The privacy of your personal information is important to us. We are committed to providing you with services that are safe, secure, and trustworthy and protect your personal information and privacy.
Our old page on data protection and how to access your personal data has now moved to our Access to Information page.
Process personal data lawfully
Personal data will be collected and processed lawfully, for a specific and legitimate purpose, fairly and in a transparent manner. It will not be used for anything other than the stated purposes. We will aim to keep it accurate and, where necessary, up to date. Any inaccuracies will be amended or removed without undue delay. It will be stored only for as long as required, as specified in our privacy notices and records retention policy.
Be transparent with the information we collect and process
We want you to understand what information we collect and how it is used to provide you with a service. We operate a complex set of services, which often means we need to share your data with suppliers and partners who provide that service on our behalf. We explain what we do with your information through our set of customer privacy notices.
Be a guardian for your data and privacy
You trust us with your personal information and expect us to protect it and to use and share it appropriately. We operate an information governance regime, train staff in data protection, privacy and security, and have practices to manage personal data from collection through to destruction. We have carried out privacy impact assessments for a number of years to ensure the risks to your privacy are assessed when introducing new systems or changing processes. These will now become data protection impact assessments.
Be accountable to our privacy commitments
We take our commitment to privacy seriously and hold ourselves to a high standard. Our senior managers are accountable for holding and processing customer personal information. We have a Data Protection Officer and supporting function to audit this.
Provide privacy safe services
Personal data will be secured with appropriate measures that protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage. We ask our services to complete a data protection impact assessment when changing processes and when introducing new systems and services. We check that new suppliers have adequate data protection and security processes in place. We complete the annual NHS ‘toolkit’ assessment, which assures NHS partners that we are a trusted organisation with which to share health and care data. We also meet the annual Government security assurance required to use the public services network for email and access to systems.
Data protection legislation has changed. The General Data Protection Regulation (GDPR) is the legal framework in the EU that came into force on 25 May 2018. It gives individuals new rights over how their personal data is handled and stored. You have the right to know how your data has been processed and to make requests to us, depending on the lawful basis for that processing. You can find out about these rights on the regulator’s website, the Information Commissioner’s Office (ICO), www.ico.org.uk.
The Data Protection Act 2018 also came into force on 25 May 2018, replacing the 1998 Act. GDPR is therefore enshrined in UK law whatever the outcome of Brexit.
Personal data and special category data
The definition of personal data has been expanded to include an identification number, location data or an online identifier, reflecting changes in technology and in the way organisations collect information about people. Personal data that has been pseudonymised (for example key-coded) can still fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual. The special categories (previously called sensitive personal data) now specifically include genetic data, and biometric data where it is processed to uniquely identify an individual. Personal data relating to criminal convictions and offences is not a special category, but similar extra safeguards apply to its processing.
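To make the pseudonymisation point concrete, here is an added example (written for this edited page, not code from the council or its systems). It contrasts an unkeyed hash of a customer reference, which an outsider can reverse simply by hashing every possible reference, with a keyed (HMAC) pseudonym that can only be attributed by whoever holds the key or the matching lookup table. The records, the five-digit reference format and the key are all constructed assumptions for the illustration.

```python
"""Added example (not part of the council's page): why "key-coded"
pseudonymised data can still be personal data.

All records, keys and reference formats below are constructed for
this illustration and are not real council data or systems.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample records. A five-digit customer reference is a tiny
# identifier space (100,000 values), which is what makes an unkeyed hash weak.
RECORDS = [
    {"ref": "00123", "name": "A. Example", "postcode": "CV34 4RL"},
    {"ref": "04567", "name": "B. Example", "postcode": "CV32 5AA"},
]
REF_SPACE = 100_000  # every possible five-digit reference


def pseudonym_unkeyed(ref: str) -> str:
    """Plain SHA-256 of the identifier: anyone can recompute it."""
    return hashlib.sha256(ref.encode()).hexdigest()


def pseudonym_keyed(ref: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key held only by the data controller."""
    return hmac.new(key, ref.encode(), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(pseudonym: str) -> Optional[str]:
    """Recover a reference from an unkeyed hash by trying every candidate.

    Returns the matching reference, or None if no candidate hashes to it
    (which is what happens for a keyed pseudonym when the key is unknown).
    """
    for n in range(REF_SPACE):
        candidate = f"{n:05d}"
        if pseudonym_unkeyed(candidate) == pseudonym:
            return candidate
    return None


def build_key_table(records: List[dict], key: bytes) -> Dict[str, str]:
    """The 'key' in key-coding: a table mapping pseudonym back to reference.

    Whoever holds this table (or the HMAC key) can attribute the pseudonym
    to an individual, so the pseudonymised data stays personal data for them.
    """
    return {pseudonym_keyed(r["ref"], key): r["ref"] for r in records}


def pseudonymise_records(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifiers with a keyed pseudonym.

    The name is dropped and the pseudonym replaces the reference. The
    remaining fields (here the postcode) can still narrow down who the
    record is about, so this is pseudonymisation, not anonymisation.
    """
    return [
        {"pseudonym": pseudonym_keyed(r["ref"], key), "postcode": r["postcode"]}
        for r in records
    ]


def demo(key: bytes) -> dict:
    """Run both approaches over the sample records and report what an
    outsider without the key, and an insider with the table, can recover."""
    unkeyed = pseudonym_unkeyed(RECORDS[1]["ref"])
    keyed = pseudonym_keyed(RECORDS[1]["ref"], key)
    table = build_key_table(RECORDS, key)
    return {
        "unkeyed_recovered": reidentify_by_enumeration(unkeyed),       # '04567'
        "keyed_recovered_without_key": reidentify_by_enumeration(keyed),  # None
        "keyed_recovered_with_table": table[keyed],                     # '04567'
    }


if __name__ == "__main__":
    # A real deployment would draw this key from a secrets store, not code.
    print(demo(b"constructed-example-key-do-not-reuse"))
```

The practical reading: the hash alone does not decide whether the data is personal data; what matters is who can get from the pseudonym back to the person. An unkeyed hash of a small identifier space gives that ability to everyone, while a keyed pseudonym confines it to the holder of the key or lookup table, who must therefore still treat the data as personal data.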
We will apply an appropriate lawful basis for processing your data. For most of our public services this will be because we have a legal obligation, because the processing is a task in the public interest or in our official capacity, or because we have a contract with you. Some services will ask for your explicit consent, for example setting cookies when you visit our website, or contacting you by email or text with news updates.
Where we rely on your explicit consent as the lawful basis for processing your data, you can withdraw that consent or restrict or object to some elements of the processing. The ICO has a guide to consent. Please note that we may also ask for your consent to share sensitive health and care data with partners so that they can provide seamless continuity of service; this consent is required under the common law duty of confidentiality and is separate from data protection legislation.
To comply with the new law we must give you detailed information on why and how we process your data. This information is set out in privacy notices, and we have used the layered approach recommended by the ICO: a notice may be summarised at the point of collection, with a web link to fuller information. Printed versions are available. See our main customer privacy notice at www.warwickshire.gov.uk/privacy, which links to further service specific notices.
Requesting a copy of your information – subject access requests
This right is unchanged under the new law: everyone can ask the council for the information it holds about them. We would be grateful if you only ask for the information you actually need, to save time and allow us to be more efficient. We will not charge for this request unless we consider it excessive. Once we have a valid request we have one month to provide the information, which we can extend by up to two further months if the request is complex. We will provide the information in electronic form unless you ask otherwise. See our access to information page for help and for the section on requesting personal information.
You have the right to ask for inaccurate personal data to be corrected. This may be your contact details or, in the case of reports or assessments, a note added to the record.
The right to data portability allows you to ask for your personal data in an electronic form that can be used in, or transferred to, another organisation’s electronic processing system. This only applies where the lawful basis is a contract with you or your consent.
Where we rely on your consent as the lawful basis for processing your personal data, you have the right to withdraw your consent and to ask for your data to be deleted. As explained above, in many cases we will not rely on consent to process your information.
Automated decisions and profiling
After 25 May 2018, if we process your personal data by automated decision making (where no individual is involved in the final decision) and the decision has a legal or similarly significant effect on you, you can request a written explanation of the decision and contest its result. We will tell you in a privacy notice if we carry out automated decision making or profiling of this kind.
All organisations must be able to demonstrate, if asked by the regulator (the ICO), how they comply with the new law when collecting and processing your personal data. Contracts must be in place between us and any organisation (a data processor) that we ask to process your data on our behalf, for example to provide a service or host a system.
Data Protection Impact Assessments
Organisations are obliged to conduct a data protection impact assessment where processing is likely to result in a high risk to individuals. These assessments look at the privacy risk of introducing new technology, profiling, using special category data, matching data and a number of other types of processing.
Data Protection Officer
As a public authority we have a statutory duty to appoint a Data Protection Officer. Their role is described in the General Data Protection Regulation, with guidance from the ICO. They are independent, provide audit assurance, review data protection impact assessments and report to the highest authority for their role, the council Corporate Board and Joint Managing Directors. The Officer can be contacted by emailing: firstname.lastname@example.org
We started our preparations in 2016 and have a formal project to manage our preparation for GDPR. The project reports to the council Corporate Board and senior management. We have used the expertise of our internal Information Management and Legal staff to advise and audit all our services. So far we have:
- Appointed the Information Manager as the statutory Data Protection Officer
- Reviewed our key contracts with our suppliers and partners, implemented contract variations for GDPR compliance and technical data and security questions
- Conducted a comprehensive audit of all our services to determine current processing and reviewed high risk areas to see if any changes are needed to meet GDPR requirements
- Determined the lawful basis for processing to meet GDPR requirements
- Developed layered privacy notices: a new customer privacy notice plus service area and service specific privacy notices to inform customers
- Developed a programme of communications to staff to raise awareness with regular presentations, updates and new intranet material
- Implemented supplementary training material for staff on GDPR and cyber security, in addition to our mandatory information compliance training
- Reviewed and revised information policies and procedures for staff and customers
We will continue the project during 2018 and into 2019 which will include:
- Maintaining a ‘Record of Processing Activity’ for our services to meet GDPR requirements
- Updating all data audits
- Updating our privacy impact assessment procedures to change to data protection impact assessments, following new guidance from the ICO on 15 May 2018
- Developing service specific privacy notices where required
- Ongoing checking of internal and hosted systems for GDPR compliance
GDPR requires Warwickshire County Council (as data controller) to assess the risk to the confidentiality, integrity and availability of data held by any provider of systems or services (as data processor). See Article 32 of GDPR, “Security of processing”.
The personal information (contact details) you provide is needed so that we know which system to attribute your answers to, and so that we can contact you if we need more information. Your answers will only be used for our GDPR security review of existing suppliers and will be stored as part of that review.
See the link below for our questionnaire. There is no right or wrong way to answer the questions; they simply allow us to perform a risk assessment. Every question must be answered (even if only with N/A), or supplier approval may be delayed while we seek further detail to gain assurance. You may like to view or print off the questions first.
Questionnaire: GDPR Primary Security Risk Assessment