored on removable media devices without explicit management approval and appropriate encryption controls. Such data is to be removed from the removable media as soon as practically possible.
- The discussion of personal data with unauthorised persons either inside or outside IWE is expressly prohibited. This also includes, but is not limited to, email, social networking sites, blogs, forums, instant messaging services, chat rooms etc.
- Staff are required to complete the Data Privacy and Information Security training on joining the organisation and as required thereafter.
10 Data Controller
10.1 In accordance with the DPA, IWE as a corporate body is the Data Controller and is therefore ultimately responsible, through the appointed Data Protection Officer or the person fulfilling that role, for the implementation of this policy.
10.2 The Service Managers are responsible for the day-to-day management of the data within their business areas of responsibility to ensure that compliance with law and documentation of personal data use is maintained.
11 Data Protection Officer
11.1 The DPO is responsible for fulfilling the role as documented in the GDPR.
11.2 The DPO must be involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
11.3 The DPO is invited to participate regularly in meetings of senior and middle management. His or her presence is recommended where decisions with data protection implications are taken. All relevant information must be passed on to the DPO in a timely manner in order to allow him or her to provide Independence & Well Being Enfield Limited, including any changes in legislation that might impact business processes.
11.4 The DPO will ensure that Data Privacy and Information Security training is available to staff and that a record of completion is maintained.
12 Departmental Data Coordinator (Service Managers)
12.1 DDCs will work with the respective business areas in their Department to facilitate the daily activities and management responsibilities under the law.
12.2 DDCs must inform the DPO of any proposed new or changed uses of personal information within their business unit before any change in process or additional information collection is authorised.
12.3 DDCs must regularly review the content and use(s) of personal information within their Department’s business units, and confirm to the DPO that the information held is compliant with current law.
12.4 DDCs must ensure that members of staff and contractors under the control of their Departmental business units are conversant with their responsibilities under the law, and that they know the procedures to follow when handling, releasing and disposing of information.
12.5 DDCs are responsible to ensure that SARs and other requests for information are processed within the required time limits.
12.6 DDCs will assist the CAATIM and/or DPO with the collation of materials in response to any access request or complaint received.
13 Training and awareness
13.1 All IWE employees have a responsibility to ensure that they and the staff they manage have undertaken the Enfield Council’s Corporate Data Privacy and Information Security training and have sufficient awareness of the law so that they are able to comply with the requirements.
13.2 It is mandatory for all IWE staff (including temporary or casual workers and volunteers) that have access to personal data or to the corporate network to undertake the corporate Data Privacy and Information Security training. New entrants will be expected to undertake and successfully complete the module as part of the corporate induction process. Established staff will be expected to undertake and complete refresher training as directed.
13.3 Managers should encourage and make time for their staff to attend any further Data Privacy and Information Security training or awareness opportunities that may arise.
13.4 Failure to complete the courses within the prescribed period could result in disciplinary action.
14 Collection of Data
14.1 IWE collects and records personal data from various sources, including that obtained or provided by the data subjects themselves.
14.2 In some instances data may be collected indirectly through monitoring devices, including but not limited to: door access control systems, CCTV, personal recording devices and physical security logs or electronic monitoring systems. For further detail refer to IWE’s Information Security Policy.
15 Accuracy and relevance
15.1 It is the responsibility of those who receive personal information to ensure so far as possible, that it is accurate and up to date. Personal information should be checked at regular intervals, to ensure that it is still accurate.
15.2 If the information is found to be inaccurate, steps must be taken to rectify it. Individuals who input or update information must also ensure that it is adequate, relevant, unambiguous and professionally worded. Data subjects have a right to access personal data held about them and have inaccuracies corrected.
16 Rights to access, correct and remove information
16.1 Data subjects have the right to access any personal information (data) about them that is held.
16.2 Data subjects also have the right to have data about themselves corrected or erased subject to certain conditions.
16.3 IWE aims to comply with requests as quickly as possible but will ensure that it is provided within one calendar month unless there is a good reason for any delay. In such cases the reason for a delay will be explained in writing to the person making the request.
17 Fair and Lawful Processing
17.1 When IWE processes personal data, it must have a legal basis for doing so or a freely given, positive consent. The law provides a list of conditions to ensure that personal information is processed fairly and lawfully:
- Personal information is only processed where it is justified, and this is transparent to the data subject
- Information on the processing is easily accessible and easy to understand, in clear and plain language
- That data subjects are aware of risks, rules, safeguards and rights in respect of processing and how to exercise their rights
- That the minimum amount of personal data is kept, and for as short a period as possible
- That sensitive personal information is processed only where necessary and justified, and with permission for this from the ICO unless a legal basis for processing is used.
17.2 Individuals that supply IWE with personal information are provided with a ‘Privacy Notice’ (or online privacy statement) at time of data collection, repeated at time of SAR, which communicates the following:
- Purposes, categories, recipients (esp. outside country)
- Period of storage
- Existence of the right to request rectification, erasure and to object to processing
- Right to complain to supervisory authority and contact
- Information on communication and source
- Information on significance and consequences of processing
18 Data Sharing
18.1 Where IWE shares personal information with any third party a ‘Data Sharing Agreement’ or ‘Data Processing Agreement’ must exist as part of a formally documented written agreement or contract.
18.2 A ‘Data Sharing Agreement’ is required if the information supplied is being used to fulfil requirements of the recipient.
18.3 A ‘Data Processing Agreement’ is required if the information supplied is being used only to fulfil IWE requirements and not used otherwise by the recipient.
18.4 Where the other party uses the personal information for its own purposes (Data Sharing):
- The agreement or contract will clearly describe the purposes for which the information may be used and any limitations or restrictions on the use of that information
- The other party is to provide an undertaking or provide other evidence of its commitment to process the information in a manner that will not contravene the law
18.5 Where the processing of personal information with a third party is required by law, procedures are to ensure that the protocols and controls for the sharing of the data are documented, regularly reviewed and verified.
18.6 Requests for personal information from the Police or other enforcement agencies can be considered where the purpose is for the prevention or detection of a crime and/or the collection of taxes. It should be noted however that Independence and Well Being Enfield Limited is under no obligation to do so. Before providing the information, the requesting agency must provide a sufficient explanation of why the information is necessary to the extent that not providing it may prejudice an investigation. This is to satisfy the relevant information holder that the disclosure is necessary. The request must be on letter headed paper and authorised by a senior officer from the requesting agency (Police Inspector or equivalent). If the information is to be disclosed, the disclosure must be authorised by the relevant Service Manager (or above) and a note for the record should be made of the details about the disclosure with an explanation of why the disclosure is appropriate.
19 Data retention and disposal
19.1 IWE must ensure that personal information is not kept for any longer than is necessary; this is to adhere to any legal, regulatory or specific business justification.
19.2 IWE will retain some forms of information longer than others, but all decisions are to be based upon business requirements; details can be found in the Record Retention Schedule.
19.3 Data relating to clients is only to be retained for as long as a business justification remains.
19.4 When disposing of information, equipment or media, the Confidential Waste Disposal Policy should be adhered to.
19.5 The retention criteria must be imposed on third parties with whom data is shared.
20 Transfer outside of the EEA
20.1 To ensure an adequate level of protection is applied to personal information transferred or processed outside the European Economic Area (EEA) contracts are to include conditions relating to the specific requirements for the protection of the information.
20.2 IWE is responsible for ensuring that ‘due diligence’ is conducted on the other party, and that adequate and appropriate controls and safeguards are applied for the transfer of the personal information.
20.3 Companies outside the EEA are to be required to apply the same controls and requirements as applied within the EEA unless they can demonstrate other adequate procedures are implemented to protect the personal information as part of the ‘due diligence’ process. Periodic reviews of the same are to be conducted to ensure adherence is maintained.
20.4 There are specific issues with Cloud processing covered in the Use of Cloud Security Policy.
20.5 Data received by IWE from third parties may have specific storage and use rules that may further restrict where it can be stored or processed (e.g. Health data cannot be stored outside England & Wales).
21.1 Unauthorised disclosure of personal data is a disciplinary matter that may be considered gross misconduct and could lead to termination of employment.
21.2 In the case of third parties unauthorised disclosure could lead to termination of the contractual relationship and in certain circumstances this could give rise to legal proceedings.
21.3 Any failure to follow this Policy must be treated as an incident and investigated in accordance with the Security Incident Reporting Procedure.