Policies

General Data Protection Regulations

As you may be aware, the new General Data Protection Regulation (GDPR) came into force on May 25th 2018. To ensure Council is compliant with the new regulations we have updated our Email Policy and Privacy Policy below:

Privacy Impact Assessment (PIA)

Introduction

Privacy impact assessments were launched in the UK by the Information Commissioner in December 2007, and mandated by the Cabinet Office for Information Communications Technology (ICT) projects following the Data Handling Review in June 2008.

Purpose

The purpose of this document is to set out the process for completing Privacy Impact Assessments to identify any impact on privacy where a new service or system is introduced.

Scope

This procedure is to be followed in the following circumstances:

  • Introduction of a new information system to collect and hold personal data (consultation is seen as one of these purposes)
  • Update or revision of a system that might alter the way in which the Council uses, monitors and reports personal information.
  • Changes to an existing system where additional personal data will be collected, a proposal to collect personal data from a new source or for a new activity.
  • Plans to outsource business processes involving storing and processing personal data.
  • Plans to transfer services from one provider to another that include the transfer of information assets
  • Any change to or introduction of new data sharing agreements
  • Data sharing initiative where two or more organisations seek to pool or link sets of personal data
  • Any change to access of an information asset that involves an external organisation
  • Changes in legislation, policy or strategies which will impact on privacy through the collection of or use of information, or through surveillance or other monitoring.

Responsibility

Any person who is responsible for introducing a new or revised service or changes to an existing service, process or information asset is responsible for ensuring the completion of a PIA and therefore must be effectively informed of these procedures.

PIA Process

A PIA should incorporate the following steps (ICO, 2016):

  • Identify the need for a PIA
  • Describe the information flows
  • Identify the privacy and related tasks
  • Identify and evaluate the privacy solutions
  • Sign off and record the PIA outcomes
  • Integrate the outcomes into the project plan
  • Consult with internal and external stakeholders as needed throughout the process