13. Accountability
13.1 Data Controller
The Data Controller (in most cases the Council) must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles.
The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
The Council must have adequate resources and controls in place to ensure and to document GDPR compliance including:
- (a) appointing a suitably qualified DPO and an officer accountable for data privacy;
- (b) implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
- (c) integrating data protection into internal documents including this Policy, Related Policies, Privacy Guidelines, Privacy Notices or Fair Processing Notices;
- (d) regularly training Council Personnel on the GDPR, this Policy, Related Policies and Privacy Guidelines and data protection matters including, for example, Data Subject's rights, Consent, legal basis, DPIA and Personal Data Breaches. The Council must maintain a record of training attendance by Council Personnel; and
- (e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
13.2 Record keeping
The GDPR requires us to keep full and accurate records of all our data Processing activities.
You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents.
These records should include, at a minimum, the name and contact details of the Data Controller and the DPO, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data's retention period and a description of the security measures in place.
13.3 Training and audit
We are required to ensure that all Council Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
You must undergo all mandatory data privacy related training and ensure your team undergo similar mandatory training.
You must regularly review all the systems and processes under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
13.4 Privacy by Design and Data Protection Impact Assessment (DPIA)
We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.
You must assess what Privacy by Design measures can be implemented on all programs/systems/processes that Process Personal Data by taking into account the following:
- (a) the state of the art;
- (b) the cost of implementation;
- (c) the nature, scope, context and purposes of Processing; and
- (d) the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the Processing.
Data Controllers must also conduct DPIAs in respect of high-risk Processing.
You should conduct a DPIA (and discuss your findings with the DPO) when implementing major system or business change programs involving the Processing of Personal Data including:
- (e) use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- (f) Automated Processing including profiling and ADM;
- (g) large scale Processing of Sensitive Data; and
- (h) large scale, systematic monitoring of a publicly accessible area.
A DPIA must include:
- (i) a description of the Processing and its purposes;
- (j) an assessment of the necessity and proportionality of the Processing in relation to its purpose;
- (k) an assessment of the risk to individuals; and
- (l) the risk mitigation measures in place and demonstration of compliance.
13.5 Automated processing (including profiling) and Automated Decision-Making
Generally, ADM is prohibited when a decision has a legal or similar significant effect on an individual unless:
- (a) a Data Subject has Explicitly Consented;
- (b) the Processing is authorised by law; or
- (c) the Processing is necessary for the performance of or entering into a contract.
If certain types of Sensitive Data are being Processed, grounds (b) and (c) are not available; however, such Sensitive Data can still be Processed where it is necessary (unless less intrusive means can be used) for reasons of substantial public interest, such as fraud prevention.
If a decision is to be based solely on Automated Processing (including profiling), then Data Subjects must be informed when you first communicate with them of their right to object. This right must be explicitly brought to their attention and presented clearly and separately from other information. Further, suitable measures must be put in place to safeguard the Data Subject's rights and freedoms and legitimate interests.
We must also inform the Data Subject of the logic involved in the decision making or profiling, the significance and envisaged consequences and give the Data Subject the right to request human intervention, express their point of view or challenge the decision.
A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.
13.6 Direct marketing
We are subject to certain rules and privacy laws when marketing to our customers.
For example, a Data Subject's prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as "soft opt in" allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.
A Data Subject's objection to direct marketing must be promptly honoured. If a customer opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
You must comply with any Council guidelines on direct marketing to customers.
13.7 Sharing personal data
Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
You may only share the Personal Data internally if the recipient has a job-related need to know the information.
You may only share the Personal Data we hold with third parties, such as our service providers, if:
- (a) they have a need to know the information for the purposes of providing the contracted services;
- (b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
- (c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
- (d) the transfer complies with any applicable cross border transfer restrictions; and
- (e) a fully executed written contract that contains GDPR approved third party clauses has been obtained.