Many of you will have been involved in completing our internal GDPR audit. This has helped build our Register of Processing Activities, which we are required to maintain under the new law as a record of all the activities the Council undertakes that involve processing personal data. We are now approaching the post-audit phase of achieving GDPR compliance, beginning first and foremost with implementing our new privacy statements across the Council.
Overall the Council is relatively well prepared for GDPR to come into law on 25th May. However, there are still critical tasks to perform if this preparation is to translate into achieving full compliance with the new law, and this work will extend well beyond the 25th - the steps that we will need to take in the immediate future are outlined below.
For each individual process reported in your department’s GDPR audit there will be an accompanying privacy statement generated. Whenever we collect data from an individual we are required to provide a privacy statement that outlines, among other things, precisely what the data will be used for, who it will be shared with and what the individual’s data rights are for this process. Precisely what needs to go in the privacy statement can vary significantly between different processes: the privacy notices generated from the audit results are designed to include all of the necessary information for the process in question. Departments should start thinking about where they need to provide these statements (e.g. letter packs that need to be updated, identifying forms that will need to be accompanied by the relevant statement) and how best to provide them at the point personal data is gathered from the individual, or as close to this point as can reasonably be achieved.
While we’re aiming to have the majority of the privacy statements ready to go by 25th May there may be some that slip past this date. Your departments will receive the relevant privacy statements once they’re ready.
Under the new legislation we are required to inform the Information Commissioner’s Office of a personal data breach within 72 hours of becoming aware of it. Because that clock starts as soon as the Council knows of the breach, please use the new email address firstname.lastname@example.org to inform us of any breaches as soon as possible after you discover them. The breach reporting form and the related guidance are available at this link.
A personal data breach is a security incident that affects the confidentiality, integrity or availability of personal data: for example, data being disclosed to someone who should not see it, being altered without authorisation, or being lost or destroyed. If you become aware of, or suspect, a personal data breach you must speak to your line manager about it immediately.
Some of the ways that data breaches can happen include:
- An email containing personal data being sent to the wrong email address
- A document containing personal data being saved to a public drive rather than a private one
- A laptop, USB stick or other device containing personal data being left in a public or otherwise unsecured place
- An individual gaining access to a filing cabinet that they should not have access to
- A cyber-attack
Updating references to the Data Protection Act: websites, forms and other documents
Our main Data Protection information page has been updated to reflect the imminent shift from the Data Protection Act to the GDPR. However, there are many individual pages across the Moray Council site that have references to the old Data Protection Act that will need to be updated in a similar way. Each department will need to check their own web pages and update them accordingly.
It may be best to delete any of your standalone data protection pages entirely and update any existing information to simply refer to our central page at the above link. This is particularly true for any generic or ‘catch-all’ privacy statement/disclaimer pages you may have: the privacy notices being generated from the GDPR audit are intended to supersede these. At the very least, references to DPA/Data Protection Act will need to be changed to GDPR/General Data Protection Regulation.
If you wish to replace a current generic privacy statement on the website with the privacy statements generated from the audit then you are free to do so, but this should not be a substitute for providing the privacy statement in full at the point you gather information from the subject (insofar as doing so is practical).
Your paper documents will also need to be updated in a similar way. Remember that when you are collecting personal data from individuals, as far as possible you should provide the generated privacy statement that is specific to the process in question. In many cases this privacy statement will be a sufficient replacement for your current data protection wording.
Don’t forget to keep a copy of your previous privacy statements, retained on a schedule of 10 years, so that we can show what individuals were told at the time their data was collected.
Data Protection Officer
Alison Morris, Records and Heritage Manager, has been appointed as Moray Council’s Data Protection Officer. If you receive any enquiries regarding data rights (for example, someone wants to know what information the Council holds on them under the Right of Access) please pass these on to her. We are expecting GDPR to appear in the news come 25th May so you may find that there are more of these requests than usual.