We regularly update our Data Protection Policy Statement; it was last updated in December 2022. The date of formal approval was 8 September 2021, by the then Director of Governance and Monitoring Officer, and the Responsible Officer is Lorraine Lunt.
The next review for the Data Protection Policy Statement will be in December 2023. We will retain this version of the document until it has been superseded.
This Data Protection Policy Statement sets out our commitment to:
- comply with data protection law and follow good practice
- protect the rights of staff, citizens and partners
- be open about how we store and process individuals' data
- protect ourselves from the risks of a data breach
This Policy Statement applies to:
- all substantive and temporary employees of City of York Council
- any individual including contractors, volunteers and others who work on behalf of the council
- all students and those undertaking a work experience placement
- Elected Members
This policy outlines the behaviours and responsibilities expected in order to ensure the council continues to fulfil its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (DPA) 2018, and any other related legislation.
Statement of commitment
All council employees, Councillors, volunteers and organisations working on behalf of the council are committed to:
- ensuring that we comply with the data protection principles, as listed within current Data Protection legislation
- meeting our legal obligations as laid down by current Data Protection legislation
- ensuring that data is collected and used fairly, lawfully and in a transparent manner
- processing personal data only in order to meet our operational needs or fulfil legal requirements
- taking steps to ensure that personal data is up to date and accurate
- establishing appropriate retention periods for personal data and ensuring these are complied with
- ensuring individuals are informed appropriately about their rights and that we action these correctly
- providing adequate organisational, technical and security measures to protect personal data
- ensuring that all staff are aware of data protection and privacy requirements
- providing adequate training for all staff responsible for personal data
- ensuring that everyone handling personal data knows where to find further guidance
- ensuring that queries about data protection, whether internal or external to the council, are dealt with effectively and promptly
- regularly reviewing data protection procedures and guidelines within the council
Roles and Accountability
The Chief Operating Officer must appoint a manager of appropriate seniority as the council's Senior Information Risk Owner (SIRO).
Senior Information Risk Owner
The SIRO is accountable and responsible for information risk across the council and they ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.
The SIRO will also:
- act as an advocate for information governance and assurance at Council Management Team (CMT) and in internal discussions
- chair the Governance Risk and Assurance Group (GRAG)
- ensure reports are provided to the Audit and Governance Committee relating to information risk
- manage delivery of information governance and assurance services
- ensure that information risks are treated as a priority for the council
- play a vital role in getting the council to recognise the value of its information
- ensure that risks are addressed, managed and capitalised upon, by treating information not only as an ICT issue but as a business priority
The current SIRO is Bryn Roberts, Director of Governance and Monitoring Officer.
Information Asset Owner
Information Asset Owners (IAO) are senior members of staff who are the nominated owner for one or more identified information assets in the council. They must be senior or responsible individuals involved in running the relevant service areas.
IAOs should be in a position to have a good knowledge of their asset and of how and why it is processed, giving them a good understanding of the risks and opportunities associated with it. They also need to be aware of the consequences and impacts of those risks materialising.
The IAO will also:
- lead and foster a culture that values, protects and uses information correctly
- provide assurance for the security and use of their asset annually to the SIRO and the Governance Risk and Assurance Group (GRAG)
- be responsible for approving, monitoring and minimising data transfers or sharing
- approve data protection impact assessments (DPIA) for any new systems or projects that involve the processing of their information asset
Information Asset Administrator
The role of Information Asset Administrators (IAAs) is to support the IAO.
The IAA should be closely associated with the information asset and its day-to-day processing so that they have a full understanding of what information is held, what is added and what is removed, how information is moved, and who has access and why, in their information asset.
The IAA will also:
- identify, assess, address and manage risks to the information, and ensure that its use is fully within the law
- ensure that opportunities for the use of the information asset can be exploited more efficiently and safely
- input into DPIAs for any new systems or projects that will involve the processing of their asset
- know who has access to their information asset, and why, and ensure their use is monitored
Caldicott Guardians
The council’s registered Caldicott Guardians (CGs) are:
- Sharon Stoltz, Director of Public Health
- Michael Melvin, Director of Adults Safeguarding
The CGs are responsible for protecting the confidentiality of people’s health and care information and making sure such data is used properly. The key responsibilities are:
- strategy and governance - to act as a champion for data confidentiality at Directorate Management level and as part of the organisation's Information Governance Board
- to provide confidentiality and data protection expertise - to develop a knowledge of confidentiality and data protection matters including links with external sources of advice and guidance
- internal information processing - to ensure that confidentiality issues are appropriately reflected in organisational strategies, policies and working procedures for staff
- information sharing - to oversee all arrangements, protocols and procedures where confidential social care information may be shared with external bodies, including disclosures to other public sector agencies and other outside interests
Data Protection Officer
The role of the Data Protection Officer (DPO) is to:
- assist the council to monitor internal compliance
- inform and advise the council on its data protection obligations
- provide advice regarding DPIAs
- act as a contact point for data subjects and the relevant supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK
- help the council demonstrate compliance
- be an easily accessible point of contact for staff, individuals and the ICO
The DPO must:
- report directly to our highest level of management
- be given the required independence to perform their tasks
- have expert knowledge of data protection law and practices
- be involved in a timely manner, in all issues relating to the protection of personal data
- be sufficiently well-resourced to be able to perform their tasks
- not be penalised for performing their duties
The DPO's contact details are published on the council’s website and intranet and have been communicated to the ICO.
The Council’s Corporate Directors and Directors
Corporate Directors and Directors have responsibility for:
- ensuring the council’s compliance with the current Data Protection legislation
- assigning responsibilities for adherence to the council’s policies and procedures
- ensuring that complaints from the public or from the ICO are dealt with promptly and appropriately
All staff with line management or supervisory responsibilities
Managers and supervisors are responsible for ensuring that staff under their control who process personal data in any way:
- are made aware of their personal obligations and responsibilities under the current data protection legislation
- receive appropriate training
- are made aware of the council’s policies and procedures relating to personal information
All individuals who have access to council data
Individuals who have access to council data are responsible for:
- complying with the council’s policies and legislation
- ensuring good data protection and privacy practices are followed at all times
- seeking advice, assistance and training when required
Associated and further reading
Further reading and information on data protection and privacy is available on the Information Commissioner’s Office website.