Appendices
Appendix A
The 6 principles of data protection
We are committed to working in accordance with the Principles of Data Protection. These 6 Principles which form the basis of the GDPR and DPA are as follows -
- the first data protection principle is that processing personal data must be lawful, fair and transparent
- the second data protection principle is that the purpose for personal data being collected must be specified, explicit and legitimate. Personal data must not be processed in a manner that is incompatible with the purpose for which it is collected
- the third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed
- the fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.
- the fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed
- the sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data. These risks include (but are not limited to) accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data
Appendix B
Related legislation
- Common Law Duty of Confidence
- The Human Rights Act 1998
- The Data Protection Act 2018
- The EU General Data Protection Regulations 2016
- Computer Misuse Act 1990
- The Freedom of Information Act 2000 (FOI Act)
- The Caldicott Report 1997
- The Regulation of Investigatory Powers Act 2000 (RIPA)
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
- The Environmental Information Regulations 2004 (SI 2004/3391)
Appendix C
Glossary
- Processing – obtaining, recording or holding information or data, or carrying out any operation or set of operations on that information or data. This will include -
- Collection, recording, organisation, structuring or storage
- Adaptation or alteration
- Retrieval, consultation or use
- Disclosure by transmission, dissemination or otherwise making available
- Alignment or combination
- Restriction, erasure or destruction
- Data subject. Any living individual who can be identified from the data. This data may not necessarily include their name
- Personal data. “Personal data” means any information relating to an identified or identifiable living individual
- Data controller. A person who (either jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. The Data Controller is usually a company or organisation rather than an individual within that company or organisation. We are the data controller for all of the systems in use within this organisation and are registered with the Information Commissioner’s Office.
- ‘Special Category Data’, also known as ‘Sensitive Personal Data’
Extra care must be taken with the handling and use of special category data. For the purposes of this policy this is -
- the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
- the processing of genetic data for the purpose of uniquely identifying an individual
- the processing of biometric data for the purpose of uniquely identifying an individual
- the processing of data concerning health
- the processing of data concerning an individual’s sex life or sexual orientation
- the processing of personal data as to -
- the commission or alleged commission of an offence by an individual
- proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings
Appendix D
Conditions for processing personal information
We must have a valid lawful basis in order to process personal data.
There are 6 available lawful bases for processing within the GDPR. No single basis is ‘better’ or more important than the others. Which basis is most appropriate to use will depend on our purpose and relationship with the individual.
If we are processing special category data, we need to identify a lawful basis for general processing. We also need an extra condition for processing this type of data.
Most lawful bases require that processing is ‘necessary’. If we can reasonably achieve the same purpose without the processing, we won’t have a lawful basis.
We must determine the lawful basis before we begin processing, and should document it. Take care to get it right first time - we should not swap to a different lawful basis at a later date without good reason.
Our privacy notice should include the lawful basis for processing as well as the purposes of the processing.
If our purposes change, we may be able to continue processing under the original lawful basis if the new purpose is compatible with the initial purpose (unless our original lawful basis was consent).
Conditions for processing personal data
GDPR Article 6(1) states that ‘Processing shall be lawful only if and to the extent that at least one of the following applies’ -
- the data subject has given consent to the processing of their personal data for one or more specific purposes
- processing is necessary for the performance of a contract to which the data subject is party. This is in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. This is in particular where the data subject is a child
Conditions for processing special category data
GDPR Article 9 states that - processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited unless -
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller. Or, of the data subject in the field of employment and social security and social protection law. This is in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law. This provides for appropriate safeguards for the fundamental rights and the interests of the data subject
- processing is necessary to protect the vital interests of the data subject. It is also important where the data subject is physically or legally incapable of giving consent
- processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. It must be on condition that the processing relates solely to the members or to former members of the body, or to persons who have regular contact with it in connection with its purposes. Personal data must not be disclosed outside that body without the consent of the data subjects
- processing relates to personal data which are manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defence of legal claims. Or whenever courts are acting in their judicial capacity
- processing is necessary for reasons of substantial public interest or on the basis of Union or Member State law. It shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
- processing is necessary for reasons of public interest in the area of public health. This is such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. On the basis of Union or Member State law, which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued. It will respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
Processing on the basis of consent
The GDPR increases the standard for consent. The Information Commissioner’s Office has made it clear that public authorities and employers, such as the council, will find it very difficult to use consent as the basis for processing personal information. Where a service believes that consent is the appropriate basis for its processing of personal information, it must consult the Information Governance Team before collecting any information.
It will often still be appropriate to get consent to deliver services, treatment or support. Any such consent must not include consent to process personal information under the GDPR.
Services must ensure that privacy notices are issued to service users at the point personal data is collected. Each notice must provide comprehensive information on how the data will be processed. The Information Governance Team provides advice and support in writing privacy notices.
Appendix E
Individual rights under the GDPR and DPA
There are eight data subject rights under the GDPR and DPA.
a) The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. We must provide individuals with information including purposes for processing their personal data, retention periods and who it will be shared with. We call this ‘privacy information’.
We must provide privacy information to individuals at the time we collect their personal data from them.
The information we provide to people must be concise, transparent, intelligible and accessible. It must use clear and plain language.
b) The right of access
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data and other supplementary information. It helps individuals to understand how and why we are using their data, and check we are doing it lawfully. Requests can be made in writing or verbally and in most cases no fee can be charged.
c) The right to rectification
Individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed. This will depend on the purposes for the processing. This may involve allowing the individual to attach a supplementary statement to the data.
This right has close links to the accuracy principle of the GDPR. Although you may have already taken steps to ensure that the personal data was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
d) The right to erasure
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing and we have one month to respond. The right to erasure is not absolute and only applies if -
- the personal data is no longer necessary for the purpose which we collected or processed it for
- we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent
- we are relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
- we are processing the personal data for direct marketing purposes and the individual objects to that processing
- we have processed the personal data unlawfully (for example, in breach of the lawfulness requirement of the GDPR)
- we have to do it to comply with a legal obligation such as a Court Order
- we have processed the personal data to offer information society services (social media) to a child
The right to erasure does not apply if processing is necessary for one of the following reasons -
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
- for the establishment, exercise or defence of legal claims
The GDPR also specifies 2 circumstances where the right to erasure will not apply to special category data -
- if the processing is necessary for public health purposes in the public interest (for example protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices)
- if the processing is necessary for the purposes of preventative or occupational medicine (for example, where the processing is necessary for the working capacity of an employee, for medical diagnosis, for the provision of health or social care, or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (for example a health professional)
Requests for erasure must be passed immediately to the Information Governance Team.
f) The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting the usability of the data.
The right to data portability only applies when -
- our lawful basis for processing the information is consent or for the performance of a contract
- we are carrying out the processing by automated means (i.e. excluding paper files)
Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. The right only applies to information an individual has provided to us.
g) The right to object
Individuals have the absolute right to object to the processing of their personal data if it is being used for direct marketing purposes. Individuals can also object if the processing is for -
- a task carried out in the public interest
- the exercise of official authority vested in you
- your legitimate interests (or those of a third party)
In these circumstances the right to object is not absolute. There is also a more limited right to object to processing for scientific or historical research, or statistical purposes.
h) Rights in relation to automated decision making and profiling
The GDPR has provisions on -
- automated individual decision-making (making a decision solely by automated means without any human involvement)
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process
The GDPR has additional rules to protect individuals if we carry out solely automated decision-making that has legal or similarly significant effects on them. We can only carry out this type of decision-making where the decision is -
- necessary for the entry into or performance of a contract
- authorised by Union or Member State law applicable to the controller
- based on the individual’s explicit consent
Where we undertake any automated decision making or profiling we must make sure that we -
- give individuals information about the processing
- introduce simple ways for them to request human intervention or challenge a decision
- carry out regular checks to make sure that our systems are working as intended
More information can be found on the Information Commissioner’s website at www.ico.org.uk or by calling the Commissioner’s Helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Appendix F
Data breach procedures for our staff
All actual or suspected data breaches (see 5.4 above), including ‘near misses’, must be reported as soon as they are discovered. Report them using the ‘Information Security Incident’ category on ASSYST or by emailing or calling the Service Desk. Alternatively, you may contact the Information Governance Team by telephone or by email at Information@hullcc.gov.uk.
Each case will be assigned to an investigating officer who will in most cases be a senior member of the service in which the breach occurred. They will be supported by a member of the Information Governance Team. The investigating officer will ensure the incident is contained, arrange for all necessary parties to be informed and ensure appropriate measures are taken to reduce the risk of a similar incident in the future. In order to assist with this, provide the following when reporting an incident -
- what data is involved?
- what format it is in and whether it is encrypted or otherwise protected?
- who is affected, what type of information and how many records?
- how sensitive is the information?
- are there any potential risks to individuals?
- what steps have already been taken to recover and locate the information?
- if items have been stolen, ensure the incident has been reported to the police and provide the crime number.
- what actually happened and which employees were involved?
- details of any ongoing, immediate risk to information security
If as a result of an incident you have concerns for any person’s immediate safety you must make all reasonable efforts to warn them straight away.
Depending on the circumstances you may also need to think about consulting the Police. For example, if the address of a person fleeing domestic violence has been disclosed to the perpetrator.
Appendix H
Transmitting personal information – email, post, fax and other methods
There are always risks associated with transferring personal information. Appropriate security must be used for every transfer in order to minimise risk. The severity and type of these risks will vary depending on the method of transfer. Examples of such risks include -
- information being lost, damaged or intercepted in transit. For example, stolen laptops, lost memory sticks, opened envelopes
- delivery service delivering mail incorrectly
- information being sent to the wrong address via email, post or fax
- information received by the organisation but not delivered to the correct person
- personal information not being disposed of appropriately
- information that is deliberately transferred with criminal and fraudulent intent. For example, ID theft
Where personal information is compromised there may be an impact on the following -
- individuals - whose information has been put at risk
- staff - whose actions placed the information at risk. Such staff may have breached local policy. This could potentially lead to disciplinary action. There may also be legal implications and potential criminal action taken if they have breached key legislation
- organisations - whose actions placed the information at risk. Such organisations may experience a lack of trust, confidence or reputation from the public and potential prosecution under information legislation
Guidelines for transferring personal information are included below. Wherever an employee is unsure of the most appropriate method for transmitting personal data, they should consult the council’s Information Governance Team. ICT may also be able to provide secure solutions for regular or bulk transfers of personal information.
Email – SFX and secure envoy email systems
Personal information may only be sent by council email to another ‘hullcc.gov.uk’ email address. Where it is necessary to send personal or otherwise confidential information to an email address outside the Hull City Council network, this must be done using a secure email tool.
Staff may not email council information to their personal email accounts. Staff may email their own personal information to themselves at their own risk. For example, a copy of their online payslip. They must not forward any information they have access to as part of their job to their personal email account.
If you regularly send personal information to a particular public sector organisation such as the NHS, Department of Work and Pensions, the Police or another Local Authority, there may be more efficient ways to safely email between organisations. Contact the Information Governance Team using information@hullcc.gov.uk if you need more advice on this subject.
Secure envoy
If you need to send personal information to an email account which is not on the Public Service Network, such as Gmail or Hotmail, this must be sent by SFX or the Secure Envoy system.
Or you can contact the Service Desk to have the ‘Send Secure’ button added to your email account. The Secure Envoy system will send an encrypted email. It is necessary to agree a password with the recipient before the email is sent to them.
Post – internal and external
Wherever possible, documents should be scanned and the electronic copy sent by email or other secure electronic means.
Internal post services
Personal information sent by internal mail must always be in a sealed envelope and addressed to a named recipient. Where the information is sensitive, the envelope should be protectively marked.
Care should be taken when re-using envelopes to ensure any previous address is properly removed or obscured. This is to avoid the correspondence being sent to the old address by mistake.
There might be situations where the contents relate to an employee's personal life. This could involve occupational health issues or their pension. The envelope needs to be marked ‘Private & Confidential’.
External post
Postal and courier services can be used to transfer personal information either in paper format or as electronic information on removable media.
An assessment of the risk posed by sending personal information by post or courier must always be carried out. This is to decide whether it is appropriate to use these methods. The following should be considered, and a senior manager consulted should there be any doubt -
- the nature of the information, its sensitivity, confidentiality or value
- the damage or distress that could be caused to individuals if the information was lost or stolen
- the effect any loss would have on us
There are many standard requirements which must be adhered to when transferring information by post or courier services -
- confirm the name, department and address of recipient. Enter details correctly on the envelope or parcel
- mark the envelope or parcel ‘private and confidential’. Add return address details where this will not compromise confidentiality
- package securely to protect the contents from being tampered with or from any physical damage likely to arise during transit
- consider use of an approved courier, registered post or other secure mail method which can be tracked and is signed for
- electronic information on USB stick or hard drive being sent by post or courier, must be encrypted prior to transfer. Consult ICT for advice in each case
- couriers must be made aware of the sensitivity of the contents and any delivery instructions. For example ‘do not leave with neighbours’ or ‘return to sender if unable to deliver’. These instructions should be confirmed with the courier service in advance
Fax
Always consider alternatives to faxing personal information. Secure email or delivery by courier are other options. Fax should always be a last resort.
If it is absolutely necessary to fax personal information, the following measures must be taken -
- telephone the recipient of the fax to let them know that you are about to send a fax containing confidential information
- ask if they will wait by the fax machine whilst you send the document
- ask if they will acknowledge the receipt of the fax
- check the fax number you have dialled and check again that it is correct before sending
- if this fax machine is going to be used regularly, store the number in your fax machine’s memory
- request a report sheet to confirm that the transmission was OK
- do not leave the fax on the machine when it has been sent
- make sure that you have clearly stated on the fax cover sheet that the information you are sending is confidential. See below for suggested wording
Suggested wording for fax cover sheet
The information contained in this fax is STRICTLY CONFIDENTIAL and intended for the named recipient only. If you are not the named recipient you must not copy, distribute or disseminate this information, nor disclose its contents to any person. If you have received this fax in error, notify the sender immediately. Thank You.
When sending personal information by fax you must not -
- send faxes where you know that the information will not be promptly collected by the intended recipient
- send faxes at times that may be outside the recipient’s hours of work
- leave information unattended whilst a fax is being transmitted
Transporting data by hand (paper and electronic)
Wherever possible, data should be transferred by secure electronic means such as secure email.
There may be occasions when it is necessary for an employee to transport information outside the council ‘by hand’. This includes by paper files or on a portable electronic device. In all such cases these rules must be followed -
- wherever reasonably practical original files should not be removed from our offices and systems. Instead, a copy of the original information should be taken
- only the minimum information necessary for the task may be transported. Copies of full files must not be used if only a small section is required
- a record must be kept of all original documents which are taken outside the council. Enough detail must be recorded to ensure we would know what had been lost if it went missing or was destroyed
- information should be de-personalised, as far as practical, in order to limit the damage if it were to be lost or stolen. Any details which are not necessary should be removed. For example, an officer making regular visits to vulnerable individuals may only need a list of the customers’ initials and the time of each appointment rather than a print-out titled ‘Supported Housing Visits’ with each customer’s name, address, date of birth and telephone number
- any electronic device used to transport personal information must have been encrypted by our ICT Service. As well as laptops, tablet computers and smartphones, encryption must be applied to storage devices. This includes portable hard drives and USB memory sticks. Note that the use of a log on password or PIN does not necessarily mean that a device is encrypted. If you are unsure whether a device is appropriately encrypted, consult ICT immediately
- staff may not use their personal computer, mobile phone or any other electronic device to store or transport council information. The exception is if they have written permission of their City Manager. Where the information contains personal data, written permission must also be obtained from the Data Protection Officer. If the information contains health or social care information, written permission must also be obtained from the council’s Caldicott Guardian
- wherever practical, devices or records containing personal information should be returned to our premises at the end of the working day. They should not be taken home by the employee
- where it is necessary for an employee to take a device or records home overnight they must make all reasonable efforts to keep them safe. They must be stored in a place which is out of sight to visitors, preferably in a locked cabinet or room. The employee must ensure the information is not accessed by any member of their household or person visiting their home
- staff using paper diaries or notepads which are taken outside our premises must remove any personal information from them at the earliest opportunity. Any details which need to be retained should be moved onto the relevant paper file or computer system. If the original version is not to be retained on file it should be securely shredded
- where information must be transported by hand all reasonable security measures to protect it must be taken. These should include as a minimum -
- devices or records must not be left unattended in public
- devices or records should be transported in secure lockable bags. When using public transport, the employee must not leave the bag containing the records or electronic device unattended on luggage racks. They should instead keep it with them. Extra care should be taken to remember the bag when getting off the train, bus or other transport
- devices or records should not be left in private vehicles. If it is unavoidable they must not be left where they can be seen. Instead, they should be locked in the boot or a lockable storage compartment
- any loss, theft or destruction of the information must be reported as an Information Security Incident at the earliest possible opportunity. We will treat any failure to report lost, damaged or destroyed personal information very seriously in accordance with our disciplinary procedures
Appendix I
Information governance representatives
Role
- act as the first point of contact for the Information Governance Team for Subject Access Requests
- act as the first point of contact on data protection issues including information security incidents
Responsibility
- signpost other staff within the service to the Information Governance Team
- help locate personal information in order to answer subject access requests
- co-ordinate their service’s responses containing personal information to the Information Governance Team
- aid the Information Governance Team with service specific knowledge in respect of information requests and decisions on disclosing or withholding information
The Information Governance Representatives perform the same role for each service in respect of Freedom of Information requests.
Appendix J
Sharing personal information
1. Remember that the GDPR and DPA are not a barrier to sharing information
They provide a framework to ensure that personal information about living persons is shared appropriately.
2. Seek advice
If you are in any doubt seek advice about the proposed sharing. Contact the Information Governance Team if you have any questions.
3. Be open and honest
Let the person (or their family where appropriate) know from the outset why, what, how and with whom information will, or could be shared. Seek their agreement, unless it is unsafe or inappropriate to do so.
4. Share with consent where appropriate
Where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case. In such cases it is recommended that you consult the Information Governance Team or an appropriately qualified professional such as a social worker.
5. Consider safety and well-being
Base your information sharing decisions on considerations of the safety and well-being of the person. Others who may be affected by their actions should also be considered.
6. Necessary, proportionate, relevant, accurate, timely and secure
Remember that the data protection principles still apply. You will need to ensure that the information you share is necessary for the purpose for which you are sharing it. It must be shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely. Do not provide details that are not needed or asked for.
7. Keep a record of your decision to share information
Remember to record the reasons for your decision, whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.
Although these principles cover sharing of information with anyone or any organisation, staff should ensure that if they are sharing information on a regular basis with an organisation that they have a formal information sharing protocol in place.
If you are sharing or disclosing personal information to a third party, ensure that you have proper authorisation to do so either as part of your normal working practice.
The Police may request information from us for the purposes of preventing or detecting crime. Locally such requests may be marked ‘DP9’ or ‘Schedule 2 Part 1 5(3) of the Data Protection Act 2018’.
All requests from the Police should normally be referred to the Information Governance Team. Pass any such requests to the Information Governance Team as quickly as possible.
If you are in any doubt whether you can share information or disclose it to a third party, contact the Information Governance Team before taking any action.