3. Data Protection
When local authorities process personal data, they must ensure that they have a power to process the data and that the processing of data under that power is carried out in accordance with data protection law.
The EU General Data Protection Regulation (GDPR) does not apply to the processing of data by competent authorities for the purposes of the execution of criminal penalties including the safeguarding against, and the prevention of, threats to public security. The processing of data in these circumstances is instead covered by the EU Law Enforcement Directive and Part 3 of the Data Protection Act 2018.
Compliance with data protection law is a matter for the local authority and consideration should be given to guidance on applicable data protection law from the Information Commissioner's Office. Local authorities should take their own independent legal advice on the application of data protection law in these circumstances.
Confidentiality underpins all areas of social work practice, and this influences the day-to-day work undertaken by all social service workers. Certain types of information require to be shared between community justice partners and others in order to effectively deliver Community Payback Orders (CPOs) and prevent the risk of harm to others.
Information sharing should only take place when it is considered to be justified, necessary and lawful to do so. If an individual is to be placed with another organisation to complete an unpaid work requirement, for example, the local authority may require to share limited, relevant information about the individual subject to the CPO with the placement provider. This should only be the information which is necessary to arrange and manage the placement. Appropriate arrangements should be in place for processing and storing the data, including arrangements to ensure personal data is stored securely and not kept longer than is necessary.
Individuals should be made aware of their rights in relation to their data, including their right to ask for a copy of it. They should be aware that in considering a subject access request, the local authority will require to comply with the requirements of all relevant data protection law.
It is good practice to have a clear policy on how long personal information relating to CPOs in a local authority area is retained.