Privacy Policy

Who we are

Our website address is: http://lydneytownhall.org.

What personal data we collect and why we collect it

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Contact forms

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Who we share your data with

We do not share your data.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Your contact information

You may contact us by leaving a comment on the comment form. Your comment will be read by the site administrator only; messages to us will not be subsequently published on the website.

Additional information

How we protect your data

We’re serious about guarding the security of your personal information. We take appropriate organisational and technical security measures to protect your data against unauthorised disclosure or processing. We use a secure server to store the information you give us when you register or make a comment.

Your account information and credentials – like passwords – are confidential. Make sure you keep this information safe, and don’t share it with anyone else.

What data breach procedures we have in place

Introduction

Lydney Town Hall Trust (the ‘Town Hall’) collects, holds and processes limited personal data (email address and username), a valuable asset that needs to be suitably protected. Every care is taken to protect personal data from incidents (either accidental or deliberate) to avoid a data protection breach that could compromise security. Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.

Purpose and Scope

The Town Hall is obliged under Data Protection legislation to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.
This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the Town Hall.
This policy relates to all personal data held by the Town Hall on its website, regardless of format.
This policy applies to all Trustees, Committee members and Staff at the Town Hall. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of, the Town Hall.
The objective of this policy is to contain any breaches, to minimise the risk associated with the breach and to consider what action is necessary to secure personal data and prevent further breaches.

Definitions / Types of breach

For the purpose of this policy, data security breaches include both confirmed and suspected incidents.
An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the Town Hall information assets and / or reputation.

An incident includes, but is not restricted to, the following:

  • Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);
  • Equipment theft or failure;
  • System failure;
  • Unauthorised use of, access to or modification of data or information systems;
  • Attempts (failed or successful) to gain unauthorised access to information or IT system(s);
  • Unauthorised disclosure of sensitive / confidential data;
  • Website defacement;
  • Hacking attack;
  • Unforeseen circumstances such as a fire or flood;
  • Human error;
  • Offences where information is obtained by deceiving the organisation which holds it.

Reporting an incident

Any individual who accesses, uses or manages the Town Hall's information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer (via the website contact form).
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
The report must include full and accurate details of the incident: when the breach occurred (dates and times), who is reporting it, whether the data relates to people, the nature of the information, and how many individuals are involved.
All Town Hall staff (trustees, volunteers and paid) should be aware that any breach of Data Protection legislation may result in removal of that person's access to the Town Hall's data.

Containment and recovery

The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
An initial assessment will be made by the DPO in liaison with the trust and committee to establish the severity of the breach and who will take the lead investigating the breach, as the Lead Investigation Officer (this will depend on the nature of the breach; in some cases it could be the DPO).
The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
Advice from experts across the Town Hall may be sought in resolving the incident promptly.
The LIO, in liaison with the trust, will determine the suitable course of action to be taken to ensure a resolution to the incident.

Investigation and risk assessment

An investigation will be undertaken by the LIO immediately and, wherever possible, within 24 hours of the breach being discovered / reported.
The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:

  • The type of data involved;
  • Its sensitivity;
  • The protections in place (e.g. encryption);
  • What has happened to the data (e.g. has it been lost or stolen);
  • Whether the data could be put to any illegal or inappropriate use;
  • Data subject(s) affected by the breach, the number of individuals involved and the potential effects on those data subject(s);
  • Whether there are wider consequences to the breach.

Notification

The LIO and / or the DPO, in consultation with relevant colleagues, will establish whether the Information Commissioner’s Office will need to be notified of the breach, and if so, notify them within 72 hours of becoming aware of the breach, where feasible.
Every incident will be assessed on a case by case basis; however, the following will need to be considered:

  • Whether the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms under Data Protection legislation;
  • Whether notification would assist the individual(s) affected (e.g. could they act on the
    information to mitigate risks?);
  • Whether notification would help prevent the unauthorised or unlawful use of personal
    data;
  • Whether there are any legal / contractual notification requirements;
  • The dangers of over notifying. Not every incident warrants notification and over
    notification may cause disproportionate enquiries and work.

Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and will include what action has already been taken to mitigate the risks.
Individuals will also be provided with a way in which they can contact the Town Hall for further information or to ask questions on what has occurred.
The LIO and / or the DPO must consider notifying third parties such as the police, insurers, banks, credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
The LIO and / or the DPO will consider whether the Communications Team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
A record will be kept of any personal data breach, regardless of whether notification was required.

Evaluation and response

Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
The review will consider:

  • Where and how personal data is held and where and how it is stored;
  • Where the biggest risks lie, including identifying potential weak points within existing security measures;
  • Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared;
  • Staff awareness;
  • Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security.

If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Town Hall Trust.

Policy Review

This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.
This policy was last reviewed in May 2018. The policy is displayed on the Town Hall trust notice board in the main office.

What third parties we receive data from

The Town Hall website receives no data from third parties.

What automated decision making and/or profiling we do with user data

The Town Hall website performs no profiling on user data.