Data Protection

The Data Protection Act 2018 and General Data Protection Regulation (GDPR) regulates the way we use your personal information. You provide this information when you seek services from, or come in to contact with us. The Act provides a legal framework to the way we handle this data. Data Protection compliance is not an activity that is done ‘once’ and requires ongoing compliance measures and reviews. To ensure this compliance is managed in a structured way the Council employs a Data Protection Officer and covers the following activities:

Policies and Training:

It is important that the Council ensure that the right information is available to staff and that they are trained in how to handle personal information. To ensure this is occurs, the Council has updated Data Protection and Cyber Security E-learning and all its policies and procedures relating to data protection legislation have been updated. The Council will continue to review this material and update it over time as best practice and guidance from the regulator is made available.

System Review and Security:

It is also important that the Council ensures that the systems it uses have sufficient controls and security in place to ensure that both staff can be managed effectively and also external threats are protected against. The Council employs an IT security manager to review and ensure IT security compliance and they work with the Council’s Data Protection Officer to ensure that existing systems and new systems have adequate protections and security. This includes sufficient firewalls, encryption and external audit such as certification and penetration testing.

Contracts and third parties:

GDPR has required Bucks County Council to review all of its contractual terms to ensure that the use of third parties have the correct protections and clauses in place around the use of personal data. There are standard terms and conditions approved by our legal services team. Relationships with third parties have been reviewed and either updated contractual terms or information sharing agreements have been put into place.

Dataset and Risk Management:

There is a requirement to risk assess all the different ways that the Council collects, uses, stores, shares and destroys personal data. The Council has completed a detailed assessment of its different systems, files and processes and has identified a programme of improvements and best practice to be shared throughout the organisation. The output of this is a register of Privacy Impact Assessments and an Information Asset Register that helps to show the scale of the data used and its compliance with GDPR legal standards.

Legal Basis and legal standards:

Buckinghamshire County Council is a ‘creature of statute’ and as such the vast majority of what the Council does is because there is a legal requirement to do it. The Council has identified all the different legal reasons for the collection and use of data which have been captured within the Privacy Impact Assessments of each dataset. Where there is no legal requirement, the Council has ensured that a legal basis has been identified within the GDPR legislation that allows that personal data to be used.