Latest News – Page 24

Data Protection Policy

8 March 2022 by Dee Holroyd

Hanworth Parish Council Data Protection Policy

Purpose of the policy and background to Data Protection

This policy explains to councillors, staff and the public about data protection. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy explains the duties and responsibilities of the council and it identifies the means by which the council will meet its obligations.

Identifying the roles and minimising risk

Data protection legislation requires that everyone within the council understands the implications and that roles and duties are assigned. The Council is the data controller and the clerk is the data processor. It is the Clerk’s duty to undertake an information audit, manage the information collected by the council, issue privacy statements, deal with requests and complaints raised and arrange for the safe disposal of information.

Data protection legislation requires continued care by everyone within the council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as high / medium risk to the council (both financially and reputationally) and one which will be included in the risk assessments of the council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the council undertaking training in data protection awareness.

Data breaches

The Clerk will investigate data breaches. Investigations will be undertaken within one month of the report of a breach and the details and findings will be reported to the full council. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the clerk will also notify those concerned directly.

It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and councillors to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.

Privacy Statement and Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the data protection legislation. The most common way to provide this information is in a privacy statement. This statement informs individuals about what the council does with their personal information, how it will be circulated to and between councillors and their legal rights

Privacy notices will be used from time-to-time when data is collected for specific purposes e.g. allotment holders. The notice will contain the name and contact details of the data controller, the purpose for which the data is to be used and the length of time it will be retained. It will be written clearly and will advise the individual that they can, at any time, withdraw their agreement for the use of this data (if applicable). Issuing of a privacy notice will be detailed on the Information Audit kept by the council. The council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved. Where consent is being relied on as the lawful basis for processing the data, privacy notices must contain a positive opt-in and be verifiable.

Information Audit

The Clerk will undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the council undertakes a new activity. The information audit review will be conducted ahead of the review of this policy and the reviews will be minuted.

Individuals’ Rights

Data protection legislation gives individuals rights:

the right to be informed
the right of access
the right to rectification
the right to erasure
the right to restrict processing
right to data portability
the right to object
the right not to be subject to automated decision-making including profiling.

If a request is received to delete information, then the Clerk must respond to this request within a month. The Clerk has the delegated authority from the Council to delete information.

If a request is considered to be manifestly unfounded then the request could be refused, or a charge may apply. The Council will be informed of such requests and will determine the charge.

Children

There is special protection for the personal data of a child. The age when a child can give their own consent is 13. If the council requires consent from young people under 13, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children aged 13 plus, must be written in language that they will understand.

Summary

The main actions arising from this policy are:

The Council must be registered with the ICO.
A copy of this policy will be available on the Council’s website.
An information audit will be conducted and reviewed at least annually or when projects and services change.
A privacy statement will be available on the council’s website and reference to it will be made in all emails sent from the council’s email address.
Privacy notices will be issued where appropriate.
Data Protection will be included in the Council’s risk assessment.
The full council manages the process.

This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.

All employees, volunteers and councillors are always expected to comply with this policy to protect privacy, confidentiality and the interests of the Council.

Reviewed…26^th May 2021………………….

For review …May 2022…………………

Transparency Code

8 March 2022 by Dee Holroyd

Transparency for Smaller Exempt Councils

What is a smaller exempt council?

Councils where neither gross receipts nor gross payments for the financial year exceed £25,000.

Two sets of rules

There are two sets of special rules for these councils: the requirement to comply with the Transparency Code for Smaller Authorities and ‘exempt authority’ status. The

Transparency Code for Smaller Authorities (‘the Code’) became mandatory on 1 April 2015. It applies to all ‘under £25,000’ councils whether or not they choose to become ‘exempt authorities’.

What you must do in relation publication of information

The Code requires all ‘under £25,000’ councils to publish certain information on a freely accessible website (not necessarily a dedicated council website but obviously councils will wish to consider issues of control and access if they use someone else’s website).

The first category of information relates to information about meetings. Councils must publish minutes, agendas and ‘associated meeting papers’ of all council, committee and sub-committee meetings on the website. Agendas and meeting papers must be published at least three clear days before the meeting. Minutes or draft minutes must be published not later than one month after the meeting. There is no objection to publishing draft (unapproved) minutes as long as they are clearly marked as such; they should be replaced by approved minutes shortly after the meeting at which they were approved.

The Code does not say how long agendas, minutes and papers should remain on the website but the template guide to information published by the Information Commissioner’s Office in relation to a Publication Scheme says ‘current and previous council year’.

The rest of the information relates to a financial year and must be published on the website by 1 July* following the end of the financial year. The information is:

The approved and signed AGAR (Annual Governance Statement – Section 1 and Accounting Statements – Section 2), and the internal auditor’s report page from the AGAR.
The year-end bank reconciliation and explanation of significant variances.
A list of all payments over £100 (date incurred, summary of purpose, amount and VAT that cannot be recovered).
A list of ‘councillor responsibilities’, such as member of the Playing Fields Committee, Trustee of the Village Hall, member of the Norfolk Day working group.
Details of the council’s land and building assets (description, location, owner/custodian, date and cost of acquisition and present use).

The Code sets out what details of expenditure, councillor responsibilities and land and building assets are required. However, the Code does not say how long financial information must remain on a website but it would be sensible to have information for the most recent financial year and the preceding one.

How must you deal with ‘Exemption’?

‘Exempt authorities’ (see below) do not have an audited Annual Return (called the AGAR) but they must publish the unaudited (but approved and signed) AGAR by 1 July* as part of the requirements of the Transparency Code for Smaller Authorities.

A decision to certify as an exempt authority must be made at a full council meeting and the council must publish a notice stating that it has taken this decision and explain the effect of the decision.

An exempt authority must still prepare the AGAR and have it approved at a Full Council meeting by 30 June**, publish the approved and signed Annual Return on a website (by 1 July at the latest*) and advertise electors’ rights. The RFO must also publish a statement to state that the accounts will not be audited unless an elector makes an objection to the accounts.

Councils which certify as exempt authorities must notify the SAAA Ltd (1) that they are exempt authorities. SAAA Ltd will not appoint an external auditor for an exempt authority unless an elector makes an objection and if this does happen the external auditor’s work will be limited to dealing with the objection.

(1) The ‘sector led body’ is called the Smaller Authorities’ Audit Appointments Ltd (‘SAAA Ltd’). SAAA Ltd will essentially perform the procurement function formerly performed by the Audit Commission. In other words it will provide an external auditor for any town or parish council which has not ‘opted out’ and will also set the audit fees for such an auditor.

Risk Management

8 March 2022 by Dee Holroyd

Hanworth Parish Council

Risk Management Policy

About the Council

Hanworth Parish Council is a small parish council as defined by the Local Audit and Accountability Act 2014. The Council has varying activities and functions and is currently insured through Came & Company. The Insurance Policy is for a term of 1 year, and is due for renewal /05/2022.

The contact details for the insurers are:

Came & Company

Blenheim House

1-2 Bridge Street

Guildford GU1 4RY

The Clerk retains the insurance file and will deal with all matters relating to risk and insurance. This is detailed in the Clerk’s Job Description and supported by ‘Governance and Accountability 2019’. The Council supports the Clerk in this role by providing training opportunities. The Council agrees the Risk Management Policy which is reviewed every year.

Main Actions in relation to risk management

The Asset Register is updated during the course of the year by the Clerk.
Risk assessments (Health and Safety) are written and updated by the Clerk where appropriate, or another designated body. Copies of risk assessments are retained.
Sites are inspected at least annually and records are retained.
Play Areas are inspected weekly and an annual inspection must be carried out by an external qualified inspector. All inspections must be retained for at least 22 years.
The Council reviews the Insurance Policy prior to renewal.
Financial Risk Assessments are carried out by the Clerk / Responsible Financial Officer, as required.
Documentation is kept safely and securely.
The Council reviews its systems of Internal Control at least annually.

The Risks identified for the Council [Example below]:

Risks	Likelihood v Impact = Risk Rating	Mitigation	By what means	Action
Operational
Staff (Clerk)	High · Accident at work · Sickness · Terminates employment	Employer’s Liability in place Lone Worker’s Policy Adequate Working Balance Adequate Working Balance	Insurance Policy Budgeted	Clerk and Council
Members of the public attending meetings	Low · Accident · Incident	Public Liability Insurance Visual Inspection – recorded Standing Orders in place	Insurance Policy Village Hall Chairman / Committee or Council	Clerk VH Chairman / Committee
SAM2 Speed watch volunteers	Medium · Roadside accident · Lifting heavy equipment	Risk Assessment and training for use of SAM2 provided Public Liability Insurance Asset Insurance	Westcotec Council £10 million Public Liability Insurance Policy Asset Register maintained and Insurers advised	Clerk arranged Asset Register updated annually by Clerk
Contractors	Medium · Public accident	Public Liability Insurance Contractors own Public Liability	Insurance Policy Council and Contractor (£10 million)	Clerk
Risks	Likelihood v Impact = Risk Rating	Mitigation	By what means	Action
Financial
Cash flow and end of year balance	Medium	Budget prepared Budget Monitoring document provided to members Reserve funds allocated Fidelity Guarantee in place Internal Controls in place	Clerk / RFO Insurance Policy Policies reviewed annually	Council to agree and review
Handling of cash	Medium	Two people designated to count and bank cash	Insurance cover for retention of cash	Council to agree and review
Audit challenges	Medium	Audit control policies in place and reviewed	Clerk / RFO	Council to agree and review
Data Protection	Medium	DPO appointed Clerk and Councillors trained Finance Committee has delegated power to manage the process Data Protection Policy adopted	Clerk / RFO Clerk / Councillors Finance Committee Council	Council to agree and review

[Policy Document]

Date agreed: 24/05/2020

Date to be reviewed: August 2021

(1 year from date of agreement)

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.