General Data Protection Regulations Policy



The GDPR regulations come into force on 25 May 2018. This policy identifies how Surlingham Parish Council will meet the requirements set out in those regulations.The Council has been registered with the Information Commissioner’s Office since2017. Additional to this document is the combined Privacy Statement and Information Audit. This explains what information is held, the reason, how long it is held and who it is shared with.

This means personal data must be:

  • processed lawfully, fairly and transparently;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary for processing;
  • accurate and kept up to date;
  • kept only for as long as is necessary for processing;
  • processed in a manner that ensures its security.

IDENTIFYING ROLES & MINIMISING RISKThe GDPR requires that the Council and its staff understand the implications of GDPR and that roles and duties must be assigned. The Council is the data controller (DC) and the Clerk is the data processor (DP). It is the duty of the Council to undertake an information audit and to manage the information collected by the Council, the issuing of a privacy statement, dealing with requests, complaints raised and the safe disposal of information.

The GDPR require continued care by Councillors and staff when sharing information about individuals as hard copy or electronically. A breach of the regulations could result in a fine from the Information Commissioner’s Office (ICO) for the breach itselfand payment of compensation to any individual(s) who are adversely affected. The handling of information is a risk to the Council (both financially and reputationally) and must be included in the Council’s Annual Review of Risk Management. Potential risks will be minimised by minimising who holds protected data, and by Councillors and staff undertaking training in data protection.


Data breaches should be reported to the DC. An investigation will be conducted by the Councillors and the Clerk. Investigations must be undertaken within one month of the report of a breach. The DC will (within 3 days of notification) advise the ICO of any breach where it is likely to result in a risk to the rights and freedoms of individuals, or result in discrimination, damage to reputation, economic loss, loss of confidentiality, or any other significant social disadvantage. Where a breach is likely to result in a substantial risk to the rights and freedoms of an individual(s) the DC will also notify those concerned directly.

INFORMATION & TECHNOLOGY – Access to the Council computer equipment is password protected and passwords are specific to the user and are not to be shared with any Councillor, employee or volunteer. No employee, volunteer or Councillor may use IT in any way that may bring the Council or individuals into disrepute. Or result in a data breach. For example, the discussion of internal Council matters on social media sites.

PRIVACY NOTICE (refer Appendix 1)

The Council will adopt a privacy notice see Appendix 1, to explain what the Council does with their personal information. The privacy notice will contain the details of the DC and the contact details of the DP, the purpose for which the information is to be used and the length of time it will be held. Individuals can, at any time, withdraw their agreement for the use of this information.

INFORMATION AUDIT (refer Appendix 1)

The DPC will undertake an information audit which details the personal data held, where it came from, the purpose for holding that information and with whom the Council will share that information. This will include information held electronically or as a hard copy. Information held could change from year to year with different activities, and so the information audit will be reviewed at least annually or when there is a variation in the Council’s activities. The information audit review should be conducted ahead of the review of this policy and the reviews should be recorded in the minutes.


The GDPR confirms existing rights for individuals:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • right to data portability
  • the right to object
  • the right not to be subject to automated decision-making, including profiling.

The GDPR also give individuals the right to:

  • have their personal data erased (sometime known as the ‘right to be forgotten’) where retention of personal data is no longer necessary for the purpose for which it was originally collected;
  • data portability free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.
  • When a request is received to delete information, the DP must respond within a month. The DP has the delegated authority from the Council to delete information.
  • The DP will inform the Council of such requests.CHILDRENThere is special protection for the personal data of a child. For the purposes of these regulations the age when a child can give their own consent is 13. If the Council requires consent from a child under 13 years of age, the Council mustobtain a parent or guardian’s consent to process the personal data lawfully. 


The main actions arising from this policy are:

  • The Council will be registered with the ICO.
  • A copy of this policy will be available on the Surlingham village website. The
  • policy will be considered as a core policy for the Council.
  • The Clerk’s Job Description will be amended to include additional
  • responsibilities relating to data protection.
  • An Information Audit will be conducted and reviewed at least annually or
  • when activities of the Council change.
  • The Privacy Notice and Information Audit See appendix 1 will be published on
  • the Surlingham Village website.
  • This policy document will be reviewed annually or earlier if further guidance is
  • received.
  • All Councillors, employees and volunteers are expected to comply with this
  • policy at all times to protect privacy, confidentiality and the interests of the Council.

GDPR – Privacy Notice & Information Audit May 2018

Data Controller – Parish Council

Data Processor – Parish Clerk Contact Tel: 01603 665341 Email:

Who What we hold How it’s held Collected via Reasons why Shared How long Delete/Shred
Electorate Names and addresses Electronically SNDC Population Data Correspondence No Annually Monthly Updates Delete
Individuals Names/address/email addresses Electronically Author Correspondence Anonymised Content only at meetings Until resolved Delete
Individuals Names/address Hard copy Author Correspondence Anonymised Content only at meetings Until resolved Shred
Individuals Email addresses Electronically Author Communication for reference No Indefinite Delete
Councillors Names/address/telephone numbers Electronically Councillor Correspondence Communication As required Varies, Term of Office Delect
Councillors Email addresses Electronically Councillor Communications As required Term of Office Delete
Suppliers Contractors Name/address/email address/telephone numbers Electronically Contractor Communication Councillors Varies Delete
Financial data VAT/bank details etc Hard copy Contractor Payment Bank,HMRC 7 years Shred
Staff Name/address/email address/telephone numbers Electronic/Hard copy Employee Correspondence Councillors T ermination Delete/Shred
Name/address/NINO/PAYE Electronic/Hard Copy Employee Pay roll Payroll, Bank, HMRC 7 years Delete/Shred
SPATS Names and addresses Hard copy Passenger Confirmation of Journey No 1 year Shred
Name/Postcode/amount paid Electronic Passenger Financial records and statistics Statistics only 7 years Delete