Data protection and GDPR
Policies and training
We have updated our data protection and cyber security eLearning to make sure our staff are trained in how to handle personal information. We have also updated all of our policies and procedures to make sure our staff have the right information. We will continue to review this material and update it as the regulator publishes new guidance and best practice information.
System review and security
We make sure the systems we use have sufficient controls and security in place so that staff can be managed effectively and to protect against external threats. The Council employs an IT Security Manager to review and ensure IT security compliance, and we work with the Data Protection Officer to make sure that both existing and new systems have adequate protections and security, including firewalls, encryption and external audit (for example, certification and penetration testing).
Contracts and third parties
GDPR requires us to review our contractual terms to make sure that the other organisations and businesses we work with have the correct protections and clauses in place for using personal data. There are standard terms and conditions approved by our legal services team. Relationships with third parties have been reviewed and either updated contractual terms or information-sharing agreements have been put into place.
Elected councillors will only be able to help with the concerns you raise with them if they can use your personal information. When your information is received, the councillor becomes the controller of it under the data protection rules. The legal bases for processing your information would include consent and public task (for example, legitimately dealing with your case). A councillor may sometimes need to share your data on a ‘need to know’ basis with council officials or with agencies such as the NHS, charities or other councillors, in order to resolve your issue. Councillors will not pass your personal details to anyone else, unless required to do so by law, and will not use them for any other purpose. Unless you are advised otherwise, councillors hold personal information on a computer system provided and managed by Buckinghamshire Council. Councillors will securely dispose of your information in line with retention periods held by the Council.
Dataset and risk management
We are required to risk assess all the different ways that the council collects, uses, stores, shares and destroys personal data. The council has completed a detailed assessment of its different systems, files and processes and has identified a programme of improvements and best practice to be shared throughout the organisation. The output of this is a register of Data Protection Impact Assessments and an Information Asset Register that helps to show the scale of the data used and its compliance with the GDPR.
Legal basis and legal standards
Buckinghamshire Council is a ‘creature of statute’ and as such the vast majority of what the council does is because there is a legal requirement to do it. The council has identified all the different legal reasons for the collection and use of data which have been captured within the Data Protection Impact Assessments of each dataset.
How to raise a complaint about the processing of your personal data
If you are unhappy with the service you have received in relation to your request and wish to request an internal review of our decision, you can contact us by email or post:
If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioner for a decision.
You can contact the ICO online or by post to:
Information Commissioner’s Office
Wycliffe House, Water Lane
Or call them on 0303 123 1113.