Data Protection Policy
The Data Protection Policy
Thimbleby Parish Council recognises its responsibility to comply with the General Data Protection Regulations (GDPR) 2018 which regulates the use of personal data. This does not have to be sensitive data; it can be as little as a name and address.
General Data Protection Regulations (GDPR)
The GDPR sets out high standards for the handling of personal information and for protecting individuals’ right to privacy. It also regulates how personal information can be collected, handled and used. The GDPR applies to anyone holding personal information about people, electronically or on paper. Thimbleby Parish Council has also notified the Information Commissioner that it holds personal data about individuals.
When dealing with personal data, Thimbleby Parish Council staff and members must ensure that:
• Data is processed fairly, lawfully and in a transparent manner
This means that personal information should only be collected from individuals if staff have been open and honest about why they want the personal information.
• Data is processed for specified purposes only
This means that data is collected for specific, explicit and legitimate purposes only.
• Data is relevant to what it is needed for
Data will be monitored so that too much or too little is not kept; only data that is needed should be held.
• Data is accurate and kept up to date and is not kept longer than it is needed
Personal data should be accurate; if it is not, it should be corrected. Data no longer needed will be shredded or securely disposed of.
• Data is processed in accordance with the rights of individuals
Individuals must be informed, upon request, of all the personal information held about them.
• Data is kept securely
There should be protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Storing and accessing data
Thimbleby Parish Council recognises its responsibility to be open with people when taking personal details from them. This means that staff must be honest about why they want a particular piece of personal information.
Thimbleby Parish Council may hold personal information about individuals such as their names, addresses, email addresses and telephone numbers. These will be securely kept at the Thimbleby Parish Council Office and are not available for public access. All data stored on the Thimbleby Parish Council Office computers is password protected. Once data is no longer needed, is out of date or has served its use and falls outside the minimum retention time of the Council's document retention policy, it will be shredded or securely deleted from the computer.
Thimbleby Parish Council is aware that people have the right to access any personal information that is held about them. Subject Access Requests (SARs) must be submitted in writing (this can be done in hard copy, email or social media). If a person requests to see any data that is being held about them, the SAR response must detail:
• How and to what purpose personal data is processed
• The period Thimbleby Parish Council tends to process it for
• Anyone who has access to the personal data
The response must be sent within 30 days and should be free of charge.
If a SAR includes personal data of other individuals, Thimbleby Parish Council must not disclose the personal information of the other individual. That individual's personal information may either be redacted, or the individual may be contacted to give permission for their information to be shared with the Subject.
Individuals have the right to have their data rectified if it is incorrect, the right to request erasure of the data, the right to request restriction of processing of the data and the right to object to data processing, although rules do apply to those requests.
Please see “Subject Access Request Procedure” for more details.
Confidentiality
Thimbleby Parish Council members and staff must be aware that when complaints or queries are made, they must remain confidential unless the subject gives permission otherwise. When handling personal data, this must also remain confidential.
Appendix 1
Data Breach Policy
GDPR defines a personal data breach as “a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include:
• Access by an unauthorised third party
• Deliberate or accidental action (or inaction) by a controller or processor
• Sending personal data to an incorrect recipient
• Computing devices containing personal data being lost or stolen
• Alteration of personal data without permission
• Loss of availability of personal data
Thimbleby Parish Council takes the security of personal data seriously; computers are password protected and hard copy files are kept in locked cabinets.
Consequences of a personal data breach
A breach of personal data may result in a loss of control of personal data, discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data, damage to property or social disadvantage. Therefore a breach, depending on the circumstances of the breach, can have a range of effects on individuals.
Thimbleby Parish Council’s duty to report a breach
If the data breach is likely to result in a risk to the rights and freedoms of the individual, the breach must be reported to the individual and the ICO without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. The Data Protection Officer must be informed immediately so they are able to report the breach to the ICO within the 72-hour timeframe.
If the ICO is not informed within 72 hours, Thimbleby Parish Council via the DPO must give reasons for the delay when they report the breach.
When notifying the ICO of a breach, Thimbleby Parish Council must:
i. Describe the nature of the breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
ii. Communicate the name and contact details of the DPO
iii. Describe the likely consequences of the breach
iv. Describe the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.
When notifying the individual affected by the breach, Thimbleby Parish Council must provide the individual with (ii)-(iv) above.
Thimbleby Parish Council would not need to communicate with an individual if any of the following applies:
• It has implemented appropriate technical and organisational measures (e.g. encryption) so that those measures have rendered the personal data unintelligible to any person not authorised to access it;
• It has taken subsequent measures to ensure that the high risk to rights and freedoms of individuals is no longer likely to materialise, or
• It would involve a disproportionate effort
However, the ICO must still be informed even if the above measures are in place.
Data processor's duty to inform Thimbleby Parish Council
If a data processor (e.g. a payroll provider) becomes aware of a personal data breach, it must notify Thimbleby Parish Council without undue delay. It is then Thimbleby Parish Council’s responsibility to inform the ICO; it is not the data processor's responsibility to notify the ICO.
Records of data breaches
All data breaches must be recorded whether or not they are reported to individuals. This record will help to identify system failures and should be used as a way to improve the security of personal data.
Record of Data Breaches (columns of the record):
Date of breach | Type of breach | Number of individuals affected | Date reported to ICO/individual | Actions to prevent breach recurring
To report a data breach use the ICO online system:
https://ico.org.uk/for-organisations/report-a-breach/
Appendix 2
Subject Access Request Procedure
This procedure is to be followed when an individual contacts Thimbleby Parish Council to request access to their personal information held by the Council. Requests must be completed within 1 month, so they should be actioned as soon as they are received. SARs should be provided free of charge; however, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The steps below should be followed to action the request:
1. Is it a valid subject access request?
   - The request must be in writing (letter, email, social media or fax).
   - Has the person requesting the information provided you with sufficient information to allow you to search for it? (You are allowed to request more information from the person if the request is too broad.)
2. Verify the identity of the requestor.
   - You must be confident that the person requesting the information is indeed the person the information relates to. You should ask the person to attend the office with their passport/photo driving licence and confirmation of their address (utility bill/bank statement).
3. Determine where the personal information will be found.
   - Consider the type of information requested and use the data processing map to determine where the records are stored. (Personal data is data which relates to a living individual who can be identified from the data (name, address, email address, database information) and can include expressions of opinion about the individual.)
   - If you do not hold any personal data, inform the requestor. If you do hold personal data, continue to the next step.
4. Screen the information.
   - Some of the information you have retrieved may not be disclosable due to exemptions; however, legal advice should be sought before applying exemptions. Examples of exemptions are:
     - References you have given
     - Publicly available information
     - Crime and taxation
     - Management information (restructuring/redundancies)
     - Negotiations with the requestor
     - Regulatory activities (planning enforcement, noise nuisance)
     - Legal advice and proceedings
     - Personal data of third parties
5. Are you able to disclose all the information?
   - In some cases, emails and documents may contain the personal information of other individuals who have not given their consent to share their personal information with others. If this is the case, the other individual’s personal data must be redacted before the SAR is sent out.
6. Prepare the SAR response (using the sample letters at the end of this document) and make sure to include as a minimum the following information:
   (a) the purposes of the processing;
   (b) the categories of personal data concerned;
   (c) the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
   (d) where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
   (e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
   (f) the right to lodge a complaint with the Information Commissioner's Office (“ICO”);
   (g) if the data has not been collected from the data subject: the source of such data;
   (h) the existence of any automated decision-making, including profiling, and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Be sure to also provide a copy of the personal data undergoing processing.
All SARs should be logged, recording the date of receipt, the identity of the data subject, a summary of the request, an indication of whether the Council can comply, and the date the information is sent to the data subject.
Sample letters:
Replying to a subject access request providing the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. We are pleased to enclose the personal data you requested.
Include 6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
Release of part of the personal data, when the remainder is covered by an exemption
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject]. To answer your request we asked the following areas to search their records for personal data relating to you:
- [List the areas]
I am pleased to enclose [some/most] of the personal data you requested. [If any personal data has been removed] We have removed any obvious duplicate personal data that we noticed as we processed your request, as well as any personal data that is not about you. You will notice that [if there are gaps in the document] parts of the document(s) have been blacked out. [OR if there are fewer documents enclosed] I have not enclosed all of the personal data you requested. This is because [explain why it is exempt].
Include 6(a) to (h) above.
Copyright in the personal data you have been given belongs to the council or to another party. Copyright material must not be copied, distributed, modified, reproduced, transmitted, published, or otherwise made available in whole or in part without the prior written consent of the copyright holder.
Yours sincerely”
Replying to a subject access request explaining why you cannot provide any of the requested personal data
“[Name] [Address]
[Date]
Dear [Name of data subject]
Data Protection subject access request
Thank you for your letter of [date] making a data subject access request for [subject].
I regret that we cannot provide the personal data you requested. This is because [explanation where appropriate].
[Examples include where one of the exemptions under the data protection legislation applies. For example, the personal data might be ‘legally privileged’ because it is contained within legal advice provided to the council or is relevant to ongoing litigation or preparation for litigation. Other exemptions include where the personal data identifies another living individual or relates to negotiations with the data subject. Your data protection officer will be able to advise if a relevant exemption applies. If the council is going to rely on the exemption to withhold or redact the data disclosed to the individual, then in this section of the letter the council should set out the reason why some of the data has been excluded.]
Yours sincerely”
PRIVACY NOTICE
Last updated June 30th, 2025
Thank you for choosing to be part of our community at Thimbleby Parish Council. We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this privacy notice, or our practices with regards to your personal information, please contact us at clerk@thimblebyparishcouncil.gov.uk.
When you visit our website https://thimbleby.lincolnshire.gov.uk/ (the "Website"), and more generally, use any of our services (the "Services", which include the Website), we appreciate that you are trusting us with your personal information. We take your privacy very seriously. In this privacy notice, we seek to explain to you in the clearest way possible what information we collect, how we use it and what rights you have in relation to it. We hope you take some time to read through it carefully, as it is important. If there are any terms in this privacy notice that you do not agree with, please discontinue use of our Services immediately.
This privacy notice applies to all information collected through our Services (which, as described above, includes our Website), as well as any related services, sales, marketing or events.
Please read this privacy notice carefully as it will help you understand what we do with the information that we collect.
1. WHAT INFORMATION DO WE COLLECT?
Names, email addresses, phone numbers, house address and the details given in correspondence with the parish council.
2. WILL YOUR INFORMATION BE SHARED WITH ANYONE?
In Short: We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.
We may process or share your data that we hold based on the following legal basis:
- Consent: We may process your data if you have given us specific consent to use your personal information for a specific purpose.
- Legitimate Interests: We may process your data when it is reasonably necessary to achieve our legitimate business interests.
- Performance of a Contract: Where we have entered into a contract with you, we may process your personal information to fulfill the terms of our contract.
- Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
- Vital Interests: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
More specifically, we may need to process your data or share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
3. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
In Short: We may use cookies and other tracking technologies to collect and store your information.
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.
4. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
In Short: We may transfer, store, and process your information in countries other than your own.
Our servers are located in. If you are accessing our Website from outside, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see "WILL YOUR INFORMATION BE SHARED WITH ANYONE?" above), in and other countries.
If you are a resident in the European Economic Area, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this privacy notice and applicable law.
5. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). No purpose in this notice will require us keeping your personal information.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
6. DO WE COLLECT INFORMATION FROM MINORS?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Website, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Website. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at parishclerk9@gmail.com.
7. WHAT ARE YOUR PRIVACY RIGHTS?
In Short: You may review, change, or terminate your account at any time.
If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
If you are resident in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html
Cookies and similar technologies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Website. To opt out of interest-based advertising by advertisers on our Website, visit http://www.aboutads.info/choices/
8. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.
9. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.
We may update this privacy notice from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
10. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions or comments about this notice, you may email us at clerk@thimblebyparishcouncil.gov.uk.
HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please submit a request by email to clerk@thimblebyparishcouncil.gov.uk.