Sutton Parish Council 

GENERAL PRIVACY NOTICE 
 
Your personal data – what is it? 
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than names but if you use a separate list of the ID numbers which give the corresponding names to identify the staff in the first list then the first list will also be treated as personal data). The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR) and other legislation relating to personal data and rights such as the Human Rights Act. 
 
Who are we? 
This Privacy Notice is provided to you by Sutton Parish Council which is the data controller for your data. 
 
Other data controllers the council works with: 
Local Authorities 
Community groups 
Charities 
Other not for profit entities 
Contractors 
 
We may need to share your personal data we hold with them so that they can carry out their responsibilities to the council. If we and the other data controllers listed above are processing your data jointly for the same purposes, then the council and the other data controllers may be “joint data controllers” which mean we are all collectively responsible to you for your data. Where each of the parties listed above are processing your data for their own independent purposes then each of us will be independently responsible to you and if you have any questions, wish to exercise any of your rights (see below) or wish to raise a complaint, you should do so directly to the relevant data controller. 
A description of what personal data the council processes and for what purposes is set out in this Privacy Notice. 
 
The council will process some or all of the following personal data where necessary to perform its tasks: 
Names & titles, and aliases, photographs; 
Contact details such as telephone numbers, addresses, and email addresses; 
 
How we use sensitive personal data 
We may process sensitive personal data: in – order to comply with legal requirements. 
These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. 
We may process special categories of personal data in the following circumstances: 
In limited circumstances, with your explicit written consent. 
Where we need to carry out our legal obligations. 
Where it is needed in the public interest. 
Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. 
 
Do we need your consent to process your sensitive personal data? 
In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. 
 
The council will comply with data protection law. This says that the personal data we hold about you must be: 
Used lawfully, fairly and in a transparent way. 
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes. 
Relevant to the purposes we have told you about and limited only to those purposes. 
Accurate and kept up to date. 
Kept only as long as necessary for the purposes we have told you about. 
Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data to protect personal data from loss, misuse, unauthorised access and disclosure. 
 
We use your personal data for some or all of the following purposes: 
To deliver public services including to understand your needs to provide the services that you request and to understand what we can do for you and inform you of other relevant services; 
To confirm your identity to provide some services; 
To contact you by post, email, telephone or using social media (e.g., Facebook, Twitter, WhatsApp); 
To enable us to meet all legal and statutory obligations and powers including any delegated functions; 
To promote the interests of the council; 
To maintain our own accounts and records; 
To seek your views, opinions or comments; 
To notify you of changes to our facilities, services, events and staff, councillors and other role holders; 
To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives; 
To process relevant financial transactions including grants and payments for goods and services supplied to the council 
To allow the statistical analysis of data so we can plan the provision of services. 
 
What is the legal basis for processing your personal data? 
The council is a public authority and has certain powers and obligations. Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers. Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the council’s obligations to you. 
We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy 
Sometimes the use of your personal data requires your consent. We will first obtain your consent to that use. 
 
Sharing your personal data 
This section provides information about the third parties with whom the council may share your personal data. These third parties have an obligation to put in place appropriate security measures and will be responsible to you directly for the manner in which they process and protect your personal data. It is likely that we will need to share your data with some or all of the following (but only where necessary): 
 
The data controllers listed above under the heading “Other data controllers the council works with”; 
Our agents, suppliers and contractors. For example, we may ask a commercial provider to publish or distribute newsletters on our behalf, or to maintain our database software; 
On occasion, other local authorities or not for profit bodies with which we are carrying out joint ventures e.g. in relation to facilities or events for the community. 
 
How long do we keep your personal data? 
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed. 
 
Your rights and your personal data 
You have the following rights with respect to your personal data: 
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights. 
 
1) The right to access personal data we hold on you 
At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, who has access to the personal data and where we obtained the personal data from. Once we have received your request we will respond within one month. 
There are no fees or charges for the first request but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.  
2) The right to correct and update the personal data we hold on you 
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated. 
3) The right to have your personal data erased 
If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold. 
When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it for to comply with a legal obligation). 
4) The right to object to processing of your personal data or to restrict it to certain purposes only 
You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data. 
5) The right to data portability 
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request. 
6) The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained 
You can withdraw your consent easily by telephone, email, or by post (see Contact Details below). 
7) The right to lodge a complaint with the Information Commissioner’s Office. 
You can contact the Information Commissioners Office on 0303 123 1113 or via email at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. 
 
Transfer of Data Abroad 
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas. 
 
Further processing 
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing. 
 
Changes to this notice 
We keep this Privacy Notice under regular review and we will place any updates on this web page. This Notice was last updated in July 2018. 
 
Contact Details 
Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you or to exercise all relevant rights, queries or complaints at: 
Sutton Parish Council, 9 Sutton Road, Poynton, SK12 1SU 
Approved – July 2018 – Res 77-18 
 
SUTTON PARISH COUNCIL 
PRIVACY NOTICE 
 
For staff*, councillors and Role Holders** 
*“Staff” means employees, workers, agency staff and those retained on a temporary or permanent basis 
**Includes, volunteers, contractors, agents, and other role holders within the council including former staff*and former councillors. This also includes applicants or candidates for any of these roles. 
 
Your personal data – what is it? 
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photograph, video, email address, or address). Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual (e.g. a list of staff may contain personnel ID numbers rather than names but if you use a separate list of the ID numbers which give the corresponding names to identify the staff in the first list then the first list will also be treated as personal data). The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (the “GDPR”) and other legislation relating to personal data and rights such as the Human Rights Act. 
 
Who are we? 
This Privacy Notice is provided to you by Sutton Parish Council which is the data controller for your data. 
 
The council works together with: 
Other data controllers, such as local authorities, public authorities, central government and agencies such as HMRC and DVLA 
Staff pension providers 
Former and prospective employers 
DBS services suppliers 
 
We may need to share personal data we hold with them so that they can carry out their responsibilities to the council and our community. The organisations referred to above will sometimes be “joint data controllers”. This means we are all responsible to you for how we process your data where for example two or more data controllers are working together for a joint purpose. If there is no joint purpose or collaboration then the data controllers will be independent and will be individually responsible to you. 
 
The council will comply with data protection law. This says that the personal data we hold about you must be: 
 
Used lawfully, fairly and in a transparent way. 
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes. 
Relevant to the purposes we have told you about and limited only to those purposes. 
Accurate and kept up to date. 
Kept only as long as necessary for the purposes we have told you about. 
Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data to protect personal data from loss, misuse, unauthorised access and disclosure. 
 
What data do we process? 
Names, titles, and aliases, photographs. 
Start date / leaving date 
Contact details such as telephone numbers, addresses, and email addresses. 
Where they are relevant to our legal obligations, or where you provide them to us, we may process information such as gender, age, date of birth, marital status, nationality, education/work history, academic/professional qualifications, employment details, hobbies, family composition, and dependants. 
Non-financial identifiers such as passport numbers, driving licence numbers, vehicle registration numbers, taxpayer identification numbers, staff identification numbers, tax reference codes, and national insurance numbers. 
Financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers. 
Financial information such as National Insurance number, pay and pay records, tax code, tax and benefits contributions, expenses claimed. 
Other operational personal data created, obtained, or otherwise processed in the course of carrying out our activities, including but not limited to, CCTV footage, recordings of telephone conversations, IP addresses and website visit histories, logs of visitors, and logs of accidents, injuries and insurance claims. 
Next of kin and emergency contact information 
Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process and referral source (e.g. agency, staff referral)) 
Location of employment or workplace. 
Other staff data (not covered above) including; level, performance management information, languages and proficiency; licences/certificates, immigration status; employment status; information for disciplinary and grievance proceedings; and personal biographies. 
Information about your use of our information and communications systems. 
 
We use your personal data for some or all of the following purposes: – 
Please note: We need all the categories of personal data in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. 
Making a decision about your recruitment or appointment. 
Determining the terms on which you work for us. 
Checking you are legally entitled to work in the UK. 
Paying you and, if you are an employee, deducting tax and National Insurance contributions. 
Providing any contractual benefits to you 
Liaising with your pension provider. 
Administering the contract we have entered into with you. 
Management and planning, including accounting and auditing. 
Conducting performance reviews, managing performance and determining performance requirements. 
Making decisions about salary reviews and compensation. 
Assessing qualifications for a particular job or task, including decisions about promotions. 
Conducting grievance or disciplinary proceedings. 
Making decisions about your continued employment or engagement. 
Making arrangements for the termination of our working relationship. 
Education, training and development requirements. 
Dealing with legal disputes involving you, including accidents at work. 
Ascertaining your fitness to work. 
Managing sickness absence. 
Complying with health and safety obligations. 
To prevent fraud. 
To monitor your use of our information and communication systems to ensure compliance with our IT policies. 
To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution. 
To conduct data analytics studies to review and better understand employee retention and attrition rates. 
Equal opportunities monitoring. 
To undertake activity consistent with our statutory functions and powers including any delegated functions. 
To maintain our own accounts and records; 
To seek your views or comments; 
To process a job application; 
To administer councillors’ interests 
To provide a reference. 
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data. 
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: 
Where we need to perform the contract we have entered into with you. 
Where we need to comply with a legal obligation. 
We may also use your personal data in the following situations, which are likely to be rare: 
Where we need to protect your interests (or someone else’s interests). 
Where it is needed in the public interest [or for official purposes]. 
 
How we use sensitive personal data 
We may process sensitive personal data relating to staff, councillors and role holders including, as appropriate: 
information about your physical or mental health or condition in order to monitor sick leave and take decisions on your fitness for work; 
your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation; 
in order to comply with legal requirements and obligations to third parties. 
These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data. 
We may process special categories of personal data in the following circumstances: 
In limited circumstances, with your explicit written consent. 
Where we need to carry out our legal obligations. 
Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our pension scheme. 
Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards. 
Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. 
 
Do we need your consent to process your sensitive personal data? 
We do not need your consent if we use your sensitive personal data in accordance with our rights and obligations in the field of employment and social security law. 
In limited circumstances, we may approach you for your written consent to allow us to process certain sensitive personal data. If we do so, we will provide you with full details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. 
You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us. 
 
Information about criminal convictions 
We may only use personal data relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy. 
Less commonly, we may use personal data relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. 
We will only collect personal data about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect personal data about criminal convictions as part of the recruitment process or we may be notified of such personal data directly by you in the course of you working for us. 
 
What is the legal basis for processing your personal data? 
Some of our processing is necessary for compliance with a legal obligation. 
We may also process data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. 
We will also process your data in order to assist you in fulfilling your role in the council including administrative support or if processing is necessary for compliance with a legal obligation. 
 
Sharing your personal data 
Your personal data will only be shared with third parties including other data controllers where it is necessary for the performance of the data controllers’ tasks or where you first give us your prior consent. It is likely that we will need to share your data with: 
 
Our agents, suppliers and contractors. For example, we may ask a commercial provider to manage our HR/ payroll functions , or to maintain our database software; 
Other persons or organisations operating within local community. 
Other data controllers, such as local authorities, public authorities, central government and agencies such as HMRC and DVLA 
Staff pension providers 
Former and prospective employers 
DBS services suppliers 
Payroll services providers 
Professional advisors 
Trade unions or employee representatives 
 
How long do we keep your personal data? 
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed. 
 
Your responsibilities 
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us. 
 
Your rights in connection with personal data 
You have the following rights with respect to your personal data: – 
When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights. 
 
1. The right to access personal data we hold on you 
At any point you can contact us to request the personal data we hold on you as well as why we have that personal data, who has access to the personal data and where we obtained the personal data from. Once we have received your request we will respond within one month. 
There are no fees or charges for the first request but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee. 
2. The right to correct and update the personal data we hold on you 
If the data we hold on you is out of date, incomplete or incorrect, you can inform us and your data will be updated. 
3. The right to have your personal data erased 
If you feel that we should no longer be using your personal data or that we are unlawfully using your personal data, you can request that we erase the personal data we hold. 
When we receive your request we will confirm whether the personal data has been deleted or the reason why it cannot be deleted (for example because we need it for to comply with a legal obligation). 
4. The right to object to processing of your personal data or to restrict it to certain purposes only 
You have the right to request that we stop processing your personal data or ask us to restrict processing. Upon receiving the request we will contact you and let you know if we are able to comply or if we have a legal obligation to continue to process your data. 
5. The right to data portability 
You have the right to request that we transfer some of your data to another controller. We will comply with your request, where it is feasible to do so, within one month of receiving your request. 
6. The right to withdraw your consent to the processing at any time for any processing of data to which consent was obtained 
You can withdraw your consent easily by telephone, email, or by post (see Contact Details below). 
7. The right to lodge a complaint with the Information Commissioner’s Office. 
You can contact the Information Commissioners Office on 0303 123 1113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. 
 
Transfer of Data Abroad 
Any personal data transferred to countries or territories outside the European Economic Area (“EEA”) will only be placed on systems complying with measures giving equivalent protection of personal rights either through international agreements or contracts approved by the European Union. Our website is also accessible from overseas so on occasion some personal data (for example in a newsletter) may be accessed from overseas. 
 
Further processing 
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where and whenever necessary, we will seek your prior consent to the new processing, if we start to use your personal data for a purpose not mentioned in this notice. 
 
Changes to this notice 
We keep this Privacy Notice under regular review and we will place any updates on www.suttonparish.co.uk 
This Notice was last updated in July 2018. 
 
Contact Details 
Please contact us if you have any questions about this Privacy Notice or the personal data we hold about you or to exercise all relevant rights, queries or complaints at: 
Mrs S Giller, 9 Sutton Road, Poynton, SK12 1SU. 
You can contact the Information Commissioners Office on 0303 123 1113 or via email or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. 
Approved July 2018 – Res 77-18 
 
Email Contact Privacy Notice 
 
When you contact us 
The information you provide (personal information such as name, address, email address, phone number, organisation) will be processed and stored to enable us to contact you and respond to your correspondence, provide information and/or access our facilities and services. Your personal information will be not shared or provided to any other third party. 
 
The Councils Right to Process Information 
General Data Protection Regulations Article 6 (1) (a) (b) and (e) 
Processing is with consent of the data subject or Processing is necessary for compliance with a legal obligation or Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller 
 
Information Security 
Sutton Parish Council has a duty to ensure the security of personal data. We make sure that your information is protected from unauthorised access, loss, manipulation, falsification, destruction or unauthorised disclosure. This is done through appropriate technical measures and appropriate policies. Copies of these policies can be requested. 
 
We will only keep your data for the purpose it was collected for and only for as long as is necessary. After which it will be deleted. (You many request the deletion of your data held by Sutton Parish Council at any time). 
 
Children We will not process any data relating to a child (under 13) without the express parental/ guardian consent of the child concerned. 
 
Access to Information 
You have the right to request access to the information we have on you. You can do this by emailing our Data Information Officer: Mrs S Giller. 
 
Information Correction 
If you believe that the information we have about you is incorrect, you may contact us so that we can update it and keep your data accurate. Please email Mrs S Giller to request this. 
 
Information Deletion 
If you wish Sutton Parish Council to delete the information about you please email Mrs S Giller to request this. 
 
Right to Object 
If you believe that your data is not being processed for the purpose it has been collected for, you may object: Please contact Mrs S Giller to object. 
 
Rights Related to Automated Decision Making and Profiling Sutton Parish Council does not use any form of automated decision making or the profiling of individual personal data. 
 
Complaints 
If you have a complaint regarding the way your personal data has been processed you may make a complaint to Sutton Parish Council Data Information Officer by emailing Mrs S Giller and the Information Commissioners Office email or Tel: 0303 123 1113 
 
Summary: In accordance with the law, Sutton Parish Council only collect a limited amount of information about you that is necessary for correspondence, information and service provision. Sutton Parish Council do not use profiling, we do not sell or pass your data to third parties. Sutton Parish Council do not use your data for purposes other than those specified. Sutton Parish Council make sure your data is stored securely. Sutton Parish Council delete all information deemed to be no longer necessary. Sutton Parish Council constantly review our Privacy Policies to keep it up to date in protecting your data. (You can request a copy of our policies at any time). 
 
Approved May 2018 Res 60-18 1 4. Document Retention and Disposal Policy – May 2018 Res 60-18 
 
Retention and Disposal Policy 
1. Introduction 
1.1 The Council accumulates a vast amount of information and data during the course of its everyday activities. This includes data generated internally in addition to information obtained from individuals and external organisations. This information is recorded in various different types of document. 2.2 There are some records that do not need to be kept at all or that are routinely destroyed in the course of business. This usually applies to information that is duplicated, unimportant or only of a short-term value. Unimportant records of information include: 
1.2 Records created and maintained by the Council are an important asset and as such measures need to be undertaken to safeguard this information. Properly managed records provide authentic and reliable evidence of the Council’s transactions and are necessary to ensure it can demonstrate accountability. 
1.3 Documents may be retained in either ‘hard’ paper form or in electronic forms. For the purpose of this policy, ‘document’ and ‘record’ refers to both hard copy and electronic records. 1.4 It is imperative that documents are retained for an adequate period of time. If documents are destroyed prematurely the Council and individual officers concerned could face prosecution for not complying with legislation and it could cause operational difficulties, reputational damage and difficulty in defending any claim brought against the Council. 
1.5 In contrast to the above the Council should not retain documents longer than is necessary. Timely disposal should be undertaken to ensure compliance with the General Data Protection Regulations so that personal information is not retained longer than necessary. This will also ensure the most efficient use of limited storage space. 
 
2. Scope and Objectives of the Policy 
2.1 The aim of this document is to provide a working framework to determine which documents are: 
Retained – and for how long; or 
Disposed of – and if so by what method. 
2.2 There are some records that do not need to be kept at all or that are routinely destroyed in the course of business. This usually applies to information that is duplicated, unimportant or only of a short-term value. Unimportant records of information include: 
‘With compliments’ slips. 
Catalogues and trade journals. 
Non-acceptance of invitations. 
Trivial electronic mail messages that are not related to Council business. 
Requests for information such as maps, plans or advertising material. 
Out of date distribution lists. 
2.3 Duplicated and superseded material such as stationery, manuals, drafts, forms, address books and reference copies of annual reports may be destroyed. 
2.4 Records should not be destroyed if the information can be used as evidence to prove that something has happened. If destroyed the disposal needs to be disposed of under the General Data Protection Regulations 
 
3. Roles and Responsibilities for Document Retention and Disposal 
3.1 Councils are responsible for determining whether to retain or dispose of documents and should undertake a review of documentation at least on an annual basis to ensure that any unnecessary documentation being held is disposed of under the General Data Protection Regulations. 3.2 Councils should ensure that all employees are aware of the retention/disposal schedule. 
 
4. Document Retention Protocol 
4.1 Councils should have in place an adequate system for documenting the activities of their service. This system should take into account the legislative and regulatory environments to which they work. 
4.2 Records of each activity should be complete and accurate enough to allow employees and their successors to undertake appropriate actions in the context of their responsibilities to: 
Facilitate an audit or examination of the business by anyone so authorised. 
Protect the legal and other rights of the Council, its clients and any other persons affected by its actions. 
Verify individual consent to record, manage and record disposal of their personal data. 
Provide authenticity of the records so that the evidence derived from them is shown to be credible and authoritative. 
4.3 To facilitate this the following principles should be adopted: • Records created and maintained should be arranged in a record-keeping system that will enable quick and easy retrieval of information under the General Data Protection Regulations • Documents that are no longer required for operational purposes but need retaining should be placed at the records office. 
4.4 The retention schedules in Appendix A: List of Documents for Retention or Disposal provide guidance on the recommended minimum retention periods for specific classes of documents and records. These schedules have been compiled from recommended best practice from the Public Records Office, the Records Management Society of Great Britain and in accordance with relevant legislation. 
4.5 Whenever there is a possibility of litigation, the records and information that are likely to be affected should not be amended or disposed of until the threat of litigation has been removed. 
 
5. Document Disposal Protocol 
5.1 Documents should only be disposed of if reviewed in accordance with the following: 
Is retention required to fulfil statutory or other regulatory requirements? 
Is retention required to meet the operational needs of the service? 
Is retention required to evidence events in the case of dispute? 
Is retention required because the document or record is of historic interest or intrinsic value? 
5.2 When documents are scheduled for disposal the method of disposal should be appropriate to the nature and sensitivity of the documents concerned. A record of the disposal will be kept to comply with the General Data Protection Regulations. 
5.3 Documents can be disposed of by any of the following methods: 
Non-confidential records: place in waste paper bin for disposal. 
Confidential records or records giving personal information: shred documents. 
Deletion of computer records. 
Transmission of records to an external body such as the County Records Office. 
5.4 The following principles should be followed when disposing of records: 
All records containing personal or confidential information should be destroyed at the end of the retention period. Failure to do so could lead to the Council being prosecuted under the General Data Protection Regulations. 
the Freedom of Information Act or cause reputational damage.  
Where computer records are deleted steps should be taken to ensure that data is ‘virtually impossible to retrieve’ as advised by the Information Commissioner.  
Where documents are of historical interest it may be appropriate that they are transmitted to the County Records office. 
Back-up copies of documents should also be destroyed (including electronic or photographed documents unless specific provisions exist for their disposal). 
5.5 Records should be maintained of appropriate disposals. These records should contain the following information: 
The name of the document destroyed. 
The date the document was destroyed. 
The method of disposal. 
 
6. Data Protection Act 1998 – Obligation to Dispose of Certain Data 
6.1 The Data Protection Act 1998 (‘Fifth Principle’) requires that personal information must not be retained longer than is necessary for the purpose for which it was originally obtained. Section 1 of the Data Protection Act defines personal information as: 
Data that relates to a living individual who can be identified: 
a) from the data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of the data controller. 
6.2 The Data Protection Act provides an exemption for information about identifiable living individuals that is held for research, statistical or historical purposes to be held indefinitely provided that the specific requirements are met. 
6.3 Councils are responsible for ensuring that they comply with the principles of the under the General Data Protection Regulations namely: 
Personal data is processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met. 
Personal data shall only be obtained for specific purposes and processed in a compatible manner. 
Personal data shall be adequate, relevant, but not excessive. 
Personal data shall be accurate and up to date. 
Personal data shall not be kept for longer than is necessary. 
Personal data shall be processed in accordance with the rights of the data subject. 
Personal data shall be kept secure. 
6.4 External storage providers or archivists that are holding Council documents must also comply with the above principles of the General Data Protection Regulations. 
 
7. Scanning of Documents 
7.1 In general once a document has been scanned on to a document image system the original becomes redundant. There is no specific legislation covering the format for which local government records are retained following electronic storage, except for those prescribed by HM Revenue and Customs. 
7.2 As a general rule hard copies of scanned documents should be retained for three months after scanning. 
7.3 Original documents required for VAT and tax purposes should be retained for six years unless a shorter period has been agreed with HM Revenue and Customs. 
 
8. Review of Document Retention 
8.1 It is planned to review, update and where appropriate amend this document on a regular basis (at least every three years in accordance with the Code of Practice on the Management of Records issued by the Lord Chancellor). 
8.2 This document has been compiled from various sources of recommended best practice and with reference to the following documents and publications: • Local Council Administration, Charles Arnold-Baker, 910h edition, Chapter 11 
Local Government Act 1972, sections 225 – 229, section 234 
SLCC Advice Note 316 Retaining Important Documents 
SLCC Clerks’ Manual: Storing Books and Documents 
Lord Chancellor’s Code of Practice on the Management of Records issued under Section 46 of the Freedom of Information Act 2000 
 
9. List of Documents 
9.1 The full list of the Council’s documents and the procedures for retention or disposal can be found in “List of Documents for Retention and Disposal”. This is updated regularly in accordance with any changes to legal requirements. 
Approved May 2018 Res 60-18 
 
General Data Protection Regulations (Service) Consent to hold Contact Information 
 
I agree that I have read and understand Sutton Parish Council Privacy Notice. I agree by signing below that the Council may process my personal information for providing information and corresponding with me. 
 
I agree that Sutton Parish Council can keep my contact information data for an undisclosed time or until I request its removal. 
 
I have the right to request modification on the information that you keep on record. 
I have the right to withdraw my consent and request that my details are removed from your database. Name 
Date of birth if under 18 
Parental/Guardian Consent for any data processing activity 
Address 
Telephone No. 
Email Address 
Facebook 
Twitter 
Signature 
Date 
For office use only: 
Guidance Notes Data Sharing Checklist – systematic data sharing 
Scenario: You want to enter into an agreement to share personal data on an ongoing basis is this form relevant and the sharing justified? Read the below: 
Key points to consider: 
What is the sharing meant to achieve? Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing? 
Is the sharing proportionate to the issue you are addressing? 
Could the objective be achieved without sharing personal data? 
Do you have the power to share? 
Key points to consider: 
The type of organisation you work for. 
Any relevant functions or powers of your organisation. 
The nature of the information you have been asked to share (for example was it given in confidence?). 
Any legal obligation to share information (for example a statutory requirement or a court order). 
If you decide to share 
It is good practice to have a data sharing agreement in place. As well as considering the key points above, your data sharing agreement should cover the following issues: 
What information needs to be shared? 
The organisations that will be involved. 
What you need to tell people about the data sharing and how you will communicate that information. 
Measures to ensure adequate security is in place to protect the data. 
What arrangements need to be in place to provide individuals with access to their personal data if they request it? 
Agreed common retention periods for the data. 
Processes to ensure secure deletion takes place. 
Our site uses cookies. For more information, see our cookie policy. Accept cookies and close
Reject cookies Manage settings