Your Guide to Data Protection

In order to operate effectively, the City and County of Swansea Council (the Authority) has to obtain certain types of information about persons working and residing in its area.

The information the Authority holds on individuals, which identifies that individual is known as personal data; for example, Members, former and current and prospective employees, suppliers, clients/customers and information on an individual which the Authority is occasionally required by law to provide to government departments.

The term personal data applies to any material which identifies a living individual for example photographs, CCTV footage, information held on computer disk and most paper records. To ensure that the Authority handles personal data lawfully and appropriately it must comply with the Data Protection Act 1998 (the Act) and in particular the 8 Data Protection principles as set out in Part 1, Schedule 1 of the Act.

The Authority endorses and adheres to the Data Protection principles.

The Data Protection principles require that personal data:-

• Shall be processed fairly and lawfully and in particular shall not be processed unless specific conditions are met
  
• Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  
• Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  
• Shall be accurate and when necessary kept up to date.
  
• Shall not be kept for longer than is necessary for that purpose or those purposes
  
• Shall be processed in accordance with the rights of the Data subject under the Act
  
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
  
• Shall not be transferred to a country of territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.
  

As part of its commitment to maintaining public confidence and the successful operation of this policy, the Authority will:-

• Ensure that is designated Data Protection Officer with specific responsibility for data protection.
  
• Ensure that employees handling personal data understand that they are contractually responsible for compliance with the data protection policy and are appropriately trained and supervised for these purposes.
  
• Formulate a data subject access request procedure for corporate use.
  
• Conduct a regular review, assessment, evaluation and audit of the way personal data is managed within the Authority.
  
• Ensure that persons making enquiries about personal data are dealt with promptly and are appropriately advised of their rights and the Authority's procedure in making requests for personal data under the Data Protection Act, 1998.