Oak Tree in the College Valley, Northumberland National Park

Data Protection Policy

Objective

We aim to  provide user guidance on the processing of personal data for the Authority to enable staff to meet the legal requirements placed on them as employees of a public body.

Introduction

It is necessary for the Authority to process personal data in the normal and proper day to day operations.

Such processing will be conducted fairly and lawfully in accordance with the Data Protection Act 1998.

If you have a query regarding the accuracy of your personal data then your query will be dealt with fairly and impartially.

General Use of Personal Data
The National Park Authority holds data on: prospective, current and former staff; prospective, current and former members; other business, farming and academic contacts; and other individuals interested in the Authority.

This personal data is held in a variety of formats, electronic and manual.

The processing of personal data is subject to the rules laid down under the Data Protection Act 1998. Your personal data will be used only for proper purposes that are considered by the Authority to be for your benefit.

For staff this will include (but not be restricted to) the conduct of normal business management and employment matters.

For other individuals this will include (but not be restricted to) the normal conduct of National Park Authority and business relationships.

The protection of your personal data will be governed by the provisions of the Data Protection Act 1998. Access to your data will be restricted to those personnel to whom it is necessary and for proper purposes.

The Authority will not sell your personal data to third parties. Your personal data will only be transferred to third parties where this is for proper purposes, for example where this is required by professional bodies, government or where it is necessary for the delivery of services by third parties to you.

The Principles of Data Protection

There are eight Data Protection principles set out under the Act. In summary they are that personal data should be:

  • Obtained and processed fairly and lawfully - Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the data controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
  • Held and used only for specified purposes - Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes. Data obtained for specified purposes must not be used for a different purpose.
  • Adequate, relevant and not excessive - Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held. Information, which is not strictly necessary for the purpose for which it is obtained, should not be collected. If data are given or obtained which are excessive for the purpose, they should be immediately deleted or destroyed.
  • Accurate and kept up to date - Personal data shall be accurate and, where necessary, kept up to date. Data, which are kept for a long time, must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the Authority are accurate and up-to-date. Completion of an appropriate registration or application form etc will be taken as an indication that the data contained therein is accurate. Individuals should notify the Authority of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the Authority to ensure that any notification regarding change of circumstances is noted and acted upon.
  • Kept only for as long as is necessary - Personal data shall be kept only for as long as necessary. See Data Retention Policy.
  • Processed according to the Act - Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
  • Held securely - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
  • Held within the European Economic Area - Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The National Park Authority is registered as a Data Controller under the Act and will adhere to these principles and the guidelines set out by the Information Commissioner

Consent

The Authority seeks to use your personal data only for the purposes of legitimate interests and, where practicable, with your consent.

For officers and directors, it is a condition of employment that you consent to the Authority processing your personal data. By applying you signify your agreement.

For other individuals, the Authority may gather your data during the course of normal National Park Authority activities. It will be used only for legitimate interests.

You have the right to know what personal data the Authority holds about you and for this to be correct. Procedures for the management of personal data are in place and enquiries may be made as set out below.

Sensitive Personal Data

Sensitive personal data is defined under the Act to include such matters as personal beliefs and health.

If the Authority holds Sensitive Personal Data about you then this will only be disclosed with your explicit consent or if required by law.

Data Subject Rights

Data Subjects have the following rights regarding data processing, and the data that are recorded about them:

  • To make subject access requests regarding the nature of information held and to whom it has been disclosed
  • To prevent processing likely to cause damage or distress
  • To prevent processing for purposes of direct marketing
  • To be informed about mechanics of automated decision taking process that will significantly affect them
  • Not to have significant decisions that will affect them taken solely by automated process
  • To sue for compensation if they suffer damage by any contravention of the Act
  • To take action to rectify, block, erase or destroy inaccurate data
  • To request the Commissioner to assess whether any provision of the Act has been contravened.

Accessing Your Personal Data

You have the right to see the personal data that the Authority holds about you and for that data to be corrected if it is incorrect.

Minor requests about your personal data may be dealt with informally in the course of normal administration, at the sole discretion of the National Park Authority.

If you wish to make a formal request for access to your personal data then this should be made in writing to the Authority. There is a fee for this service which must be paid for in advance.

If you wish to exercise your rights of access to your personal data processed by Northumberland National Park Authority then please contact the coordinator in writing at:

Northumberland National Park Authority
Eastburn, South Park
Hexham  Northumberland
NE46 1BS

© Northumberland National Park Authority, Eastburn, South Park, Hexham, Northumberland, NE46 1BS, United Kingdom
Tel: +44 (0)1434 605555 Fax: +44 (0)1434 611675 Email: enquiries@nnpa.org.uk