*
Data Protection and Freedom of Information
Home > Services > Council and democracy > Data Protection and Freedom of Information > London Borough of Lambeth Data Protection Policy

London Borough of Lambeth Data Protection policy


Introduction

This policy outlines how the London Borough of Lambeth ('the council') will comply with its responsibilities under the Data Protection Act 1998 ('the Act').

The council is a data controller, as defined under the Data Protection Act 1998. It fully endorses and adheres to the Eight Principles of the Act (see The Eight Data Protection Principles).

All council employees, contractors and elected members will be bound by its conditions and will be responsible for compliance with this policy and the Act.

The council's Data Protection Advisor has responsibility for overseeing compliance with this policy and producing guidelines to achieve the standards laid down in this policy.

All council departments will have at least one nominated Data Protection Officer. These Officers will assist the Data Protection Advisor in ensuring that their department fulfils their obligations under this policy and the Act.

The council may take necessary remedial action (including disciplinary action) against any employee, contractor or elected member found to be in breach of this policy or the Act.

The requirement to notify with the Information Commissioner

Under the Act Data Controllers are required to notify with the Information Commissioner.

The council's notification with the Information Commissioner outlines in general terms, the purposes for which the council will process personal data and the type of personal information that is processed.

The council will maintain its notification entry and regularly review its processing to ensure that the notification entry is accurate and up to date.

The council's notification can be viewed on the Data Protection Public Register (the council's notification number is Z7599824).

Information handling and collection (first and second principles)

The council will process all personal data for the purpose of providing an effective delivery of service in accordance with the aims, responsibilities and obligations of the council.

All personal data will be processed in accordance with the council's notification with the Information Commissioner.

Personal data will only be collected where there is a specific purpose. It will not be used for any other purpose except where allowed by the Act or required by law.

The council will, at the point of collection and as far as it is practicable, inform individuals of the purposes for which the council will use their personal data.

The council carries out data matching exercises to identify any anomalies or inconsistencies and also:

  • For the prevention and detection of fraud; and
  • When required by law.

Records management (third, fourth and fifth principles)

Council departments will take all reasonable steps to ensure that the personal data they hold is accurate in respect of matters of fact and where necessary, kept up to date.

Opinions recorded on file will be carefully and professionally expressed.

The council will hold only that personal data which is needed to carry out its duties.

The council will not hold personal data for longer than it is reasonably required in line with the councils Document Retention and Disposal Standard.

Individual rights (sixth principle)

The council will process personal data in line with data subject rights (see Individual rights under the Data Protection Act 1998).

All requests for personal data from data subjects will be dealt with in accordance with the council's Subject Access Request policy.

Performance in processing subject access requests will be regularly monitored and evaluated.

Queries about how the council processes personal data will be promptly and courteously dealt with.

Security (seventh principle)

All staff processing personal data on the council's behalf will be appropriately trained and understand that they are contractually responsible for following good Data Protection practice.

Methods of processing personal information are clearly communicated within the council.

Access to the council's systems will be password protected to ensure that personal information is only accessible by those individuals that need it to undertake their job.

Paper files and manual records containing personal data will be stored in secure environments.

When working away from one of the council's offices, staff are responsible for ensuring that personal data is held securely and in line with the council's remote working agreement.

Records containing personal data will be safely and responsibly disposed of when they are no longer required.

All staff will adhere to the council's IT and Security Policies and Procedures.

All reasonable steps will be taken to guarantee that any Data Processor that the council uses has appropriate technical and organisational security measures in place to safeguard personal data.

Disclosures of personal data

The council reserves the right to disclose information under certain circumstances where allowed by law.

Disclosures routinely made by the council are listed in the council's notification with the Information Commissioner.

When a request for disclosure is made by an organisation, the council will consider each request individually and where a disclosure takes place, the council will disclose only the minimum amount necessary.

If the council is sharing personal data on a regular basis with other organisations we will ensure that there are written protocols in place governing the sharing of that personal data and that these are published on our website.

While information relating to deceased individuals is not covered by the provisions of the Data Protection Act, confidentiality will still be maintained in respect of this information. Disclosures of deceased individuals' information will only occur where they are allowed by law.

Criminal offences

There are a number of criminal offences contained within the Act (see appendix 4).

Any council employee, contractor, or elected member who is accused of a criminal offence under the Act must report it immediately to the council's Data Protection Advisor.

Any council employee, contractor or elected member that is found guilty of a criminal offence under the Act may face disciplinary or other action where appropriate.

Any council employee, contractor, or elected member who suspects a criminal offence has been committed must report it to the council's Data Protection Advisor.

Complaints, enforcement and dealing with breaches

Complaints regarding the handling of requests for information under the Data Protection Act should be passed to our Corporate Complaints team in line with the Data Protection Internal Review Procedure.

Any council employee, contractor or elected member who suspects that a breach of the Act has or will occur, must report it to the council's Data Protection Advisor immediately.

All council employees, contractors and elected members are expected to co-operate in full with any investigation undertaken by (or on behalf of) the Data Protection advisor or the Monitoring Officer into an alleged breach of the Act.

Contact information

The council's Data Protection Advisor can be contacted at:

  • Data Protection Advisor
    Strategy, Transformation and Technology
    c/o Lambeth Town Hall
    Brixton Hill
    London SW2 1RW
    Tel: 020 7926 2341.

Further information about the Data Protection Act is available from:

  • The Information Commissioner's Office
    Wycliffe House
    Water Lane
    Wilmslow SK9 5AF
    Tel: 01625 545745
    Website: www.ico.gov.uk

Appendices

 

Useful Information
Forms
Useful Websites
© Copyright | Disclaimer | Privacy | Web Data Protection Charter | Accessibility | Site map
Home | Services A to Z | News | Forms | Payments | About Lambeth | Contact us | How to use this site