- we aim to continue our work in embedding data protection into our culture
- all staff have completed mandatory online UK GDPR training sessions, which needs to be retaken regularly
- we have undertaken a comprehensive internal communication campaign to raise staff awareness of UK GDPR using key message emails, intranet articles and team training sessions
- we will continue training all staff on how to recognise and respond to subject access requests, freedom of information requests, data breaches, and the rights of data
- staff contracts require our employees to adhere to all council policies which include data protection and information security policies, which are reviewed annually
- all new starters undergo induction training which includes data protection and GDPR
The UK GDPR is the UK General Data Protection Regulation. It is UK Law which came into effect on 01 January 2021 following the United Kingdom’s departure from the European Union. UK GDPR replaced the European GDPR for use in the UK. The regulation sets out the key principles, rights and obligations for most processing of personal data in the UK.
Under the regulations, since we hold and process personal information about clients, staff or suppliers, we are legally obliged to protect that information, making sure that:
- processing is lawful and fair
- purposes of processing must be specified, explicit and legitimate
- personal data must be adequate, relevant and not excessive
- personal data must be accurate and kept up to date
- personal data must be kept for no longer than necessary
- personal data must be processed in a secure manner
Our commitment
We honour our residents’ right to data privacy and protection. We demonstrated our commitment by adhering to the Data Protection Act 2018, and we continue to revise our own internal policies in order to meet the requirements of the current data protection legislation, including UK GDPR.
Data protection officer
We have designated Veritau Ltd as our data protection officer.
The data protection officer is the statutory point of contact for all matters relating to data protection and UK GDPR compliance. The data protection officer will ensure that we are accountable and transparent in our processing of data, which includes overseeing the creation and maintenance of our records of processing activities as per article 30 of the GDPR.
For all communication regarding data protection and information governance matters please contact our Data Protection Officer:
Veritau Ltd
County Hall
Racecourse Lane
Northallerton
DL7 8AL
- Email: infogov@northyorks.gov.uk
- Telephone: 01904 55 2848
Staff
Systems
- we are reviewing our systems, including cloud services, to ensure that they meet any specific requirements of UK GDPR, issuing contract variations where appropriate
- our technology and change department administer all internally held systems and they operate an information security management system which is certified to ISO 27001:2013
- Technology and change are also ISO 20000 certified
- ISO 20000 provides quality assurance to the processes, policies and procedures operated in the delivery of ICT services to the council and is the only standard specifically aligned to information technology service delivery and service management
Policies and procedures
- we have an ongoing process of updating privacy notices for data subjects (including employees as well as service users).
- We are reviewing all current policies and business processes and ensuring that they are UK GDPR compliant.
- A retention policy is in place which stipulates the retention and destruction of both electronic and paper documents.
- We are reviewing our information security incident procedure so that we are able to report breaches of data protection to the ICO, and potentially data subjects, within 72 hours.
- We are replacing our existing data protection policies with a new suite of UK GDPR and Data Protection Act 2018 compliant policies.
- Information security polices are reviewed annually under ISO 27001 requirements.
- We are amending our procedures in regards to processing information requests and other data subject rights.
Customer contracts
In order to adhere to the UK GDPR requirement that a data controller must appoint a data processor in the form of binding written agreement, where personal data is processed (including the activities of any sub- processors), and that it is done so only on documented instructions from the controller or within the requirements of the law:
- we are reviewing current data processor arrangements by informing our data processors of changes to legislation
- inserting new data processor clauses in to new contracts and service level agreements
- reviewing existing data processing contracts
This will ensure that relevant wordings are in place to cover aspects such as:
- the duration, nature and purpose of the processing
- the types of data processed
- the obligations and rights of the controller
- it will also, where applicable, cover cross border transfers and the use of any sub processors
Security and business continuity measures
We continually seek to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
The requirement to have organisational and technical safeguards in place to protect against breaches of confidentiality, integrity, and availability has remained intact through the migration from the Data Protection Act 1998 to the Data Protection Act 2018 and GDPR. Therefore while our security measures have been reviewed to ensure compliance under the Data Protection Act 2018 and GDPR, we have not deemed any changes to be necessary in this area.
IT infrastructure and network access
- we currently have a suite of information security policies in place which covers general information security, document and record management, IT usage etc
- our servers are held to ISO 27001 standards
- connectivity to the data centre is secured
- data storage is not shared and is under our control
- network access for staff is controlled. Anti-virus is deployed across the network
- we have a routine backup procedure with data also being backed-up offsite
- we use electronic access control in all of our buildings
- locked cupboards are located throughout all offices with a method for the secure disposal of physical documents provided
Data breaches
Under the UK GDPR, where we process any personal or sensitive categories of data we must notify any data breach to the data protection officer without undue delay. We therefore have processes and procedures in place for identifying, reviewing and promptly reporting data breaches and where appropriate informing the ICO and the data subject(s) themselves.
We record:
- a description of the nature of the breach
- severity analysis of the breach
- likely consequences of the breach
- proposed and imposed measures that were taken to limit harmful effects
We have comprehensive technical and organisational security measures in place to mitigate against a data breach.