Issue - meetings
Data Management Policies
Meeting: 21/07/2025 - Policy and Resources Committee (Item 8)
8 Data Management Policies 
PDF 136 KB
Data Protection Policy
Privacy Policy
Subject Access Request (SAR) Policy
Freedom of Information (FOIA) Policy and Environmental Information Regulations (EIR) Policy
Data Retention Policy
Special Category Personal Data and Criminal Offence Data Policy
1.1 The option detailed at 4.1 is selected.
1.2 The Committee agrees to give delegated Authority to Associate Director of Corporate, Customer and Community to authorise minor changes to the policy, such as terminology, clarification, or administrative corrections with no significant impact.
1.3 That public access to the report be immediate.
Additional documents:
- Enc. 1 for Data Management Policies, item 8
PDF 346 KB
- Enc. 2 for Data Management Policies, item 8
PDF 410 KB
- Enc. 3 for Data Management Policies, item 8
PDF 315 KB
- Enc. 4 for Data Management Policies, item 8
PDF 440 KB
- Enc. 5 for Data Management Policies, item 8
PDF 584 KB
- Enc. 6 for Data Management Policies, item 8
PDF 403 KB
Minutes:
Members received a covering report which set out the various policies to be updated. The updated documents aim to ensure compliance with legal obligations, enhance transparency and protect the rights of individuals regarding their personal data.
· Data Protection Policy (update to existing policy)
· Privacy Policy (new)
· Subject Access Request (SAR) Policy (previously contained within the Data Protection Policy)
· Freedom of Information (FOIA) and Environmental Information Regulations (EIR) Policy (replaces current FOIA guidance for staff)
· Data Retention Policy (update to existing policy)
· Special Category Personal Data and Criminal Offence Data Policy (new)
Councillor cooper raised an amendment to add under 13. Data Sharing and Transfers on page 8 of the Data Protection Policy:
“In accordance with the Information Commissioner Office's "Guide to International Transfers" dated 29th May 2025 and the EDPS "Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR" dated 14th February 2023, use of a device by an employee or councillor outside the UK will not be considered a transfer under this or any other council policy, and they shall therefore not be prohibited from accessing or require prior notification or approval to access their emails.”
Officers clarified that while data transfer outside of the UK is not prohibited, all listed policies require adequate safeguards when transferring data internationally. Each request for international access is reviewed on its own merits, considering data protection laws and cyber security risks in the destination country. Notably, Australia is no longer on the approved list due to GDPR considerations. Officers further noted that the IT policy on working abroad builds on an existing policy and is not part of this current data set. Reviews include legal compliance and cyber security implications.
Some members felt that although the EU adequacy framework is understood, councillor access to emails while abroad had been inconsistently applied. Members felt that accessing council emails while overseas via a secure device should not always constitute a formal data transfer and denials of access have occurred without full consideration. Officers clarified that past rejections were appealed and subsequently reviewed, affirming that each case is assessed individually, with cybersecurity risk as a primary concern.
Officers noted that councillors should not correspond with officers via personal email accounts and highlighted that all systems must pass an annual security inspection. It was clarified that verbal communication via phone call while abroad was allowed.
The amendment moved to a vote; with 4 votes in favour and 5 against with 3 abstentions, the amendment fell.
The Vice Chair called for a vote on the substantive motion and was carried by general assent.