This policy bas been formally adopted by the Barrow-in-Furness
Borough (the Council), and applies to all employees, and those
acting on the Council's behalf.
An essential activity within the Council is the requirement to
gather and process information about its staff and people in the
community in order to operate effectively. This will be done in
accordance with the Data Protection Act 1998 (the Act), and other
related government legislation.
The Council, acting as custodians of personal data, recognises
its moral duty to ensure that all such data is handled properly and
confidentially at all times, irrespective of whether it is held on
paper or by electronic means. This covers the whole lifecycle,
- the obtaining of personal data;
- the storage and security of personal data;
- the use of personal data;
- the disposal / destruction of personal data
The Council also has a responsibility to ensure that data
subjects have appropriate access, upon written request, to details
regarding personal information relating to them.
The Council ensures that any third party processing such
information on Barrow-in-Furness Borough Council's behalf is
contractually obliged to put in place similar measures.
By following and maintaining strict safeguards and controls,
the Council will:
Al. Acknowledge the rights of individuals to whom personal
data relates, and ensure that these rights may be exercised in
accordance with the Act;
A2. Ensure that both the collection and use of personal data
is done fairly and lawfully;
A3. Ensure that personal data will only be obtained and
processed for the purposes specified;
A4. Collect and process personal data on a need to know basis,
ensuring that such data is fit for the purpose, is not excessive,
and is disposed of at a time appropriate to its purpose;
A5. Ensure that adequate steps are taken to ensure the
accuracy and currency of data;
A6. Ensure that for all personal data, appropriate
security measures are taken, both technically and organisationally,
to protect against damage, loss or abuse;
A7. Ensure that the movement of personal data is done in
a lawful way, both inside and outside the Council and that suitable
safeguards exist at all times.
In order to support these actions, the Council will:
El. Nominate a Data Protection Officer
for the Council, responsible for gathering and disseminating
information and issues relating to information security, the Data
Protection Act and other related legislation;
E2. Ensure that Chief Officers are
responsible - for communications and issues relating to
information security, the Data Protection Act, and other related
legislation within their department;
E3. Ensure that all activities that
relate to the processing ¹ of personal data have
appropriate safeguards and controls in place to ensure
information security and compliance with the Act;
E4. Ensure that all contracts and service level
agreements between the Council and external third parties,
where personal data is processed, make reference to the
Act as appropriate;
E5. Ensure that all staff acting on the
Councils behalf understand their responsibilities regarding
information security under the Act, and that they receive
the appropriate training / instruction and supervision so
that they carry these duties out effectively and consistently and
are given access to personal information
that is appropriate to the duties they
E6. Ensure that all third parties acting
on the Councils behalf are given access to
personal information that is appropriate to the
duties they undertake and no more;
E7. Ensure that any requests for access to
personal data are handled courteously, promptly and
appropriately, ensuring that either the data subject or
his/her authorised representative has a legitimate right to access
under the Act, that the request is valid, and that information
provided is clear and unambiguous ²
E8. Work towards adopting, as best working
practice, the key principles of BS7799, the British
Standard on Information Security Management;
E9. Review this policy and the
safeguards and controls that relate to it annually, to ensure that
they are still relevant, efficient and effective.
¹ Processing as
defined by the Act as obtaining, recording, holding, organisation,
adaptation, alteration, retrieval, consultation, use, disclosure,
alignment, combination, blocking, erasure and
² All actions regarding data subject
access requests will be logged. This audit trail will include
details regarding the nature of the request, the steps taken to
validate it, the information provided as well as any withheld, e.g.
for legal reasons.
An explanation of your rights under the Data Protection Act
What are your rights?
- To ask what the Council uses the information
- To be provided with a copy of the information
- To be given details of the purposes for which the council
uses the information and other persons/organisations to whom it is
- To ask for incorrect data to be corrected
Why do we keep personal information?
The Council keeps personal information about you in order
- It can provide you with the services you
- Collect Council Tax
- Assess the correct level of benefit for your
- Provide you with up to date information about these
services and the most appropriate service for your
The information about you is also used to maintain a record of
any help provided in order that we can look at it from time to time
to see if it is still what you need and to plan for any
changes. The personal information you provide may also be
shared with other agencies involved in the provision of services to
you, and between departments of the Council where we are legally
required to do so.
Link to more information about fair
processing of data in data matching exercises.
Who do we share information with?
Depending on the original purpose for which is was obtained and
the use to which it is to be put, information may be shared with a
variety of services, examples include Housing sharing with
Health or Housing Benefits sharing with the DWP. It may also
be shared, where necessary, with other organisations that provide
services on our behalf, e.g. contractors working for the
In all of these examples the information provided is only the
minimum necessary, to enable them to provide services to you.
Personal information about you may also be provided to
Government departments, where we are required to do so by law, or
to other local councils. An example would be when you have
moved from one Councils area to another, and the new Council
requires confirmation of the services you were receiving.
Information about you may also be provided for statistical
research. This will not include your name and address unless
you have given us permission to provide the information.
What sort of information do we hold?
The personal information held will depend on the service being
provided. Basic information; that is, your name and address,
age, date of birth, sex, next of kin; plus a note of the service
provided, decisions regarding the provision, and any meetings
between you and the department of the Council providing the service
will appear on all records.
Other more sensitive data may also be held. Depending on
the needs of the service being provided such data may include for
example; details of a person's physical or mental health,
disabilities and racial, or ethnic origin. Data relating to
specific services include; the level of payment and the current
state of the account - council tax, property details and extent of
proposed alterations - planning.
How do we keep the information, and who is responsible?
The information is kept on secure computer systems and in
secure manual filing systems. Maintaining the record and
keeping it secure is the responsibility of the departments of the
Council providing the services you receive.
Are the records confidential?
The Council's employees have a duty of care when providing
services. This includes respecting the right to
confidentiality, and ensuring that information about you is only
used and given to others for the purposes of the service being
provided. Care is taken to ensure that third parties cannot
access the information without permission and that data about you
is not disclosed - to third parties or others - without your
How long are records about you held?
Normally, your records will be kept only for as long as the
service is provided to you, or as is required by law. if
there is no legal requirement to keep the records they will be
destroyed as soon as is practicable. Where there is a legal
requirement to retain information it is not normally kept for more
than six years.
How do you ask to see your information?
You can print our Subject Access Request
You can also obtain a copy of this from by contacting the
Council's Data Protection Officer.
Please complete this form
and, together with proof of identity (copy of driving
licence, passport etc.), and a fee of £10 (cheque or
postal order made payable to "Barrow Borough
Council", send it to:
The Data Protection Officer,
Alternatively you can write to the Council, addressing
the letter to the Data Protection Officer, or call at the Council
Offices in person. When you do so you must provide your name and
address; proof of identity; details of the services you are
receiving; and any other information such as date of birth, sex,
householder status (eg tenant, owner) you think may help the
Council find your information. You must state that you are making
the request under the Data Protection Act regime.
If you have any difficulty with the form, help will be
What information will you receive?
All of the personal information we hold about you on both our
computer, and manual record systems. You will also be given a
description of the purposes for which we process your data, a list
of those to whom we disclose the data, and information about
sources where this is available.
Can you see information about members of your family or any
You may not see information about other persons, unless they
have given their consent. This includes information about
members of your family. If you are a parent or a member of an
elderly person's family you may be provided with information about
your child, or the elderly person, but only where you have written
permission to ask for it, or have been granted powers to do so by
the courts, and the Council is satisfied that such permissions are
Will you be charged a fee for information provided?
Yes, the Council charges a fee of £10 to contribute
towards administrative costs.
How long does it take to provide you with the information?
The Council must respond within 40 days of receiving your
application and payment. The 40 days starts from the date on
which you sent in the written application, and any additional
information required by the Council.
What should you do when you get the information?
You should check it to ensure that you have received all of
the information to which you are entitled, and to make sure it is
What do you do if the information provided is incorrect?
You should tell the Council that the data is incorrect and ask
them to correct it. You must do so in writing. The
Council must inform you if they have, or have not corrected the
data within 21 days of you asking them to. If the department
does not agree that the information is incorrect you can ask it to
record your disagreement on the record itself.
If the Council does not correct the information you may also
appeal to the Information Commissioner or the courts. These
organizations have the power to order the Council to correct
What can you complain to the Commissioner about?
You can complain to the Commissioner if you consider the
Council has breached any of the requirements of the Data Protection
Act. These include;
- A breach of any of the Data Protection
- Processing data without having notified the
- Failure to respond to any of your written notices (see
- Processing data without your consent (where consent is
- Refusing to provide you with the personal information you
This list is not exhaustive.
What will the Commissioner do?
At your request the Commissioner will carry out an assessment
of the Council's processing to establish whether or not we are
doing so in compliance with the Act.
Should the Commissioner find we are not, then the Council will
be issued with a notice requiring it to take steps to ensure
Do we provide you with help in understanding the
If you need help in understanding the information provided,
please inform the Council, and we will provide someone to