Element (09): Data Protection
In order to deliver services to the various communities in West Lothian, West Lothian Council requires gathering and processing personal data about residents, staff and other individuals.
Data Protection law regulates the processing of personal data by West Lothian Council. Data Protection law gives individuals the right to be advised of and receive copies of any personal data relating to them which is held by West Lothian Council.
Data Protection law is enforced and promoted by the Information Commissioner's Office. The ICO provide guidance and advice on complying with the terms of the law and investigate complaints regarding possible breaches of the obligations contained within the law.
The Information Commissioner maintains a register of fee payers listing all Data Controllers in the UK. Every organisation that processes personal information are required to pay a fee to the ICO, unless they are exempt. West Lothian's registration can be viewed on the Information Commissioner's Office website,registration number Z6925127.
Data Protection law sets out data protection principles which must be complied with when the council is processing personal data. The principles require that personal data is:
- processed lawfully, fairly, and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary;
- processed in a manner that ensures appropriate security, including protection against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Chief Solicitor is the Council's Data Protection officer and has responsibility for monitoring data protection compliance throughout the council. Each Head of Service has nominated an Information Liaison Officer who is responsible for providing routine advice on Data Protection to the Head of Service and other officers within the service and for co-ordinating responses to Subject Access Requests made to that service. The Information Liaison Officer will also act as the service representative on the Council's Information Management Working Group, which is chaired by the Data Protection Officer.
The council has an to ensure that the council complies with the requirements of Data Protection law. The Policy will be regularly reviewed by the Data Protection Officer and Information Management Working Group. In addition, the council has developed General Guidelines for officers to ensure compliance with the responsibilities of the council when processing personal data and also policies and procedures for the use of mobile electronic devices, the use of council e-mail and internet systems, the application of passwords to electronic information, the disposal of IT hardware.
The Council will enter into a Data Processing Agreement where a third party requires to be provided with personal data to allow it to deliver a service on behalf of the council. The Council will also ensure that Information Sharing Protocols are entered into when the council is proposing to share personal data in circumstances which are permitted in terms of the data protection principles.
All council officers are required to undertake data protection and information security training to ensure that personal data is processed in accordance with the data protection principles.