General Data Protection Regulations (GDPR)

On 25 May 2018 General Data Protection Regulations (GDPR)/Data Protection Act 2018 replaced the Data Protection Act 1998. This statement provides information in relation to the Council’s compliance with these regulations.

What is the Council doing to prepare for GDPR?

The Council has undertaken a number of actions to ensure it complies with GDPR. In the main actions include (but are not limited to):

• ensuring staff undertake appropriate training
• relevant policies and procedures have been amended including the Data Protection Policy, Data Breach Policy, Information Security Policy, Information Sharing Policy, other local policies, etc.
• services have devised appropriate action plans
• each service have appointed GDPR champions
• a GDPR working group has been formed which is attended by the GDPR champions.

What technical and organisational security measures are in place?

The Council has a number of technical and organisational measures in place including:

• the Council conducts in-house and independent vulnerability assessments on a frequent basis, this is also followed up by proactive monitoring
• utilisation of change management methodologies and processes across our ICT service giving us compliance and monitoring reports
• a risk framework to identify potential risks and mitigate the threat they could pose if realised
• use of an enterprise antivirus products and secure backup and retention technologies across our organisation
• mobile devices are encrypted and are managed by a mobile device management system
• our data centres are housed in secure locations with only authorised personnel able to access
• remote admin access to our environment and data centre access is strictly restricted to key staff within our ICT Service
• we provide internet and classroom monitoring solutions to ensure the usage of the internet complies with internal governance arrangements
• ensuring that network passwords comply with the councils password management policy for corporate accounts
• the Council uses a secure email system called Zivver.

Data processed by the Council is either stored on secure servers held at Council locations or on secure Microsoft servers located securely in Europe. View information about Privacy at Microsoft.

Extra details about Microsoft security can be found via the following links:

• Microsoft Privacy Statement
• EU Model Clauses — Frequently Asked Questions (FAQs)
• Microsoft and European Union Model Clauses
• Office 365 - where is your data located?
• Microsoft - where is your data located?.

Appropriate organisational security measures are also in place, in the main these include (but not limited to):

• training staff in data protection
• ensuring adequate policies and procedures are in place
• fit for purpose building security measures.

Do we have appropriate information management accreditation?

The Councils IT security, network arrangements and information management services are also audited on a regular basis by various third party organisations.

How does the Council handle personal data?

View the Councils Privacy Policy.

Last updated: 13/07/2023 09:21