Data Protection & Privacy Policies

DATA PROTECTION POLICY

This is a statement of the Data Protection Policy adopted by NESTRANS, the North East Transport Partnership.

This policy is applicable to all personal data held by NESTRANS. It applies to all Members, Observers and employees of NESTRANS and to any contractors or agents performing work for or on behalf of NESTRANS.

NESTRANS is a partnership of Aberdeen City Council and Aberdeenshire Council. NESTRANS is responsible to Scottish Ministers for the formulation and delivery of a Regional Transport Strategy for the region bounded by the two Local Authorities.

NESTRANS needs to process certain types of data about people with whom it deals (“personal data”) in order to operate. This includes current, past and prospective employees, suppliers, clients and customers, and others with whom it communicates.

In order to comply with the GDPR and the Data Protection Act 2018 (referred to together below as the GDPR), NESTRANS must ensure that all personal data are securely stored and processed lawfully, however they are collected, recorded and used. Safeguards are in place to support compliance with the legislation and these are detailed below.

NESTRANS regards the safekeeping of all personal data as paramount to maintaining confidence between it and those with whom it deals. NESTRANS endeavours to fulfil all the requirements of the GDPR while remaining open and accessible by the public.

SCOPE

This policy is applicable to all personal data held by NESTRANS whether the information is held or accessed on NESTRANS premises or accessed remotely via mobile or home working or by using network access from partner organisations. Personal information held on removable devices and other portable media is also covered by this policy.

THE DATA PROTECTION PRINCIPLES

To that end, NESTRANS fully endorses and adheres to the six GDPR Principles set out below. These Principles are that personal data must be:

Lawfulness, Fairness and Transparency

  • Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose Limitation

  • Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

Data Minimisation

  • Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

  • Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage limitation

  • Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of appropriate technical and organisational measures in order to safeguard the rights and freedoms of the data subject.

Integrity and confidentiality

  • Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

In addition, NESTRANS is responsible for, and must be able to demonstrate compliance with, the data protection principles listed above, in accordance with the principle of accountability. It must keep a full and accurate record of its personal data processing activities, e.g., the lawful basis for the processing in question, who is undertaking these activities and with what data, the results of any data protection impact assessment or data protection audit and details of any data breaches and actions taken.

RESPONSIBILITIES

  • The Partnership Director has specific senior responsibility for data protection within NESTRANS. The Partnership Director has responsibility for ensuring that the information under their control is collected, processed and held in accordance with this policy and the GDPR.
  • Transport Executive Travel Plan and Delivery is the designated Data Protection Officer for NESTRANS, advising on and monitoring NESTRANS’s compliance with GDPR and providing a point of contact for data subjects and the Information Commissioner’s Office.
  • All employees and elected members of the Regional Transport Partnership, any contractors or agents performing work for or on behalf of the Regional Transport Partnership, and any other individuals with access to NESTRANS’s information have a responsibility to ensure that personal information is properly protected at all times. This requires continued compliance with NESTRANS’s information policies, procedures and other guidance.
  • All users have a responsibility to report any observed or suspected breach of this Data Protection Policy or related information procedures and guidance. All incidents must be reported to the Data Protection Officer.

WHAT NESTRANS WILL DO

To ensure compliance, NESTRANS will, through appropriate management and strict application of criteria and controls:

  • maintain appropriate and accurate transparency information (a privacy notice) on its website clearly signposted from any portals or forms which may collect personal data
  • meet its legal obligations to specify the purposes for which data is used
  • collect and process appropriate data, and only to the extent that it is required to fulfil operational needs or to comply with any legal requirements
  • ensure the quality of the data used
  • apply the retention policy set out in Nestrans Records Management Plan to determine the length of time the data is held
  • ensure that the rights of people about whom data is held can be fully exercised under the GDPR (these are described below)
  • ensure that materials are only distributed to corporate email addresses or to the personal email addresses of current board members, current forum members or individuals who have agreed/requested to receive them
  • ensure that the Data Protection Officer has sight of all new projects and business activities to consider whether data protection issues arise and to include Privacy By Design as appropriate;
  • take appropriate technical and organisational security measures to safeguard personal data;
  • ensure that personal data is not transferred outside the European Economic Area without suitable safeguards.

In addition, NESTRANS will ensure that:

  • there is a designated Data Protection Officer for the organisation;
  • everyone managing and handling personal data understands that they are contractually responsible for following good data protection practice
  • everyone managing and handling personal data is appropriately trained to do so
  • anyone wishing to make enquiries about handling personal data knows what to do
  • queries about handling personal data are competently and courteously dealt with
  • methods of handling personal data are clearly described
  • an annual review and audit is made of the way personal data is managed
  • methods of handling personal data are annually assessed and evaluated; and
  • performance in handling personal data is regularly assessed and evaluated as part of the Records Management Plan.

If your information is being collected for use by Aberdeenshire Council, it is for the following purposes:

Payables: To allow Aberdeenshire Council to make payments to you, if and when they become due

Your information will be shared with the following recipients or categories of recipient:

HM Revenue and Customs, National Fraud Initiative, Spikes Cavell, Sheriff Officers and Debt Collection Agencies and the Department for Work and Pensions

The retention period for the data is 7 years.


Receivables: To allow Aberdeenshire Council to collect payments from you, if and when they become due.

Your information will be shared with the following recipients or categories of recipient:

HM Revenue and Customs, National Fraud Initiative, Spikes Cavell, Sheriff Officers and Debt Collection Agencies and the Department for Work and Pensions

The retention period for the data is 7 years. If legal action has been sought and a decree is granted, all information will be retained until the debt is paid in full.


DATA RIGHTS

NESTRANS will ensure individuals’ rights are respected with regard to their personal data. Rights under GDPR include:

  • anyone wishing to make enquiries about handling personal data knows what to do
  • queries about handling personal data are competently and courteously dealt with
  • methods of handling personal data are clearly described
  • a regular review and audit is made of the way personal data is managed
  • methods of handling personal data are regularly assessed and evaluated
  • performance in handling personal data is regularly assessed and evaluated
  • the right to rectify or restrict inaccurate data
  • the right to erase data or to data portability in certain circumstances
  • the right to challenge processing reliant on legitimate interests or public interest
  • the right to make a complaint to the UK Information Commissioner.

All requests relating to GDPR rights must be directed to the Data Protection Officer and/or the Scottish Commissioner, who will ensure that appropriate actions are taken and a response issued without undue delay and, except in certain circumstances, within one month at the latest.

PERSONAL DATA BREACHES

Any incident which may impact on the confidentiality, integrity or availability of personal data held by NESTRANS must be reported immediately to the Data Protection Officer.

The Data Protection Officer will record the incident, ensure appropriate mitigation measures are in place and consider whether the incident is a personal data breach which presents a risk to individuals.

The Data Protection Officer will present a report to the Partnership Director including, if appropriate, a recommendation on whether to report a breach to the Information Commissioner’s Office within 72 hours of NESTRANS becoming aware of the incident.

If the Partnership Director decides that an incident constitutes a reportable breach, the Data Protection Officer will report the incident to the ICO and liaise as appropriate. Affected data subjects may also need to be informed if there is a high risk to their rights and freedoms as a consequence of the data breach.

GENERAL

This document states NESTRANS’s primary, general policy with regard to Data Protection. NESTRANS also has policies, procedures and guidance, as appropriate, for specific types of data maintenance and data type. Additional data specific policies, procedures and guidance will be adopted as and when necessary.

REVIEW

This policy will be reviewed annually, along with our Records Management Plan, to take account of developments within NESTRANS and legislative requirements.


Use of personal data at NESTRANS

This document describes how NESTRANS uses personal data (information relating to individuals).

NESTRANS is a Data Controller (ICO Registration Number Z966516X), which means we are responsible in law for how we use any personal information.

Our Data Protection Officer, Kelly Wiltshire can be contacted with any concerns or requests relating to our use of personal data:

Kelly Wiltshire

Transport Executive Travel Plan and Delivery

Archibald Simpson House

27-29 King Street

Aberdeen

AB24 5AA

Telephone: 01224 346680
Email: Nestransinfo@Nestrans.org.uk


Why does NESTRANS process personal data?

NESTRANS processes a minimal amount of personal data in the exercise of our official authority under the Transport (Scotland) Act 2005 including:

  • Administration of the partnership
  • Development and publication of regional transport strategies
  • Consultation, promotion and communication on issues relating to sustainable and efficient transport in the partnership area
  • Administration of projects and grant schemes

NESTRANS also processes personal data relating to its staff to meet our legal obligations as an employer (including in connection with employment law, social security and social protection law) and for the performance of our contracts of employment with our staff. This may include processing some special categories of personal data such as health information.

What personal data does NESTRANS process?

The personal data NESTRANS processes includes:

  • For the public: Names and contact details for individuals responding to consultations, raising concerns or complaints or attending events
  • For staff: Name and contact details, banking details for payroll management; performance and health information for employment administration and contract purposes
  • For suppliers and contractors: Names and contact details for the management of the supplier relationship; bank details of sole traders for the purposes of making payments
  • For Forum members, consultative and other groups/meetings that NESTRANS chairs or administers: Names and contact details for the administration of meetings and the distribution of information on NESTRANS activities
  • For partnership board members: Name and contact details; banking details for payment of expenses; records of views expressed and of attendance at and contributions to meetings.

NESTRANS undertakes no automated decision making affecting individuals or profiling of personal data.

With whom will NESTRANS share personal data?

The following organisations will receive personal data as necessary from NESTRANS:

  • Microsoft UK are data processors, hosting NESTRANS’s IT systems on Microsoft Office 365 Version 2016; this is arranged via Aberdeen City Council, who manage our ICT
  • Partner local authorities or the Scottish Public Sector Ombudsman may receive data relating to complainants or correspondents where correspondence from the public should appropriately be redirected to the authority or SPSO
  • Aberdeenshire Council will receive personal data relating to employees and contractors for the purposes of the management of our payroll and for financial management, which they provide on our behalf
  • Aberdeenshire Council will receive personal data relating to staff and job applicants for the purposes of the human resources management support they provide on our behalf

NESTRANS will put appropriate written arrangements in place with these organisations to protect your personal data.

NESTRANS transfers no personal data outside the European Economic Area. Microsoft hosts data on our behalf on servers within the UK and the European Union.

How long does NESTRANS retain personal data?

Personal data is managed in line with our records retention policy. For example, consultation responses are retained for five years before being securely deleted.

Your Rights to personal data

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

These rights are subject to certain caveats and exemptions under GDPR.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

To exercise these or any of your rights under GDPR, please contact the Data Protection Officer using the details above.

For more information on data rights see the website of the Information Commissioner’s Office.

Complaints or concerns relating to NESTRANS’s use of personal data

If you have any concerns relating to NESTRANS’s management of personal data, you can raise them with the Data Protection Officer, Kelly Wiltshire, at the contact details above.

If you remain dissatisfied you can complain to the Information Commissioner’s Office by phoning their helpline on 01334 464610, by using their online portal for raising concerns or by post at:

Scottish Information Commissioner
Kinburn Castle
Doubledykes Road
St Andrews
Fife
KY16 9DS

Version 1, 23 May 2018