
Data Protection and UK GDPR Policy
Corporate Lead Officer, Customer Contact, ICT & Digital
Published: 08/10/2025 Version 6.0
Contents
- 1 Definition of the Policy
- 2 Principles of the Policy
- 2.1 Compliance With the UK GDPR Data Protection Principles
- 2.2 First UK GDPR Principle: Fair and Lawful Processing
- 2.3 Second UK GDPR Principle: Specified and Legitimate Purposes
- 2.4 Third UK GDPR Principle: Adequate, Relevant and Limited
- 2.5 Fourth UK GDPR Principle: Accuracy
- 2.6 Fifth UK GDPR Principle: Retention Only as Long as Necessary
- 2.7 Sixth UK GDPR Principle: Security
- 2.8 Compliance With Individuals’ Rights Under UK GDPR
- 2.9 The Right to be Informed
- 2.10 The Right of Access
- 2.11 The Right to Rectification
- 2.12 The Right to Restrict Processing
- 2.13 The Right to Object to Processing
- 2.14 Rights on Automated Decision Making and Profiling
- 2.15 Right of Portability
- 2.16 Right to Erasure or ‘Right to be Forgotten’
- 3 Implementation of the Policy
- 3.1 Register of Processing Activities
- 3.2 Maintaining Records of Consent
- 3.3 Data Protection Impact Assessments
- 3.4 Data Breaches
- 3.5 International Transfers
- 3.6 Information Sharing
- 3.7 Protection of Children and Vulnerable People
- 3.8 Data Protection Officer
- 3.9 Senior Information Risk Officer
- 3.10 Corporate Lead Officers
- 3.11 Council Staff
- 3.12 Councillors
- 4 External Advisory Standards Affecting This Policy
- 5 Policy Monitoring and Review
1 Definition of the Policy
1.1 Purpose of the Policy
Ceredigion County Council (“the Council”) collects and uses a wide range of information about individuals in order to carry out its functions and deliver its services. These people include our customers, clients, employees, residents of the County, job applicants and anybody who undertakes work on behalf of the Authority. Much of the information we hold about them is their personal data.
Compliance with this policy will assist the Council in meeting the requirements of the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the accompanying Data Protection Act 2018 (‘DPA’).
This policy sets out how the Council seeks to protect personal data and ensure that staff and elected Members understand the rules governing their use of personal data to which they have access in the course of their work. All staff and elected Members must make themselves familiar with this policy and comply with its terms.
This policy also relates to the following legislative requirements incumbent on the Council:
- Local Government Act 1972
- Local Government (Access to Information) Act 1985
- Freedom of Information Act 2000
- Environmental Information Regulations 2004
- Re-use of Public Sector Information Regulations 2005
This policy complements and sits alongside the following related Council policies:
- Information and Records Management Policy
- Information Security Policy
- Freedom of Information Policy
This policy also sits alongside and complements the Council’s privacy notice, which outlines how services within the Council collect and use personal data. The privacy notice lists individuals’ rights to access and correct the data that is held on them, and in certain circumstances to object to its processing. The corporate privacy notice, which should be read in combination with this policy, is to be found at:
Privacy Notice - Ceredigion County Council
Failure to effectively implement this policy creates risks for the Council of non-compliance with legislation, significant monetary penalties from the Information Commissioner’s Office (ICO), distress or harm to individuals whose data we hold, reputational damage to the Council and detriment to the Council’s ability to deliver effective and reliable services.
1.2 Scope
This policy applies to all staff and elected Members who have access to Council records and information in whatever format in the course of their work. ‘Staff’ for these purposes includes permanent and temporary employees of the Council, volunteers and work experience interns, and external agents working for or on behalf of the Council.
This policy applies to all information held, maintained and used by the Council in all locations and in all media.
The responsibilities within this Policy extend to staff beyond their period of employment or to Elected Members beyond their period of office. This paragraph refers specifically to their continued responsibility to keep secure and not publicly disclose the personal data of any third party (particularly any sensitive personal information) to which they may have had privileged access by virtue of their period of employment or office.
1.3 Policy Definition
The following is a set of general definitions relevant to this policy. Some other definitions are given in the text where the term occurs, and these can be identified by the emboldened text.
1.3.1 Personal Data
Personal Data is information which relates to a living individual who can be identified from the information itself or by linking it with other information – for example a person’s name and address, an online profile, a member of staff’s HR record or records relating to individuals such as school pupils or service users.
1.3.2 Special Categories of Personal Data
Special category data means personal data consisting of information as to:
- Genetic and biometric data
- Political opinions
- Religious or other beliefs
- Trade union membership
- Physical or mental health/condition
- Sexual life
- Sexual orientation
- Racial or ethnic origin
And although not specifically described as special category data, this information requires the same treatment:
- The commission or alleged commission of any offence
- Any proceedings for any offence committed/alleged to have been committed, the disposal of such proceedings or the sentence of such proceedings
1.3.3 Data Controller
The Data Controller is a person or organisation who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
1.3.4 Data Processing
Processing data means obtaining, recording or holding data. It also includes the carrying out of any operation on data, including:
- The organising, adapting or altering of the data
- The retrieval, consultation or use of the data
- The disclosure of data by transmission, dissemination or otherwise making available
- The alignment, combination, blocking, erasure or destruction of the information or data
1.3.5 Data Processors
The Data Processor is a person/organisation who processes data on behalf of a Data Controller and under their instruction.
1.3.6 Data Subject
The Data Subject is the person whose personal information is held by a controller.
2 Principles of the Policy
The Council will implement technical and organisational measures to show that it has considered and integrated data protection into all its processing activities, in accordance with the applicable data protection principles, laws and rights of individuals as set out below in this section. The Council’s approach to data protection will be, as required by UK GDPR, ‘data protection by design and default’ and ‘privacy by design’.
2.1 Compliance With the UK GDPR Data Protection Principles
The Council will take steps to ensure that all the personal data processing it undertakes accords with the six data protection principles. These data protection principles are:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specified, explicit and legitimate purposes
- Personal data must be adequate, relevant and limited to what is necessary for processing
- Personal data must be accurate and kept up to date
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal data must be processed in a manner that ensures its security
There is also an overarching principle of accountability which means that the Council must not only comply with the six UK GDPR principles but must be seen to be complying with them and be able to demonstrate compliance if inspected by regulatory bodies, such as the ICO.
2.2 First UK GDPR Principle: Fair and Lawful Processing
Processing of personal data must only be undertaken where the Council has a lawful basis for carrying out the activity. There are 6 potentially applicable lawful bases for general processing of Personal data and 10 lawful bases for processing Special Category Data. If Special Category Data is being processed, both a lawful basis for general processing and an additional condition for processing this type of data must be identified.
The legal basis for processing personal information for most of the Council’s work will be that the processing is carried out in the public interest or in the exercise of official authority vested in the controller.
The Council’s legal basis for processing most ‘special category’ personal information will be that the processing is necessary for reasons of substantial public interest, on the basis of UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
2.3 Second UK GDPR Principle: Specified and Legitimate Purposes
When gathering personal data or establishing new data protection activities, staff should ensure that data subjects receive appropriate privacy notices to inform them how the data will be used. There are limited exceptions to this requirement, which are specified in UK GDPR. A ‘privacy notice’ is a statement that explains some or all of the ways an organisation gathers, uses, discloses, and manages the personal data it collects from its customers or clients. It fulfils part of the organisation’s legal requirement to respect a customer or client's privacy when collecting and sharing personal data. The Council must have especial regard for its processing of the data of vulnerable individuals including children, and take appropriate measures to ensure that privacy notices are communicated to such data subjects in ways they will understand.
2.4 Third UK GDPR Principle: Adequate, Relevant and Limited
Staff should make sure data processed by them is adequate, relevant and proportionate for the purpose for which it was obtained. Personal data obtained for one purpose should not generally be used for unconnected purposes unless the individual has agreed to this or would otherwise reasonably expect the data to be used in this way. The Council will not re-use data obtained for one purpose without due regard to this purpose compatibility principle, and where necessary a purpose compatibility test will be carried out with the assistance of the Council's Data Protection Team.
2.5 Fourth UK GDPR Principle: Accuracy
Personal data must be accurate and where necessary kept up to date. This principle ensures that individuals may ask the Council to correct personal data relating to them which they consider to be inaccurate. If a member of staff receives such a request and does not agree that the personal data held is inaccurate, they should nevertheless record the fact that it is disputed and inform the Data Protection Officer (DPO).
2.6 Fifth UK GDPR Principle: Retention Only as Long as Necessary
Personal data should not be retained for any longer than necessary. Staff should follow the corporate records retention schedule for guidance. The length of time for which data should be retained may vary from this schedule depending upon particular circumstances, including any special reasons why it was obtained.
2.7 Sixth UK GDPR Principle: Security
Staff must keep personal data secure against loss or misuse in accordance with the Information Security Policy. Appropriate technical and organisational measures will be implemented to ensure that data is processed to a level of security commensurate with its sensitivity. Where the Council uses external organisations to process personal data on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal data. Staff should consult the DPO to discuss the necessary steps to ensure compliance when setting up any new data processing agreement or altering any existing agreement.
2.8 Compliance With Individuals’ Rights Under UK GDPR
The Council will implement a set of rules and procedures, creating a workflow for the evaluation of requests, with regard to the following individual rights under UK GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to restrict processing
- The right to object
- Rights on automated decision making and profiling
- Right to data portability
- Right to erasure or ‘right to be forgotten’
2.9 The Right to be Informed
The Council will explain at the point of collection how it intends to use the data it is collecting, whether it will share the data with anyone else, what the legal basis for processing is and which individual rights apply. The primary method for communicating this information will be the corporate privacy notice, supplemented by brief privacy statements at the point of collection which reference amongst other things the full notice. Other versions of the privacy notice will complement it, suitable for explaining the concepts of privacy and data protection to children and to others who may reasonably expect the information to be available in other, more accessible formats.
2.10 The Right of Access
Individuals are entitled (subject to certain exemptions specified in the Data Protection Act) to request access to information held about them. All such Subject Access Requests should be logged at a corporate level and referred onward immediately to the relevant officer(s) for action. The Council must respond to a valid request within the legally prescribed time limit of one month. This may legally be extended for a period of up to three months in complex cases.
2.11 The Right to Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. The Council must respond within one month to any reasonable request for rectification, although this can be extended by two months where the request for rectification is complex. If the Council has shared the personal data in question with other agencies, each agency must be informed and asked to make the same rectification - unless this proves impossible or involves disproportionate effort. If asked to, staff must also inform the data subjects about these agencies whose data may also be inaccurate. If the request for rectification is refused (for example where the data subject’s authenticity is contested), staff must explain why to the individual, informing them of their right of appeal to the DPO, the ICO and potentially to seek a judicial remedy. Staff who have received a right to rectification request should contact the IRMS team for direction and advice.
2.12 The Right to Restrict Processing
Individuals are entitled to block the processing of their personal data in certain circumstances. The data may continue to be stored but processing of it must cease. The Council is only required to restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the personal data
- Where, following an objection to processing, the Council is considering whether its legitimate grounds override those of the individual (this is only applicable where the legal basis for processing is either performance of the public task or the exercise of legitimate interests, see 2.13 below)
- When processing is unlawful and the individual opposes erasure and requests restriction instead
- If the Council no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim
2.13 The Right to Object to Processing
Where the legal basis for processing is performance of a public task or the exercise of legitimate interests, individuals have the right to object to processing, including any profiling based on those provisions. The Council shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject. Where the legal basis for processing is consent, individuals have an absolute right to object to the Council processing their data for this purpose, and staff must act on such an objection immediately and without question. This legal basis for processing and this right apply in particular to any direct marketing undertaken by the Council, for example marketing for its cultural, leisure and other discretionary/optional services.
2.14 Rights on Automated Decision Making and Profiling
Individuals have the right to be informed when their data is subject to automated decision making and profiling.
2.15 Right of Portability
Individuals have the right to demand that their personal data is transferred to another agency (for example when moving to another area). It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. This limited right only applies where the legal basis for processing is performance of a contract or based on consent, hence is not applicable in any great degree to local authorities.
2.16 Right to Erasure or ‘Right to be Forgotten’
Individuals also have the right, in the case of reliance on consent, to demand that their personal data be removed entirely from the particular processing activity, the so-called ‘right to be forgotten’. This limited right applies mostly to direct marketing activity by the Council.
3 Implementation of the Policy
The Council will take the necessary actions to ensure that it complies with all other legal obligations imposed on it by UK GDPR and the Data Protection Act. Specifically, this involves:
- Appointing a DPO
- Maintaining a Register of Processing Activities
- Maintaining records of consent
- Undertaking Data Protection Impact Assessments
- Promptly investigating data breaches
- Not transferring personal data to countries deemed as having an inadequate level of data protection regulation without additional recognised legal safeguards
The existence of an information governance structure within the Council in no way negates or reduces the individual accountability and responsibility of all staff and elected members for protecting the personal data to which they have access.
3.1 Register of Processing Activities
The Council will maintain a Register of Processing Activities which will record all data processing activity undertaken by the Council, amongst other things defining the legal basis for each activity, the categories of data contained within each system and identifying cases where the Council shares the data and with whom.
3.2 Maintaining Records of Consent
Where the legal basis for processing is consent, the Council must explain why the data is being collected, how it will be processed and whether it is to be shared with anyone else, before obtaining the data subject’s consent. Consent of this type is usually gathered through a tick box, which cannot be pre-ticked, or other form of affirmative action. A record must be made and maintained of the data subject’s consent.
Where the legal basis for processing is consent and the categories of data to be collected include sensitive personal data, it will be necessary to have an individual’s explicit consent to process sensitive personal data, unless exceptional circumstances apply. Explicit consent of this type is usually gathered through a signature obtained below a clear privacy statement. A record must be made and maintained of the data subject’s explicit consent.
3.3 Data Protection Impact Assessments
A ‘Data Protection Impact Assessment’ is a tool for identifying and assessing privacy risks throughout the development life cycle of a program or system containing personal data. The Council must carry out Data Protection Impact Assessments when, for example, building new systems for storing or accessing personal data; developing policies or strategies that have privacy implications; embarking on a data sharing initiative; or using data for new purposes. An assessment is required where new or changed processing involves large amounts of personal data, where new regional partnerships or commercial outsourcing involve the transfer of personal data to third parties, or in the case of a data breach which brings to light risks in existing methods of processing.
In determining whether a Data Protection Impact Assessment is necessary, the advice of the Data Protection Officer must be sought. A DPIA template can be found on Cerinet intranet pages.
3.4 Data Breaches
In the event of a Data Breach the DPO will carry out an assessment to determine whether the data subject and/or the ICO should be informed of the breach. If required, the ICO will be informed within the 72-hour timeframe as prescribed by UK GDPR.
3.5 International Transfers
There are restrictions under UK GDPR on international transfers of personal data to countries operating data protection regimes not regarded by the Information Commissioner’s Office as providing adequate levels of protection to personal data. Where such transfers (known as ‘restricted transfers’) are necessary, the International Data Transfer Agreement (IDTA) and, where required, the UK Addendum, will be incorporated into documentation governing the transfer. A list of countries and territories covered by a UK adequacy decision can be found here:
A guide to international transfers | ICO
3.6 Information Sharing
The Data Protection Act is not a barrier to sharing information but rather provides a framework to ensure that personal information about living persons is shared appropriately. Staff should not hesitate to share personal information in order to prevent abuse or serious harm, in an emergency or in life-or-death situations. If there are concerns relating to child or adult protection issues, then the relevant procedures should be followed.
The Wales Accord on the Sharing of Personal Information (WASPI) was developed as a practical approach to multi-agency sharing for the public sector in Wales, to which the Council signed up in June 2011.
Information sharing is key to joined-up service delivery. Decisions on whether to share information must be taken on a case-by-case basis which should then be supported by, at minimum, a legally binding data sharing agreement, and, where practicable, the production of either an Information Sharing Protocol (ISP) or a Data Disclosure Agreement (DDA).
Each ISP and/or DDA must have a clearly defined purpose for the sharing and must be seen and registered by the IRM Service before being signed off at Corporate Lead Officer level.
3.7 Protection of Children and Vulnerable People
Where information is passed to the Council concerning safeguarding, then the risk posed and the individual’s right to privacy will have to be balanced against each other.
If information received by the Council relating to any person(s) who may come into contact in any way with children and/or vulnerable persons raises concerns as to the appropriateness of the person(s) having contact with children and/or vulnerable people and/or as to the future well-being of such children and/or vulnerable persons, the Council will consider it a duty to share that information. It may be shared with any appropriate agency if the balance of risk is deemed to require the sharing of such information.
3.8 Data Protection Officer
The Council must have a Data Protection Officer. The Data Protection Officer will provide strategic and operational guidance to the Council on all matters related to the Council's compliance with this policy and the Data Protection Legislation. The DPO will report to the Senior Information Risk Owner (SIRO) and Monitoring Officer. The SIRO is responsible for the controller's compliance with this policy and the Data Protection legislation.
3.9 Senior Information Risk Officer
The Council’s Senior Information Risk Officer (SIRO) is the Officer responsible for the Authority’s compliance with this policy. The SIRO will accept advice and guidance from the Data Protection Officer but has ultimate responsibility for decisions made in respect of the processing of personal data in the authority.
3.10 Corporate Lead Officers
Corporate Lead Officers are responsible and accountable for maintaining appropriate procedures and standards of data protection within their service unit. The requirements of this policy will be acknowledged and included in each service unit’s business plans, along with the related issues of information management, records retention, and compliance with Freedom of Information requests.
Corporate Lead Officers will ensure that all staff within their service unit:
- Are aware of their responsibilities for data protection, for example by monitoring the compliance of their staff with mandatory data protection training
- Do not enter into contractual arrangements which fail to comply with the requirements of UK GDPR or which lack appropriate clauses about data protection and privacy
- Know where to look and who to approach for advice and guidance on the subject of data protection
- Ensure that staff are appropriately trained to the correct level and have signed appropriate undertakings in certain cases where highly sensitive personal data is processed, in order to protect and responsibly manage the personal data to which they have access through their employment
3.11 Council Staff
All staff are responsible and accountable for following established corporate and departmental procedures with regard to data protection and for undertaking all mandatory training which includes Data Protection and information security modules. Further guidance to staff for the proper management and protection of personal data can be found on Cerinet intranet pages.
Misuse and unauthorised disclosure of personal data can lead to personal prosecution and failure to comply with this policy may be dealt with in accordance with the Council’s disciplinary policy.
Managers are responsible for ensuring that volunteers, apprentices, trainees and work experience interns working alongside them temporarily are given, where necessary, an appropriate basic training as part of their induction about data protection and respect for individual privacy rights.
3.12 Councillors
All elected members are responsible and accountable for following established procedures and keeping their training and understanding up to date with regards to data protection. Corporate guidance to elected members for the proper management and protection of personal data will be shared during training. Councillors must be mindful that when representing their constituents or campaigning they are data controllers in their own right and should familiarise themselves with those responsibilities. Specific training for Councillors that explains this is provided.
4 External Advisory Standards Affecting This Policy
This policy is informed by the ICO’s guidance on the implementation of UK GDPR. The guidance can be found at:
UK GDPR guidance and resources | ICO
This policy will be reviewed and, if necessary, amended following any revision by the ICO of its guidance and/or any significant legal case interpreting UK GDPR or the Data Protection Act, especially in so far as it might affect the responsibilities of public authorities.
5 Policy Monitoring and Review
Effectiveness of the implementation of the policy will be assessed at intervals by internal audit and/or the DPO, who may carry out an internal investigation without prior notice or consent.
Such audits of service areas may, amongst other measures:
- Identify areas of operation within the service area that are covered or not covered by the policy and to identify any relevant processing and/or procedures which fail to adhere to the policy
- Demand that a Data Protection Impact Assessment be carried out immediately where current methods of data processing present a corporate risk (for example where large quantities of sensitive personal data are being processed with potentially inadequate safeguards), or where a significant data breach has already occurred
- Set requirements for implementing new operational procedures with regard to data protection, processing of data and dealing with requests for information
- Identify where non-compliance with the operational procedures is occurring and suggest appropriate adjustments in the form of an improvement action plan
The SIRO and DPO will formally review the policy annually and amend if necessary. The amended policy will be distributed to all staff.
The policy will be reported to Council on a five-yearly basis or when significant changes are made.