GDPR & Privacy Policy

North Elmham Parish Council

General Data Protection Regulation Policy

Adopted:  October 2018

To be reviewed annually

Purpose of the policy and background to the General Data Protection Regulation

This policy explains to councillors, staff and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR which apply in the UK from May 2018. The Government have confirmed that despite the UK leaving the EU, GDPR will still be a legal requirement. This policy explains the duties and responsibilities of the council and it identifies the means by which the council will meet its obligations.

Identifying the roles and minimising risk

GDPR requires that everyone within the council must understand the implications of GDPR. The Council is the data controller and has a duty to undertake an information audit and to manage the information collected, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information. 

GDPR requires continued care by everyone within the council, councillors and staff, in the sharing of information about individuals, whether as a hard copy or electronically. A breach of the regulations could result in the council facing a fine from the Information Commissioner’s Office (ICO) for the breach itself and also to compensate the individual(s) who could be adversely affected. Therefore, the handling of information is seen as high / medium risk to the council (both financially and to its reputation) and one which must be included in the Risk Management Policy of the council. Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with new projects), minimising who holds data protected information and the council undertaking training in data protection awareness.

Data breaches

Personal data breaches should be reported to the Council for investigation.  Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach. The ICO will be advised of a breach (within 3 days) where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the DPO will also have to notify those concerned directly.

It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for the Council, for example the discussion of internal council matters on social media sites could result in reputational damage for the Council and to individuals.

Privacy Notices

Being transparent and providing accessible information to individuals about how the Council uses personal data is a key element of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what a council does with their personal information. A privacy notice will contain the name and contact details of the data controller and Data Protection Officer, the purpose for which the information is to be used and the length of time for its use. It should be written clearly and should advise the individual that they can, at any time, withdraw their agreement for the use of this information. Issuing of a privacy notice must be detailed on the Information Audit kept by the council. The council will adopt a privacy notice to use, although some changes could be needed depending on the situation, for example where children are involved.

Information Audit

An information audit must be undertaken which details the personal data held, where it came from, the purpose for holding that information and with whom the council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when the council undertakes a new activity. The information audit review should be conducted ahead of the review of this policy and the reviews should be minuted.

Individuals’ Rights

GDPR gives individuals rights with some enhancements to those rights already in place:

  • the right to be informed 
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling.

The two enhancements of GDPR are that individuals now have a right to have their personal data erased (sometime known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.

If a request is received to delete information, then the Council must respond to this request within a month.

If a request is considered to be manifestly unfounded then the request could be refused or a charge may apply. The charge will be as detailed in the Council’s Freedom of Information Publication Scheme.


There is special protection for the personal data of a child. The age when a child can give their own consent is 16. If the council requires consent from young people under 16, the council must obtain a parent or guardian’s consent in order to process the personal data lawfully. Consent forms for children age 16 plus, must be written in language that they will understand.


The main actions arising from this policy are:

  • The Council must be registered with the ICO.
  • A copy of this policy will be available on the Council’s website. The policy will be considered as a core policy for the Council.
  • The Clerk’s Contract and Job Description (if appointed as DPO) will be amended to include additional responsibilities relating to data protection.
  • An information audit will be conducted and reviewed at least annually or when projects and services change.
  • Privacy notices will be on the Council’s website.
  • Data Protection will be included on the Council’s Risk Management Policy.


This policy document is written with current information and advice. It will be reviewed at least annually or when further advice is issued by the ICO.

All employees, volunteers and councillors are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of the Council.


Privacy Statement


This privacy statement describes what happens to any personal data that you give to us, or any data that we may collect from or about you. Personal data includes information such as name, address, email address, phone number etc. Your personal data may be processed and stored to enable us to contact you and respond to your correspondence, provide information and/or access our facilities and services.

Source of your Personal Data

We collect data from the following sources:

  • You directly
  • Your family members

Data Protection Principles

We will comply with data protection law. This says that personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary.
  • Kept secure.

Legal Basis for Processing your Personal Data

The General Data Protection Regulation   Article 6 sets out the legal basis for processing data. We will rely on one of the following four (sometimes more than one will apply):

  1. Processing is with consent of the data subject
  2. Processing is necessary for the performance of a contract
  3. Processing is necessary for compliance with a legal obligation
  4. Processing is necessary for the performance of a task carried out in the public interest

Sharing your Data

The Council may share your personal data with the following ‘third parties’

  • The District or County Council – so that we can resolve your query or problem
  • Our bank –  for making payments to you
  • Our auditors
  • Other organisations and business who provide services to us such as back-up and email hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions.

We have worked with these third parties to ensure they understand their obligation to put in place appropriate security measures and that they will be responsible to you directly for the manner in which they process and protect your personal data.


We will not process any data relating to a child (under 13) without the express parental/ guardian consent of the child concerned.

Sensitive Data

In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like and the reason that we need it, so that you can carefully consider whether you wish to consent.

Your Rights

Here is a list of the rights that all individuals have under data protection laws. They do not apply in all circumstances. If you wish to use any of them, we will explain at that time if they are appropriate or not.

  • The right to be informed about the processing of your personal information.
  • The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed.
  • The right to object to processing of your personal information.
  • The right to restrict processing of your personal information.
  • The right to have your personal information erased (the “right to be forgotten”).
  • The right to request access to your personal information and to obtain information about how we process it.
  • The right to move, copy or transfer your personal information (“data portability”).

If you wish to exercise any of these rights, please contact us using the details below.

You also have the right to complain to the Information Commissioner’s Office which enforces data protection laws: Tel: 0303 123 1113


In accordance with the law, we only collect a limited amount of information about you that is necessary for correspondence, information and service provision. We do not use profiling, we do not sell or pass your data to third parties. We do not use your data for purposes other than those specified. We make sure your data is stored securely. We delete all information deemed to be no longer necessary. We may update this page from time to time to reflect changes in the law and/or our privacy practices.

Contact Us

North Elmham Parish Council

Address    1 Townshend Green West, Fakenham, Norfolk, NR21 8NQ

Telephone number    01328 855046

Email address

Website address (where Data Protection information is available)

Published: September, 2018

Review date: September 2019

Powered by Charity Edit