Information Security Policy

2. Data Protection

2.1. Data protection principles

The LGSCO is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (“DPA18”).

The UK GDPR requires that six data protection principles be followed when handling personal data. These principles require that personal data must be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes;… (‘purpose limitation’)
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; … (‘storage limitation’)
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss or destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

2.2. ‘Personal data’

The UK GDPR only applies to information that constitutes ‘personal data’. For the purposes of the Regulation, Article 4 states that:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

In short, this means personal data is any information the LGSCO has that is about someone who is alive and who can be recognised or identified from the information.

Article 2 states that:

This Regulation applies to the processing of personal data wholly or partly by automated means and to processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.3. The use of personal information

The UK GDPR applies to personal information that is ‘processed’. ‘Processing’ means:

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

In short, this means anything the LGSCO does with information about people, whether on a computer, on the phone, or in printed material. This includes recording, amending, storing and destroying information, which is the day-to-day work of the LGSCO.

Data protection and how we manage personal data is covered in our Privacy Notices, which are available in ECHO and on our website.

2.4. ‘Special categories’ of personal data

Article 9 of the UK GDPR sets out special categories of personal data (previously ‘sensitive personal data’) as:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs 
  • personal data revealing trade union membership 
  • genetic data
  • biometric data used for the purpose of uniquely identifying a natural person
  • data concerning health 
  • data concerning a natural person’s sex life or sexual orientation

Article 10 of the UK GDPR covers the processing of personal data about criminal convictions and offences or related security measures. It needs to be read with the DPA18, which includes:

  • the alleged commission of any criminal offence, and
  • proceedings for any offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing. 

The DPA18 also allows processing of this data where it is necessary for the purposes of the exercise of a function conferred on a person by an enactment (i.e. conferred on the LGSCO). 

The LGSCO will process special categories of personal data in accordance with the six data protection principles. Some HR information is likely to be special category personal data. Sensitive casework information may also be special category personal data, for example where HIV/AIDS is a central issue.
