
Devon and Torbay Combined County Authority Data Protection Policy

Version

Version: 1.0
Policy Date: 16 June 2025

Approved by: Sean Anstee
Date: 16 June 2025
Next review date: 16 June 2026

1. Introduction and purpose 

  1.1 This policy sets out the Devon & Torbay Combined County Authority’s (DTCCA’s) commitment to handling personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and associated laws governing the processing of personal data in the UK.
  1.2 The DTCCA is the data controller for the personal data it processes and is registered with the Information Commissioner’s Office (ICO) under registration number ZB894252. Details about this registration can be found at www.ico.org.uk.
  1.3 The purpose of this policy is to explain how the DTCCA handles personal data under data protection legislation and to inform staff and other individuals who process personal data on the DTCCA’s behalf of its expectations.

2. Scope 

  2.1 This policy applies to the processing of personal data as defined by Article 4 of the UK GDPR, and to the processing of special categories of personal data defined by Article 9 of the UK GDPR.
  2.2 This policy, and its supporting guidance, shall apply to the processing of all personal data held by the DTCCA. This includes personal data held about employees and any other identifiable data subjects.
  2.3 The DTCCA processes a variety of personal data to enable it to deliver a range of services. It is, therefore, required to comply with the UK GDPR as well as other supporting legislation which governs the processing of personal data in the UK.
  2.4 When handling and managing information, the DTCCA and its staff shall comply with other legislation in addition to the UK GDPR, including, but not limited to:

3. Definitions 

There are several terms used within data protection legislation and within this policy, which must be understood by those who process personal data held by the DTCCA. These are: 

  • Personal data  
  • Special categories of personal data 
  • Processing 
  • Data subject 
  • Data controller  
  • Data processor 
  • Personal data breach 

These terms are explained in Appendix 1.

4. Roles and responsibilities 

4.1 Senior Management Team

  4.1.1 The Senior Management Team has overall responsibility for ensuring that the DTCCA implements this policy and continues to demonstrate compliance with data protection legislation.
  4.1.2 This policy shall be reviewed by the Senior Management Team, in conjunction with the Data Protection Officer (DPO), on an annual basis.

4.2 Data Protection Officer (DPO)

  4.2.1 The DPO is responsible for carrying out the tasks set out in Article 39 of the UK GDPR. In summary, the DPO is responsible for:
  • Informing and advising the DTCCA of its obligations under UK data protection legislation.
  • Monitoring compliance with data protection legislation and data protection policies, including the protection of personal data and assignment of responsibilities.
  • Raising awareness and delivering training to staff.
  • Carrying out audits on the DTCCA’s processing activities.
  • Providing advice regarding Data Protection Impact Assessments (DPIAs) and ensuring these are reviewed annually.
  • Co-operating with and acting as a contact point for the Information Commissioner’s Office (ICO).
  • Acting as the contact point for data subjects exercising their rights.
  4.2.2 The DPO shall report directly to the Senior Leadership Team and shall provide regular updates on the DTCCA’s progress and compliance with UK data protection legislation.
  4.2.3 The DTCCA’s DPO is Jenny Goodall, who can be contacted by email at DTCCA Data Protection.

4.3 Staff, temporary staff, contractors, visitors

  4.3.1 All staff, temporary staff, contractors, visitors, and other individuals processing personal data on behalf of the DTCCA are responsible for complying with the contents of this policy and supporting standards.
  4.3.2 All individuals shall remain subject to the Common Law Duty of Confidentiality when their employment or relationship with the DTCCA ends. This does not affect an individual’s rights in relation to whistleblowing.
  4.3.3 Failure to comply with this policy may result in disciplinary action or termination of employment or service contract.
  4.3.4 All individuals handling the DTCCA’s data shall be made aware that unauthorised access, use or sharing of data may constitute a criminal offence under the Data Protection Act 2018 and/or the Computer Misuse Act 1990.

5. Policy content 

5.1 Data Protection Principles

The UK GDPR provides a set of principles which govern how the DTCCA handles personal data. In summary, these principles state that:

  • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’). 
  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  • Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). 
  • Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (‘accuracy’). 
  • Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 
  • A data controller shall be responsible for, and be able to demonstrate compliance with, each of the data protection principles (‘accountability’). 

5.2 Lawful, fair and transparent processing of personal data

  5.2.1 Personal data will only be processed where there is a lawful basis for doing so. This will be where at least one of the following applies:
  • The data subject has given consent.
  • It is necessary for the performance of a contract or entering into a contract with the data subject.
  • It is necessary for compliance with a legal obligation.
  • It is necessary to protect the vital interests of a person.
  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official duties.
  • It is necessary for the legitimate interests of the DTCCA (where applicable) or a third party, except where such interests are overridden by the interests or rights of the data subject.

Any unlawful processing of personal data is a violation of this Policy and will be investigated in accordance with the DTCCA’s processes and procedures. 

  5.2.2 When special categories of personal data are processed (for example, health or medical data, racial or ethnic origin, or biometric data such as facial images and fingerprints), this shall only be done where a lawful basis has been identified from the list above, and one from the following list:
  • The data subject has given explicit consent.
  • The processing is necessary for the purposes of exercising or performing any right or obligation which is imposed on the DTCCA in relation to employment, social security and social protection law (e.g. safeguarding individuals at risk; protection against unlawful acts; prevention of fraud).
  • It is necessary to protect the vital interests of any person where the data subject is physically or legally incapable of giving consent.
  • The data has been made public by the data subject.
  • The processing is necessary for the establishment, exercise, or defence of legal claims.
  • The processing is necessary in the substantial public interest.
  • The processing is necessary for health or social care purposes.
  • The processing is necessary for public health.
  • The processing is necessary for archiving, research, or statistical purposes.
  5.2.3 Consent – Most of the DTCCA’s processing of personal data will not require consent from data subjects, as the DTCCA needs to process this data in order to carry out its official tasks and public duties as a Combined County Authority.
  5.2.4 However, where consent is required, we will ensure that the following requirements are met:
  • The consent is freely given.
  • The person giving consent understands fully what they are consenting to.
  • There must be a positive indication of consent (opt-in as opposed to opt-out), and consent shall not be assumed as being given if no response has been received.
  • The person giving consent will be able to withdraw their consent at any time.
  • Consent shall be documented so that it may be referred to in the future, if necessary.
  5.2.5 Children under the age of 13 years merit specific protection regarding the use of their personal data. Such specific protection should apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles, and to the collection of personal data regarding children when using services offered directly to a child.
  5.2.6 If the DTCCA is required to deliver such services to children, it will ensure that the requirements of Article 8 of the UK GDPR are met.
  5.2.7 The DTCCA shall ensure that where consent is obtained, there is a record of this. Where possible, consent shall be obtained in writing. All forms requesting consent shall include a statement informing the person of their right to withdraw, and an email address so they may notify the DTCCA of any changes or withdrawal of consent.
  5.2.8 Fairness and transparency – The DTCCA shall be fair, open, and transparent in the way it handles personal data, and will publish privacy notices which explain:
  • What personal data is being processed and the reasons why.
  • What our lawful basis is when we process that data.
  • Who we might share that data with.
  • If we intend to transfer the data abroad.
  • How long we intend to retain the data.
  • What rights data subjects have in relation to their data and how to exercise these.
  • Who our DPO is, and how to contact them.
  5.2.9 The DTCCA’s privacy notices shall be clear, concise, easily accessible, and published on its website. All forms collecting personal data shall include reference to the DTCCA’s privacy notices and a link to their location.
  5.2.10 Staff will be given a privacy notice explaining how the DTCCA handles employee information when they join the DTCCA, and will be directed to this annually thereafter.
  5.2.11 The DTCCA shall provide privacy notices to other categories of data subjects, as appropriate.

5.3 Purpose limitation

The DTCCA shall collect personal data for specified (for example, as described in the DTCCA’s privacy notices), explicit and legitimate purposes and shall not process this data in any way that would be considered incompatible with those purposes (for example, using the data for a different and unexpected purpose).

5.4 Data minimisation

The DTCCA shall ensure the personal data it processes is adequate, relevant, and limited to what is necessary for the purpose(s) it was collected for.

5.5 Accuracy of data 

The DTCCA shall take all reasonable efforts to ensure the personal data it holds is accurate and where necessary, kept up to date. Where personal data is found to be inaccurate, this information will be corrected or erased without delay.

5.6 Storage limitation and disposal of data

  5.6.1 The DTCCA shall keep personal data for no longer than is necessary for the purpose(s) of the processing. The DTCCA shall maintain and follow a Record Retention Schedule, which sets out the timeframes for retaining personal data. This schedule shall be published alongside the DTCCA’s privacy notices on the website.
  5.6.2 The DTCCA shall designate responsibility for record disposal/deletion to nominated staff, who shall adhere to the DTCCA’s Record Retention Schedule and ensure the timely and secure disposal of the data.

5.7 Security of personal data 

The DTCCA shall have appropriate security in place to protect personal data against unauthorised or accidental access, disclosure, loss, destruction, or damage. This will be achieved by implementing appropriate technical and organisational security measures.

5.8 Technical security measures 

  5.8.1 The DTCCA shall implement proportionate security measures to protect its network and equipment and the data they contain. This includes, but is not limited to:
  • having a firewall, anti-virus, and anti-malware software in place
  • applying security patches promptly
  • restricting access to systems on a ‘need to know’ basis
  • enforcing strong password policies; passwords shall be a minimum of 8 characters in length, changed at appropriate intervals and not shared or used by others
  • the use of two factor or multi factor authentication (2FA / MFA) where appropriate, for example on accounts containing sensitive personal data
  • encrypting laptops, USB/memory sticks and other portable devices or removable media containing personal data
  • regularly backing up data
  • regularly testing the DTCCA’s disaster recovery and business continuity plans, to ensure data can be restored in a timely manner in the event of an incident

5.9 Organisational security measures

  5.9.1 The DTCCA will ensure the following additional measures are also in place to protect personal data:
  • Staff shall sign confidentiality clauses as part of their employment contract.
  • Data protection awareness training shall be provided to staff during induction and annually thereafter.
  • Cyber security training, guidance or advice shall be provided to staff on a regular basis.
  • Policies and guidance shall be in place relating to the handling of personal data both within and outside of the DTCCA. These will be communicated to staff and other individuals as necessary, including policy revisions. A policy declaration shall be signed by staff and retained on their personnel file.
  • Data protection compliance shall be a regular agenda item in the DTCCA’s Senior Leadership Team meetings.
  • Cross-cutting shredders and/or confidential waste containers will be available on the DTCCA’s premises and used to dispose of paperwork containing personal data.
  • Appropriate equipment and guidance will be available for staff to use and follow when carrying paperwork off DTCCA premises.
  • The DTCCA’s buildings, offices and any other locations shall be locked when not in use.
  • Paper documents and files containing personal data shall be locked in cabinets/cupboards when not in use, and access restricted on a need to know basis.
  • Procedures shall be in place for visitors coming onto the DTCCA’s premises. These will include signing in and out at reception, wearing a visitor’s badge and being escorted by a DTCCA employee, where considered appropriate.
  • The DTCCA shall have procedures in place to identify, report, record, investigate and manage personal data breaches in the event of a security incident.

5.10 Rights of Data subjects 

  5.10.1 Chapter 3 of the UK GDPR outlines the rights afforded to individuals in respect of the processing of their personal data. The DTCCA shall comply with all written requests from data subjects exercising their rights without delay, and within one month at the latest.
  5.10.2 Data subjects’ rights are summarised below:
  • The Right to Transparency – the right to be informed about the use, sharing and storage of their data.
  • The Right to Access – the right to request access to the personal data the DTCCA holds about them and receive a copy of this information.
  • The Right to Rectification – the right to request that inaccurate or incomplete data be rectified.
  • The Right to Erasure – the right to request that personal data held be deleted when it is no longer required.
  • The Right to Data Portability – the right to receive data in a format which enables easy transfer to another organisation or individual if required.
  • The Right to Restriction of Processing – the right to request, in certain circumstances, that the processing of personal data be restricted.
  • The Right to Object to Processing – the right to object to the DTCCA using personal data for direct marketing purposes.
  • The Right to Request Human Intervention – where processing or decision making is carried out by automated means.
  5.10.3 Data subjects exercising their rights are recommended to put their request in writing and send it to DTCCA Data Protection. Data subjects can also exercise their rights verbally. In such cases, the DTCCA will promptly write to the data subject outlining the verbal discussion/request and will ask the data subject to confirm this is accurate.
  5.10.4 Data subjects who request a copy of their personal data (known as making a Subject Access Request) may be asked to provide identification to satisfy the DTCCA of their identity and entitlement to the requested data. These requests shall be responded to within one calendar month of receipt of a valid request and appropriate identification (where requested). The deadline to respond can be extended by a further two calendar months where a request is complex; any extension required will be communicated to the data subject.
  5.10.5 When responding to Subject Access Requests, the DTCCA shall redact any information which the data subject is not entitled to receive, in accordance with the exemptions set out in the Data Protection Act 2018.
  5.10.6 When designing, implementing or procuring systems or services, the DTCCA must ensure that those systems or services allow members of the public to exercise any of the rights listed above.

5.11 UK GDPR and Procurement

The DTCCA is committed to upholding the confidentiality, availability and integrity of personal data that is processed by our contractors on our behalf. Underpinning this commitment, we will ensure that the following measures are followed when procuring goods and services that involve the processing of personal data:

  • A Data Protection Impact Assessment (DPIA) is undertaken prior to any procurement which involves the processing of personal data that is likely to result in a high risk to the fundamental rights and freedoms of data subjects. 
  • A security questionnaire is completed by the provider and assessed by the DPO to ascertain the technical and organisational measures that prospective contractors will put in place to protect the data that they will be processing on behalf of the DTCCA. The results will inform the final decision as to whether the DTCCA contracts with that organisation.
  • When procuring goods and services that require a formal procurement exercise, the DTCCA will ensure that contractual provision is in place which clearly identifies who the data controller is and what data is being processed; includes a Record of Processing Activity (RoPA) (in accordance with Article 30 of the UK GDPR); and sets out arrangements for how personal data will be disposed of or returned to the DTCCA at the end of the contract. Appropriate contractual clauses which mandate conformance to UK data protection legislation will also be included.
  • When procuring goods or services that do not require a formal procurement exercise, and which involve the processing of personal data, staff must ensure that the DPO is informed, in order that appropriate due diligence can be undertaken. 

5.12 Record of Processing Activities (RoPA) 

  5.12.1 The DTCCA shall maintain a record of its processing activities in line with Article 30 of the UK GDPR. This inventory shall contain the following information:
  • Name and contact details of the DTCCA and its Data Protection Officer
  • Description of the personal data being processed
  • Categories of data subjects
  • The legitimate basis for processing and additional basis for processing special category data
  • Purposes of the processing and any recipients of the data
  • Information regarding any overseas data transfers and the safeguards around this
  • Retention period for holding the data
  • General description of the security in place to protect the data
  5.12.2 This inventory shall be made available to members of the public, the Information Commissioner’s Office and the DPO on request.
  5.12.3 We will insist through contracts with all data processors that these organisations will document and maintain records of processing as required by Article 30 of the UK GDPR.

5.13 Management of personal data breaches

  5.13.1 The DTCCA shall have procedures in place to identify, report, record, investigate and manage personal data breaches (i.e. when the confidentiality, availability and/or integrity of personal data is put at risk).
  5.13.2 Examples of activities considered to constitute a personal data breach might include information being at risk of or being lost, stolen, disclosed to the wrong recipients (accidentally or deliberately), accessed or attempted to be accessed unlawfully and/or without the permission of the DTCCA, sold or used without the permission of the DTCCA, or where a system containing personal data or sensitive business data malfunctions and the information is irretrievable indefinitely or for a long period of time.
  5.13.3 All personal data breaches and suspected personal data breaches must be reported to the Authority’s DPO immediately, by emailing DTCCA Data Protection or by telephoning 01392 383445.
  5.13.4 All incidents will be recorded in the DTCCA’s data breach log and investigated by the DPO, in conjunction with the Authority’s Data Protection Link Officer.

Notification to ICO and Data Subjects 

  5.13.5 The DPO shall determine whether the DTCCA must notify the Information Commissioner’s Office and data subjects.
  5.13.6 Where a breach is likely to result in a risk to the data subject, for example if they could suffer harm, financial loss, damage, discrimination, disadvantage or distress as a result of the breach, the DTCCA (or the DPO) shall notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR.
  5.13.7 If the breach is likely to result in ‘high risks’ to data subjects, for example if the breach could lead to identity theft, psychological distress, humiliation, reputational damage or physical harm, the DTCCA shall inform the data subject promptly and without delay.
  5.13.8 When informing a data subject of a personal data breach involving their personal data, the DTCCA shall provide in clear, plain language the:
  • nature of the incident;
  • name and contact details of the DPO;
  • likely consequences of the breach;
  • actions taken so far to mitigate possible adverse effects;
  • steps they can take to protect themselves and what the Authority is willing to do to help them.

5.14 Data Protection Impact Assessments (DPIAs) 

  5.14.1 The DTCCA shall carry out DPIAs on all processing of personal data where this is likely to result in high risks to the rights and freedoms of data subjects, particularly when using new technologies. This includes, but is not limited to, the following activities:
  • Installing and using Closed Circuit Television (CCTV)
  • Collecting and using biometric information, such as fingerprints
  • Sharing personal data or special category data with other organisations
  • Using mobile apps to collect or store personal data, particularly about children
  • Any processing which will involve the use of Artificial Intelligence (AI)
  • Storing special category data in the ‘Cloud’
  • Using systems that record large volumes of personal data, particularly where data processors are involved
  5.14.2 The results from DPIAs shall be recorded and shared with the DPO, who will advise on any privacy risks and mitigations that can be made to reduce the likelihood of these risks materialising. The DPO will monitor the outcome of the DPIA, to ensure the mitigations are put in place and that DPIAs are reviewed annually.
  5.14.3 If, following the completion of a DPIA, the DTCCA identifies processing activities assessed as high risk that cannot be mitigated to an acceptable level, it will consult with the Information Commissioner’s Office prior to implementing the proposed processing activity, system or process.

5.15 Data sharing 

  5.15.1 The DTCCA shall adhere to statutory and non-statutory guidance around sharing personal data as set out in the Data Sharing Code of Practice (ICO 2021) and shall only share personal data with individuals who have a legitimate and legal right to view or receive it. A record shall be kept of the data sharing, and the legitimate basis for the sharing identified. Furthermore, all personal data will be shared via secure means.
  5.15.2 Disclosures of personal data shall be proportionate and necessary and made in line with our policies and procedures. All disclosures shall comply with the UK GDPR and associated data protection legislation, the Human Rights Act 1998 and the Common Law Duty of Confidentiality.
  5.15.3 The DTCCA recognises that data protection laws allow organisations to share necessary personal data with third parties to protect the safety or well-being of a child or adult, and in urgent or emergency situations to prevent loss of life or serious physical, emotional or mental harm.

5.16 Disposal of information, media, and equipment 

  5.16.1 Information is stored on a range of systems, media, equipment and on paper. It is important that all of these are disposed of properly and securely at the appropriate time.
  5.16.2 The DTCCA’s Retention Schedule outlines the retention policy that is in place for our various information assets.
  5.16.3 Information, media and equipment must be disposed of appropriately and securely.

5.17 Appointment of a Data Protection Officer

  5.17.1 The DTCCA shall appoint a DPO to oversee the processing of personal data within the DTCCA, in compliance with Articles 37-38 of the UK GDPR. This person shall be designated based on professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the UK GDPR.
  5.17.2 The DTCCA will commit to ensuring that the DPO is sufficiently resourced to undertake the tasks assigned to them under Article 39 of the UK GDPR. The Authority will also ensure that the DPO is consulted on all matters which concern the processing of personal data.
  5.17.3 The DTCCA shall publish the contact details of the DPO and communicate these to the Information Commissioner’s Office.
  5.17.4 The DPO shall act as the single point of contact for the Information Commissioner’s Office (ICO) or other relevant supervisory authorities and will ensure that compliance risks are reported to the highest level of management within the DTCCA as required.
  5.17.5 The DTCCA’s appointed DPO is Jenny Goodall, who can be contacted by email at DTCCA Data Protection, or Tel: 01392 383445.

5.18 Transfers of personal data to third-countries

  5.18.1 The DTCCA shall not transfer personal data to countries outside of the territorial scope of data protection laws (third countries) unless one or more of the following qualifying criteria are met:
  5.18.2 Any transfers of personal data to third countries may be the subject of a Data Protection Impact Assessment prior to the transfer taking place.

6. Policy history 

This Policy is maintained by the DPO and will be reviewed on an annual basis. 

For help in interpreting this policy, please contact the DPO direct at devontorbaycombinedcountyauthoritydata-mailbox@devon.gov.uk or call 01392 383445.

Policy version | Summary of change | Amended or created by | Implementation date
V1.0 | New Data Protection Policy created | DPO | 16 June 2025

Appendix 1: Data Protection Policy Definitions

Term used | Summary definition

Personal data: Personal data means any information relating to an identified or identifiable living individual. This includes a name, identification number, location data, an online identifier, or information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Special categories of personal data: Special categories of personal data mean personal data which reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs and the trade union membership of the data subject. It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health, and data relating to an individual’s sex life or sexual orientation.

Processing: Processing means any operation or set of operations which is performed on personal data, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject: An identifiable, living individual who is the subject of personal data.

Data controller: A data controller is an organisation which determines the purposes and means of the processing of personal data.

Data processor: A data processor is an organisation which processes personal data on behalf of a data controller, on its instruction.

Personal data breach: A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
