Data protection and confidentiality policy

1. Introduction

This policy sets out our approach to handling the personal information of identifiable living persons. It is designed to ensure we meet our legal obligations, in particular under the General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018 (DPA) and the Human Rights Act 1998 (HRA). An extended list of information legislation can be found at Appendix B. This legislation governs the handling of personal data.

This policy is designed to ensure that our employees, elected members and other parties acting on our behalf understand their obligations when handling personal information. They need to comply with the GDPR and DPA. Contact the information governance team if you need more detailed support or guidance. A glossary of the terms used within the GDPR and DPA and this policy can be found at Appendix C.

The information governance team maintains this policy. For more information on the team and the town clerk's service, email information@hullcc.gov.uk.

2. Statement of policy

We need to collect information about the people we work with in order to carry out our functions and deliver services to our residents. Through our policy, procedures and training we will make every effort to -

  • comply with the law and good practice
  • respect individuals’ rights and protect their privacy
  • be open and honest with people about the data we hold
  • ensure employees handling personal data have training and support that allows them to act confidently and consistently

Data protection means protecting people’s personal information and treating it with respect. Where we collect and use personal data we will strive to work by the six data protection principles of the GDPR and DPA. These are listed at Appendix A.

The GDPR provides individuals with expanded rights over how their personal information is processed. These can be found at Appendix E. A request must be passed immediately to the Information Governance Team if a data subject wants to exercise any of these rights.

3. Scope

The policy applies to all employees of the council. Agency staff, contractors and any others employed under a contract of service and volunteers are included. The policy also applies to Elected Members in their role as a member of the council. This policy does not apply to Elected Members where they process personal data for constituency or political purposes. It does not apply to schools with delegated powers, unless adopted by the governing body.

This policy governs the processing of all personal information relating to identifiable, living persons. This includes electronic, paper or other permanent formats or file systems holding information. The policy applies throughout the lifecycle of the information, until it is either destroyed or held permanently in the city archives at the Hull History Centre.

4. Roles and responsibilities

4.1 Members

All elected members are to be made aware of this policy and of their duties and responsibilities under the GDPR and DPA. Members must handle personal information in accordance with the six data protection principles.

When handling personal information for political purposes, members are covered by their political party’s policies and rules. When accessing personal information as a member of the council, they are covered by our data protection policy and its registration with the Information Commissioner (Registration no. Z6005621).

Each member is responsible for the personal information they use in their constituency work. We register all Members with the Information Commissioner’s Office as separate data controllers for their constituency work. The Register of Data Controllers can be viewed on the Information Commissioner's Office (ICO) website.

The Information Governance Team can provide general advice to Members in respect of personal information they process for their constituency work.

4.2 Corporate Strategy Team (CST)

The Corporate Strategy Team will ensure we comply with our legal obligations as a data controller under the GDPR and DPA.

CST will approve the corporate framework for data protection. They receive regular reports from the Information Governance Group. CST will ensure an appropriate member of staff is nominated to act as our Senior Information Risk Owner (SIRO).

4.3 Information Governance Group

The Information Governance Group will co-ordinate and oversee activity through regular meetings. They will ensure we meet our obligations to keep information safe, accurate and accessible. The Information Governance Group -

  • will be chaired by our Senior Information Risk Owner (SIRO)
  • will provide advice to service areas on developing service specific procedures and applying the Data Protection Policy
  • will ensure that staff have received adequate data protection training, and that adequate procedures and support are in place to allow them to comply with policies and the law
  • will review and update the Data Protection Policy and procedures when legislative, technical or corporate changes occur
  • will review information security breaches involving personal data to ensure risks are mitigated and, where necessary, escalated to CST
  • will oversee and approve corporate Data Protection Impact Assessments

The Information Governance Group will operate by its Terms of Reference.

4.4 City managers

Each City Manager is accountable for data protection compliance within their service. They must ensure that their service complies with the principles of the GDPR and DPA when processing personal data, and that staff are aware of their responsibilities under the GDPR and DPA and have received appropriate training. They will ensure that good Data Protection practice is established and followed by -

  • ensuring that appropriate staff are appointed as information governance representatives. They will assist with subject access requests and other information rights issues (see Appendix I)
  • ensuring employees, including contractors, consultants and volunteers employed to undertake our business have read and understood the data protection policy and guidance. They must have completed the e-learning testing before they are given access to customer data
  • addressing any extra training needs for their service in the areas of privacy, confidentiality or security
  • ensuring appropriate resources are in place to enable their staff to comply with the data protection policies and procedures
  • notifying the information governance group of any areas of information risk as they are identified
  • reminding their staff that information security incidents involving personal information must be reported immediately (see Appendix F)

4.5 The Information Governance Team

The information governance team is responsible for -

  • maintaining the Data Protection Policy
  • briefing senior managers on data protection responsibilities
  • providing guidance and advice to staff on data protection issues. For example, support writing privacy statements and information sharing agreements
  • notification to the Information Commissioner’s Office
  • handling subject access requests (except for social care; see Appendix G)
  • approving, in consultation with the monitoring officer and SIRO, unusual or controversial disclosures of personal data (for instance as part of Freedom of Information requests)
  • providing advice and assistance in the completion of Data Protection Impact Assessments where new or changed processing of personal information is under consideration
  • supporting service areas in developing information sharing agreements in accordance with the Humber Information Sharing Charter
  • recording and investigating information security incidents

4.6 Data Protection Officer

The Data Protection Officer will -

  • inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
  • monitor compliance with the GDPR and other data protection laws. This includes managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits
  • act as the first point of contact for supervisory authorities and for individuals whose data is processed

4.7 Other specific staff

4.7.1 Information Security Management

The Assistant City Manager responsible for ICT networks is accountable for electronic information security. This includes access to electronic systems and to personal information stored on our networks.

4.7.2 Corporate procurement and legal services

We have standard wording in tender documents and contracts that requires parties to follow the requirements of the GDPR and DPA. The Procurement Team and Legal Services will ensure that extra contractual conditions are included where they are needed to ensure data protection compliance. More specific data handling or processing requirements must be included in contracts or appendices, or contracts must make provision for separate data handling and processing protocols. In most cases, parties commissioned or contracted to deliver social care services will also be required to complete the NHS Digital Data Security and Protection Toolkit.

4.7.3 Caldicott Guardians

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information. They enable appropriate information sharing. The guardian plays a key role in ensuring that we and partner organisations meet the highest practical standards for handling patient identifiable information.

The guardians support work to enable information sharing where it is appropriate. They advise on options for lawful and ethical processing of information. Their remits cover all social care records for children and adults.

They have responsibilities relating to confidential information and information sharing. The Caldicott Guardians also have a strategic role, which involves representing and championing Information Governance requirements and issues at management team level and at a range of levels within the organisation's overall governance framework. Our Caldicott Guardians are members of the Information Governance Group.

The Caldicott Guardian ensures that where confidential personal information is shared, for example with local NHS or other care partners, this is done properly, legally and ethically in line with the Caldicott principles.

4.7.4 Managers

All managers must ensure the people they manage have the necessary skills and knowledge to perform their duties. All their staff accessing personal information, including paper or other manual records, must have read and understood the Data Protection Policy. They must also have read any associated guidance and completed the online Data Protection testing.

A new starter must read and understand the Data Protection Policy and guidance if they will have access to personal data held by us. They must also have completed the relevant e-learning packages. A record of completion must be kept in the new starter’s induction records.

4.7.5 All staff

Intentional breaches of this policy will be handled under our disciplinary procedures. Criminal activity will be reported to the police if identified or reasonably suspected. It will also be reported to the Information Commissioner's Office.

All employees are individually responsible for complying with the GDPR and DPA. Maintaining confidentiality is also a requirement of all council contracts of employment. Unauthorised access to, use of, or disclosure of personal data is a criminal offence under Section 170 of the DPA 2018. For example, viewing a person’s file you have no business need to look at will breach the DPA, your contract of employment and the council’s policies. Disclosing personal information learned at work to a third party without our permission will also breach the DPA and your contract of employment.

Where it is suspected that an employee has intentionally breached the GDPR and DPA, we will report the details to the Information Commissioner’s Office. It is unlikely that the ICO will ever prosecute individuals for honest mistakes. They actively prosecute those who wilfully or recklessly access or disclose data where it is clearly wrong to do so.

Any unauthorised use, unauthorised disclosure or inappropriate access to personal information held by us will be dealt with under the disciplinary procedures. Any council employee who wilfully and deliberately breaches this Policy and the GDPR and DPA should expect to be dismissed. The details will also be reported to the ICO and the Police and we will fully support any prosecutions.

5. Service area and corporate procedures

Procedures and guidance may need to be developed from this policy and appendices. Each service will need to consider what specific guidance it must have in place to follow the data protection principles. Staff should exercise extra caution whenever their day-to-day work may impact on how we process personal information, including -

  • how we collect it
  • how much we collect
  • what we do with it
  • whether it can be used for a new or changed purpose
  • how and where we store it
  • how we keep it secure
  • how we share it
  • who we share it with inside the council
  • who we share it with outside the council
  • how we respond to subject access requests
  • how we respond to official information requests from the Police, HMRC, DWP etc.
  • how we dispose of it

If advice or help is needed, contact the Information Governance Team.

5.1 How to process or use personal data

The definition of processing (using) data is very broad in the GDPR and DPA. Doing anything with personal data is likely to count as ‘processing’ under the Act. When Officers and Members use personal information, they must ensure it is done lawfully and fairly. This is the first Data Protection Principle.

We need to meet one or more of the conditions listed at Appendix D of this policy so that the processing can be considered to be ‘fair’. Wherever possible we must be clear, when we collect personal information, what purposes it is being collected for. All later uses must be compatible with these conditions.

Where we can, we must process personal information with the full knowledge of the data subject. The easiest way to do this is by providing effective privacy notices at the point the information is collected, including on application forms and web forms. Services can contact the Information Governance Team for help writing simple and straightforward privacy notices. Individuals are then clearly informed about how their information will be used in the future, which helps avoid customer complaints and dissatisfaction.

Steps to take, and some to avoid, in the processing of personal information -

Do -
  • handle other people’s personal data with the same care and respect you would give your own information
  • be particularly careful about sensitive ‘special category’ data. This concerns race, political opinion, religious belief, trade union membership, physical or mental health, sexual life, criminal offences
  • where possible, tell people you hold personal data about them and explain why you need it. You need to include how long it will be kept, who you will share it with and who to contact for more information
  • ensure personal data is kept accurate and up-to-date
  • be very careful about passing personal information to third parties
  • consult the Information Governance Team before using personal information for any new or significantly changed purposes. We may need to complete a Data Protection Impact Assessment
  • ask questions to confirm the identity of people who call you on the telephone. This must happen before discussing personal details with them
  • always use the smallest level of information necessary to get the job done. For example, do not take a full file out of the office if you only need to take a few pages or one section
  • use lockable bags when taking sensitive paper records outside the office. Ensure there is a return address and telephone number on the case
  • review personal data kept in files often
Do not -
  • use personal information if you are not sure if it is appropriate. Always ask your manager or the Information Governance Team for advice
  • use personal data collected for one purpose for other reasons. This is unless you have a clear legal basis and have established whether the data subjects should be provided with a new privacy notice
  • reveal personal data to third parties without the data subject's permission. This is unless there is a clearly established legal basis for sharing
  • disclose any personal data over the telephone unless the caller has been identified
  • leave personal data unsecured (physical documents or electronic information). You must keep a clean desk, lock confidential records in desks or cabinets and lock your computer when you move away from it
  • share system passwords. You will be held accountable for any activity on our systems that happens under your log in
  • take personal data home or remove it from our computer network. This is unless you have a valid business need to do so and the data is appropriately protected. You must have explicit permission of the manager who is responsible for the data
  • leave council laptop computers or paper records in vehicles overnight. You must take them indoors and lock them safely away
  • place or create council information on personal electronic devices or personal email accounts. This is not permitted in any circumstances
  • discuss confidential work matters with family, friends or anyone else outside work
  • open suspicious emails and always report them via the service desk. If you click on an attachment or web link in an email and then realise it may be malicious, it is important that you inform the Service Desk immediately. Disciplinary action will not be taken against any person who makes an honest mistake. Report any incident as quickly as possible

5.2 How to keep personal information (records management)

The GDPR and DPA place a duty on organisations to keep personal information accurate and up-to-date. Our Records Management Policy provides guidance on how we manage our records. It also provides retention guidelines. This ensures information is kept up-to-date and not held longer than necessary.

Under the corporate Records Management Policy, City Managers have a responsibility to review their service’s procedures. They need to ensure they are keeping accurate and consistent records. They will take the necessary steps to ensure any personal data held or processed by their service is accurate. It must be stored securely in accordance with the GDPR and DPA. The following are some of the actions that may be required to make sure data is stored accurately and is up-to-date.

5.2.1 Updating

As part of their responsibilities under the Records Management Policy, services will have processes for regularly checking and updating records and discarding old data.

5.2.2 Storage

In most cases, keeping personal information under lock and key is enough to meet the requirements of the GDPR and DPA. Sometimes, extra security measures may be considered necessary.

5.2.3 Retention periods

Different records will have different retention periods. We need to comply with the fifth data protection principle. We must make sure we have clear retention periods for the various types of personal information we hold. Retention periods can vary widely between document types.

5.2.4 Disposal

If personal information is to be disposed of, this must be done securely. City Managers must ensure their services have appropriate arrangements in place for disposal. This includes disposal of personal or otherwise sensitive information. Our Facilities Management Team has advice on the secure disposal of personal and confidential information.

5.3 How to keep personal information secure

We must take all reasonable measures to ensure that personal information is kept safe and secure. Appropriate protective measures are taken when personal information is collected, stored or transferred. This may require encrypted and password protected devices, use of secure email, or ensuring cabinets containing paper files are kept locked. Appendix H provides guidance on transferring data safely. Employees, elected members or others acting on our behalf must only collect, access and use the minimum level of information needed to properly carry out their duties and responsibilities. More on keeping personal information secure will be provided through service specific training and online training packages. Staff must also be aware of the relevant sections of the ICT Information Security policies. They are designed to safeguard all information, not just personal data.

5.4 Data breaches – what to do if something goes wrong

On occasion, personal data may be lost, stolen, or compromised. When this happens the incident must be reported immediately. This is vitally important as people may be put at risk of harm. Quick action can reduce the potential for damage and distress to the victims (see Appendix F). We may also need to report the breach to the ICO within 72 hours.

A data breach is any incident involving the loss, damage, inappropriate disclosure or inappropriate access to council information. Unauthorised access to our data systems is also included. Such incidents can lead to identity fraud or have other significant impacts upon individuals. They must be treated very seriously. A data breach can involve electronic or paper records or the verbal disclosure of details held in our systems or records.

Incidents must be reported immediately. Contact the Information Governance Team on 01482 613 378 or via the above email.

All the following should be reported as potential information security incidents -

  • human errors. For example sending letters or emails to the wrong address or selecting the wrong email attachment or putting the wrong letters in envelopes
  • loss or theft of equipment containing personal information. Laptops, mobile phones, USB drives, external hard drives and DVDs for example
  • computer failures putting data at risk of loss, damage or being inaccessible for long periods
  • breach of policies. For example, employees looking at records they do not need to see or discussing confidential matters outside work
  • computer hacking attack where third parties attempt to access our systems without permission
  • failure to properly protect information. For example, a file is left on the bus or a confidential email is sent without using the secure email system
  • a ‘blagging’ attack where somebody tricks us into releasing information
  • any other incident where information is not kept safe or is used in a way that may be inappropriate

Warn a person straight away if you have concerns for their safety after an incident.

Depending on the circumstances, you may also wish to consult the police. For example, if the address of a person fleeing domestic violence has been disclosed to the perpetrator.

All incidents should be reported to the Information Governance Team immediately (see Appendix F). It will normally be appropriate to notify the service manager and City Manager. This is particularly important if there may be serious consequences for victims or if the incident is likely to attract publicity.

In deciding how to proceed consider the following -

  • what data is involved
  • how sensitive is it
  • what format is it in and is it encrypted or otherwise protected
  • who are the affected individuals
  • what could be the impacts on them
  • are there any things we can do right now to recover the information or limit impact on the victims

Any ‘near-miss’ situation (data was not compromised, lost or stolen but nearly was) must be reported for investigation. It is vital that all employees play their part in protecting information. They need to make their manager and the Information Governance Team aware of any risks they identify.

It is not our policy to pursue serious disciplinary action against employees who make genuine human errors. Any failure to report an incident, however, will be treated extremely seriously.

5.5 Requests for copies of personal data (Subject Access Requests)

Under the GDPR and DPA any person has a right to ask for a copy of their personal information from any organisation. When someone requests their own information, this is called a Subject Access Request (SAR). We must provide any information we hold within 30 calendar days. There are some limited exemptions from this right of access. In most cases all information must be provided.

It will not always be appropriate to use the SAR process. For example, if a customer asks how much council Tax they owe or for the balance of their rent account this should be dealt with as a normal service request. If a customer requests a copy of all information the Council Tax Team holds about them or a full copy of their Housing file, this should be dealt with as a Subject Access Request. It will then be passed to the Information Governance Team.

Where a customer asks for a copy of their personal information they should be directed to the Subject Access Request form (Appendix G), which is on our website, or be advised to contact 01482 300 300 or the council’s Information Governance Team. If a customer verbally requests recordings, send any recordings of the details to the customer using their contact details, and send the recordings to the Information Governance Team as well.

Contact the Information Governance Team if you are unsure how to deal with a request for information. They will be able to help you.

Written requests for information which do not include the applicant’s own personal data will be handled under the Freedom of Information Act. All such requests should be sent to the Information Governance Team.

5.6 Sharing personal information with a partner organisation

We need to share information to deliver better, more efficient public services that meet the needs of our customers. It is essential to enable early intervention and preventative work. In some cases it is also used for safeguarding and public protection.

At the same time, we acknowledge that the public want to be confident that their personal information is kept safe and secure. Council officers must maintain a balance between the privacy of individuals, operational requirements and the law.

Our staff making decisions about information sharing must do so on a case-by-case basis. The checklist at Appendix J outlines considerations for sharing in accordance with the GDPR and DPA. In cases where there is a regular exchange of personal data the Humber Information Sharing Charter should be used to agree the sharing.

5.7 New projects or systems involving personal information

Any new, or significantly changed, use of personal information must be assessed to ensure it is lawful and will not put personal data at risk. Where appropriate, a Data Protection Impact Assessment (DPIA) must be completed. The Information Governance Team can provide assistance in completing a DPIA before it is submitted to the Information Governance Group for feedback and approval.

6. Training and awareness

All staff and councillors will need to be aware of our Data Protection and Confidentiality Policy. Employees with access to our ICT and data systems are required to complete annual data protection training. This training is delivered on Oracle Learning Management. For some posts additional training and guidance will also be provided.

6.1 Induction

When staff and councillors join us, it is important that they are introduced to their basic responsibilities under the GDPR and DPA. This level of understanding will be met by reading this policy and completing the online training packages. Staff may need additional awareness based on specific induction requirements in their service groupings.

6.2 Continuing training

If staff need more Data Protection training or awareness beyond this policy, this should be brought to their manager’s attention. If you need help with any particular data protection issue, contact the Information Governance Team.

7. Notification to the information commissioner

We are registered with the Information Commissioner’s Office. We are included on the public register of data controllers (Registration no. Z6005621).

Any changes to the register must be notified to the Information Commissioner within 28 days. Any new processing of personal data must be brought to the attention of the Information Governance Team. Hull City Council’s notification can then be updated as necessary.

8. Policy review

This policy will be reviewed at least once every 3 years. Appendices will be updated as necessary. This Policy is maintained by the Information Governance Team who can be contacted via the email above.