Data Protection Policy
1. Purpose and Scope
Mudford Parish Council is committed to protecting personal data and being transparent about how it collects, uses and safeguards information. This policy sets out how the council complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all personal data processed by the council, including data relating to:
- Employees, former employees and job applicants
- Councillors and former councillors
- Contractors, consultants and volunteers
- Parishioners, residents and members of the public
- Suppliers and representatives of partner organisations
Together these individuals are referred to as data subjects.
The Parish Clerk is the Council’s Data Protection Lead and is responsible for compliance. All queries and requests should be directed to the Clerk.
2. Definitions
“Personal data” is any information that relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information. It includes both automated personal data and manual filing systems where personal data are accessible according to specific criteria. It does not include anonymised data.
“Processing” is any use that is made of data, including collecting, recording, organising, consulting, storing, amending, disclosing or destroying it.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic or biometric data as well as criminal convictions and offences.
“Criminal records data” means information about an individual’s criminal convictions and offences, and information relating to criminal allegations and proceedings.
3. Data Protection Principles
All personal data is processed in accordance with the relevant data protection principles. The council will ensure data is:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept no longer than necessary
- Processed securely using appropriate technical and organisational measures
Mudford Parish Council has also adopted a Privacy Policy for Website Users and a Privacy Notice (Mudford Cemetery), which operate alongside this policy and provide additional information.
4. Lawful Bases for Processing
The Council will only process personal data where a lawful basis applies, including:
- Consent (where required)
- Performance of a contract (e.g. employment or services)
- Compliance with a legal obligation
- Performance of a task carried out in the public interest or official authority
- Legitimate interests (where these are not overridden by individual rights)
- Protection of vital interests
Where consent is relied upon, it may be withdrawn at any time.
Personal data related to council employees:
Sometimes the council will share employee personal data with contractors and agents to carry out its obligations under a contract with the individual or for its legitimate interests. The council requires those individuals or companies to keep personal data confidential and secure, and to protect it in accordance with data protection law and council policies. They are only permitted to process that data for the lawful purpose for which it has been shared and in accordance with the council’s instructions.
The council will update HR-related personal data promptly if advised that employee information has changed or is inaccurate. The employee may be required to provide documentary evidence in some circumstances.
The council keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
5. Special Category and Criminal Records Data
Special category and criminal records data will only be processed where permitted by law, including for employment obligations, safeguarding, legal claims, public interest functions, or where explicit consent has been given.
6. Individual Rights
All data subjects have rights under data protection law, including the right to:
- Be informed about how their data is used
- Access their personal data (subject access request)
- Rectify inaccurate or incomplete data
- Request erasure of data where applicable
- Restrict or object to processing in certain circumstances
- Complain to the Information Commissioner’s Office (ICO)
Subject access requests and rights requests should be made in writing to the Parish Clerk. Proof of identity may be required. The council has adopted a Subject Access Request Policy, which provides further information.
7. Information Security and Retention
The council has a duty to keep personal data secure. Appropriate technical and organisational measures are in place to protect data against unauthorised access, loss or disclosure.
Personal data will only be retained for as long as necessary for the purpose for which it was collected, in line with retention schedules. Data will be securely destroyed when no longer required.
8. Data Sharing and Contractors
Where necessary, personal data may be shared with contractors or service providers. All third parties are required to:
- Act only on the Council’s instructions
- Keep data confidential and secure
- Comply with data protection legislation
Personal data is not sold or shared for marketing purposes.
9. Data Breaches
The council has adopted a Data Breach Policy. All data breaches must be reported immediately to the Parish Clerk. The council will record all breaches and, where required, notify the ICO within 72 hours and affected individuals without undue delay.
10. International Transfers
The Council does not routinely transfer personal data outside the UK or EU. Any such transfer will only take place in accordance with the law and with appropriate safeguards.
11. Responsibilities
Everyone working for or on behalf of the council has a responsibility to protect personal data. Individuals must:
- access only data that they have authority to access and only for authorised purposes;
- not disclose data except to individuals (whether inside or outside the council) who have appropriate authorisation;
- keep data secure (for example by complying with rules on access to premises, computer access, including password protection, locking computer screens when away from desk, and secure file storage and destruction including locking drawers and cabinets, not leaving documents on desk whilst unattended);
- not remove personal data, or devices containing or that can be used to access personal data, from the council’s premises without prior authorisation and without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
- never transfer personal data outside the EU except in compliance with the law and with express authorisation from the Clerk or Chair of the Council; and
- ask for help from the council’s data protection lead if unsure about data protection or if they notice a potential breach or any areas of data protection or security that can be improved upon.
Council employees are responsible for keeping their personal data up to date. They should let the council know if data provided to the council changes, for example if they move to a new house or change their bank details.
Failure to comply with this policy may result in disciplinary action.
12. Complaints
If you have concerns about how your personal data has been handled, you should contact:
Parish Clerk / Data Protection Lead
Email: clerk@mudford-pc.gov.uk
You also have the right to complain to the Information Commissioner’s Office: https://ico.org.uk/
This policy was adopted by the council at its meeting held on 28th May 2026.