Information about Covid19:
Please read our information on how we are supporting residents and businesses, as well as information on affected services.

Data Protection Policy Statement


To ensure the directorates apply appropriate measures to comply with the eight principles of the Data Protection Act 1998, summarised below, and so meet the Council’s statutory requirements and mitigate against penalties applied under the Act.

Continue reading

Personal information (data relating to a living individual) -

  • must be processed data fairly and lawfully
  • must be obtained for one or more specific and lawful purposes and only processed in a manner compatible with them
  • must be adequate, relevant and not excessive for the purposes defined
  • must be accurate and where necessary kept up to date
  • shall not be kept for longer than is necessary
  • must be processed in accordance with the data subject’s rights
  • must be kept secure
  • must not be transferred outside the European Economic Area unless there is adequate protection for the rights of data subjects

All directorates of the Council excluding Schools

Cornwall Council regards the lawful and correct treatment of personal information as very important to successful operations and to maintaining the confidence of those with whom we deal. We will always do our utmost to ensure that our organisation treats personal information lawfully and correctly.

To this end we fully endorse and adhere to the Principles of Data Protection as enumerated in the Data Protection Act 1998.

There is a Data Protection Officer who will:

  • maintain a register of electronic and manual personal records and arrange for the Council’s notification with the Information Commissioner’s Office
  • monitor and report on the processing of Subject Access Requests within the directorates
  • audit the Council’s compliance with this policy and report to the Council Leadership Team on whether the objectives are met

It will be the responsibility of each Corporate Director (or delegated officer) to:

  • ensure their Directorate’s compliance with the Data Protection Act and implement agreed work and training programmes for Data Protection
  • arrange for Subject Access Requests to be carried out within their Directorate
  • arrange with Human Resources to ensure data protection training is included at induction and that training is monitored
  • identify and record information asset owners who keep personal data within their Directorate
  • disseminate guidance to information asset owners within their Directorate
  • ensure that information asset owners are trained in the principles of the Act and the procedures for their implementation within the Council
  • Undertake other Data Protection tasks assigned by the Data Protection Officer 
  • police this policy

It will be the responsibility of each information asset owner to:

  • inform their Directorate’s Data Protection Representative and the Data Protection Officer of existing records and proposals to process personal information for the register
  • ensure that they receive training on the Data Protection Act
  • ensure that the data custodians assigned to their datasets are made aware of the standards applicable to their datasets and monitor their adherence.

As data custodians, it is everyone’s responsibility to:

  • ensure any specific responsibilities for Data Protection are recorded in their role profile
  • understand and implement the eight Data Protection Principles

The Data Protection Officer will record Subject Access Requests and any complaints in respect of the Act, and will report to Council Leadership Team any recommendations for changes to the policy.

The policy must be reviewed 3 months prior to new legislation taking effect.

Cornwall Council is working towards compliance with the new General Data Protection Regulation coming into force on 25 May 2018.  The Corporate and Information Governance Team is overseeing the work across Directorates and Services. 

Individual services are working towards compliance in a number of key areas:

  • Reviewing the lawful bases for processing personal data;
  • Reviewing privacy notices;

The Corporate and Information Governance Team is working towards or has completed the following work:

  • We have appointed a Data Protection Officer (
  • Reviewing policies and procedures;
  • Reviewing our Information Asset Register;
  • Identifying higher risk processing activities and carrying out Privacy Impact Assessments;
  • Reviewing contracts and updating information governance contract clauses;
  • Working with software suppliers to ensure that systems we use are compliant; and
  • Working with our IT service to ensure that in-house systems are compliant.

We will post an updated statement of compliance when further work has been done.

Information Asset Owner - a person within the Council who establishes standards for a set of data. The standards cover the structure of elements of the data, the retention period, the indexing, the access, the security measures etc. Data Custodian-a person (not necessarily in the Council) who adds, amends, disposes, archives, or allows access to data, according to the standards set by the Information Asset Owner.