Glasgow City Council statement on GDPR compliance

This page sets out the position of Glasgow City Council on implementing the General Data Protection Regulation (GDPR) and associated Data Protection Bill.  The steps and measures set out below have also been adopted by the council's arms' length external organisations ("ALEOs").

1:  Lawfulness, fairness and transparency

All data flows into and out of the council are being assessed to determine the legal basis under which that data is processed and the results of the assessment are being documented.  We are satisfied that we will have a legal basis for holding the personal data we hold, and that we will also have a valid legal basis for disclosing this personal data to third parties where this happens.  Privacy notices are presently being drafted to comply with GDPR requirements (and to reflect the legal basis of processing) and will be in place by 25 May 2018.  Please see www.glasgow.gov.uk/privacy for further details.  We are presently updating our data processor agreements and data sharing agreements to reflect the new legal requirements.

2:  Purpose limitation

The purposes for which data are collected are clearly set out in the relevant privacy statements.  This includes reference to further use of data for internal management information purposes.  A limited set of data is required for research and archiving purposes; the council has put in place appropriate safeguards for these activities as required by Article 89 of the GDPR.

3:  Data minimisation

In assessing the data flows, the council has also taken the opportunity to critically assess the need for each of the data fields in question and where superfluous data was being captured, we have now stopped capturing this.

4:  Accuracy

The council is continually checking data for accuracy and, where any inaccuracies are discovered, these are promptly corrected and any third party recipients of the inaccurate data notified of the correction.

5:  Storage limitation

The council only keeps personal information for the minimum period amount of time necessary.  Sometimes this time period is set out in the law, but in most cases it is based on business need.  We maintain a records retention and disposal schedule which sets out how long we hold different types of information for.   You can view this on our website at www.glasgow.gov.uk/rrds.  The City Archives are held subject to appropriate safeguards in terms of Article 89.

6:  Integrity and confidentiality:

The council has an approved Information Security Policy which sets out roles and responsibilities within the organisation in relation to information security.  All staff are required to take information security training and this is refreshed annually.  Our ICT systems have appropriate protective measures in place incorporating defence in depth and the systems are subject to external assessment and validation.  We have policies and procedures in place to reduce the information security risks arising from use of hard copy documentation.

Overall, the council has established a major GDPR implementation programme which is well underway, including an ongoing series of activities designed to raise awareness of staff to the changes in data protection.  The programme reports to our top management and we are confident that we will be compliant with the new legislation on 25 May 2018.

Dr Kenneth Meechan
Head of Information and Data Protection Officer,
Glasgow City Council and ALEOs
20 April 2018