Policy summary
The Data Protection Policy provides the framework for ensuring that JNCC meets its legislative obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The policy applies to all processing of personal data carried out by JNCC including processing carried out by joint controllers, contractors, and processors.
The policy ensures that JNCC complies with data protection legislation guided by the six data protection principles, which require that personal data is:
- processed fairly, lawfully and in a transparent manner;
- used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes;
- adequate, relevant, and limited to what is necessary;
- accurate and, where necessary, up to date;
- not kept for longer than necessary; and
- kept safe and secure.
The accountability principle requires that JNCC must be able to show evidence of compliance with the above six principles, and to make sure that we do not put individuals at risk because of processing their personal data.
To meet all these obligations, JNCC has put in place appropriate and effective measures to ensure compliance with data protection law. JNCC staff have access to a number of policies, operational procedures and guidance to give them appropriate direction on the application of the data protection legislation.
JNCC acknowledges that some personal data is more sensitive and is afforded more protection. This is personal data relating to: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data used to identify an individual; health data; sex life and/or sexual orientation; and criminal offence data (convictions and offences).
Information Asset Owners (IAOs) are assigned to each information asset in JNCC. The IAO works within the data and information governance structures in JNCC to manage the use and processing of personal data and to manage and mitigate all associated risks.
Privacy Notices will be published on the jncc.gov.uk website, and changes will be tracked and available when they are made.
All JNCC staff are required each year to undertake training on data protection and security. Additional training is available and can be offered to any other interested staff on request. Regular training and information sharing will be in place to embed a culture of data protection by design and default, to ensure privacy and to increase risk awareness.
JNCC has dedicated staff and clear processes to handle subject access requests and other information rights requests.
JNCC has a procedure to assess processing of personal data that is considered to be high risk and which accordingly needs a Data Protection Impact Assessment (DPIA) carried out before any further use is made of the data. Processes and tools are in place to assist staff in ensuring compliance, and privacy by design is an integral part of any product, project or service offered by JNCC.
The Record of Processing Activities (ROPA) will record personal data processing activities.
JNCC will ensure as necessary that contracts are compliant with UK GDPR.
JNCC, as a public body, will have a Data Protection Officer (DPO) to advise on and monitor compliance with UK data protection legislation. JNCC has opted in to the Department for Environment, Food and Rural Affairs (Defra) Group DPO mechanism and has appointed a Data Protection Manager (DPM) to act as a local point of contact for staff and to liaise with the Group DPO.
1. Introduction
UK data protection legislation covers how personal data is procured, stored, managed, used, and disposed of. Personal data represents characteristics of individuals and can be used to make decisions that will affect people’s lives. Personal data is protected because:
- there is a potential for misuse which could negatively affect individual people and organisations;
- data has an economic value and legislation controls how that value can be accessed, by whom and for what purposes.
JNCC complies with data protection legislation, guided by the data protection principles which require that personal data is:
- processed fairly, lawfully and in a transparent manner;
- used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes;
- adequate, relevant, and limited to what is necessary;
- accurate and, where necessary, up to date;
- not kept for longer than necessary; and
- kept safe and secure.
In addition, the accountability principle requires JNCC to be able to evidence compliance with the other principles.
JNCC will take every reasonable step to ensure that personal information is collected, held and otherwise processed appropriately and that subject rights are upheld.
As part of JNCC’s statutory and corporate functions, special category data and criminal offence data are processed in accordance with the requirements of Articles 9 and 10 of the UK General Data Protection Regulation (UK GDPR) and Schedule 1 of the Data Protection Act 2018 (DPA 2018). There is a separate policy for special category data.
2. Purpose and coverage
This policy provides a framework for how JNCC will meet its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The policy covers JNCC’s collation, management, use and disposal of ‘personal data’. It is part of JNCC’s suite of information management policies which set out the organisation’s approach to good information management practice.
This policy applies to all staff, including staff seconded to JNCC and Committee members.
3. JNCC’s commitment to the data protection principles
3.1. All personal data will be processed lawfully, fairly and in a transparent manner
Personal data, including 'special category data', will only be collected and processed where one or more of the lawful bases in Article 6 UK GDPR applies (and, for special category data, one of the conditions in Article 9). This applies to personal data in all formats, including photographs/images.
JNCC will provide a privacy notice at the point of data capture, where obtaining data directly from the subject, or within one month where obtaining data via a third party. The privacy notice will specify and make explicit the purpose of data collection and details of processing.
JNCC will consider all processing in relation to the rights, interests and expectations of the data subject and will make all intentions open and transparent through the provision of transparency information.
Where processing data relating to children and vulnerable adults, as a matter of good practice, JNCC will:
- run a Data Protection Impact Assessment (DPIA);
- make available a separate privacy notice which is understandable to a child, setting out what we do with their data and their rights;
- where we offer Information Society Services (ISS) to children we will seek parent/guardian consent for the processing and make reasonable effort (taking into account the available technology and the risks inherent in the processing) to ensure the individual giving consent has legal responsibility for the child;
- where we decide not to offer ISS to children, we will make reasonable efforts to ensure that anyone who provides their own consent is at least 13 years old;
- when targeting wider European markets, comply with the age limits applicable in each Member State; and
- adhere to all other instructions and principles under the UK GDPR.
3.2. Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
JNCC will only seek to process personal data in pursuit of its mission and commercial services, in line with the corporate strategy.
The purpose of data collection and use will be specified within the privacy notice provided and a copy will be saved alongside the data for future reference by staff.
JNCC’s collections of personal data and the purpose for processing will be captured within JNCC’s Record of Processing Activities (ROPA) for reference by staff.
3.3. Personal data held will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
A culture of awareness of, and care for, personal data will be generated through staff training, guidance and continuous support and assessment. Staff will be trained to identify the personal data required for the task at hand and ensure they are collecting adequate and relevant information.
JNCC will adopt the concept of 'data protection by design' and 'data protection by default' wherever possible and ensure personal data collection is kept to a minimum and managed appropriately.
3.4. Personal data held will be accurate as provided and, where necessary, kept up to date
Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
Personal data collections will be logged in the ROPA with the retention period and review process specified for reference by staff.
JNCC will hold an annual 'greening' day where staff review their files, in accordance with JNCC’s Retention and Disposal Policy. Information Asset Owners will use JNCC's ROPA to identify the data collections which require review and will action disposal (or anonymisation) as needed.
3.5. Personal data will be stored and processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Personal data will be held in secure IT systems in accordance with the JNCC IT Usage Policy and JNCC Information Management Policy. JNCC will continually monitor, assess and improve security features of its network and organisational processes.
JNCC will run a DPIA when adopting new technologies or where processing personal data is likely to result in a high risk to the rights and freedoms of individuals, for example profiling, decisions with legal or similarly significant effects, or large-scale processing of special categories of personal data. Where the DPIA indicates that a high risk remains after mitigation, JNCC will consult the Information Commissioner's Office (ICO) before the processing starts.
Data will be pseudonymised (identifying elements replaced with codes, with the key that links codes back to individuals held separately and protected) where possible and appropriate.
Biological records will be anonymised before publishing and sharing as a default.
In every case, restricted access to the personal data will be considered in line with the Government Security Classification.
Special categories of data will be identified and treated appropriately and the Data Protection Officer notified in every case.
3.6. Accountability – JNCC is required to take responsibility for how personal data is processed and how the other principles are complied with
JNCC will maintain records of processing activities of special categories of personal data and processing activities which carry risks to the rights and freedoms of the data subjects.
Further detail on JNCC’s accountability measures can be found below in section 5.
4. Individuals' rights
Data protection legislation empowers individuals and gives them greater control over their personal data through the creation of several rights. JNCC will facilitate the exercise of these rights. Active compliance with individuals' privacy rights minimises the risks to individuals as well as to JNCC and protects and improves our reputation.
4.1. Subject Access Requests
Under data protection legislation people have a 'data subject access right' to find out what information is held about them. If someone contacts JNCC to find out what information is held by JNCC about them, the term used is a Subject Access Request (SAR).
All staff are made aware of the data subject access right in the mandatory annual Security and Data Protection Training module and there is supporting guidance for staff available through JNCC's internal communications' channels.
JNCC provides desk instructions for specialist staff on how to handle SARs, including standard templates for acknowledgement of the SAR and for other correspondence. These instructions are updated on a regular basis.
The Data Protection Manager will maintain a log of all SARs and regularly review SARs to address any issues arising and escalate any cases that risk being delayed.
Some types of information do not have to be released if they are covered by one or more of the exemptions set out in data protection legislation. Whether an exemption applies will usually depend on why the personal data is being processed. The Data Protection Manager will advise if an exemption applies and how it should be handled.
4.2. Disputes and rectification of inaccurate data or information
Anyone working with personal data and/or information in any area of JNCC is expected to have taken reasonable steps to make sure the information or data held about an individual is accurate. If, after an SAR has been responded to, the person tells us that they disagree with the information held about them, advice on handling must be sought from the Data Protection Manager.
A record will be kept of the fact that the individual disputes the accuracy of the information held about them and where possible it will be held with the original information.
4.3. Erasing records
JNCC will maintain processes to delete, suppress or otherwise stop processing personal data or information if requested. These will cover live systems and, where reasonable, back-up systems. In all cases such requests will be handled by the Data Protection Manager.
If personal data has been made public in an online environment, reasonable steps must be taken to tell other controllers that if they are processing the data they must stop, and erase links to copies or replication of that data.
4.4. Rights and considerations relating to automated decision making and profiling
JNCC does not use any automated decision making at present. If this changes, the use will be carefully considered, particularly in relation to ensuring that:
- additional safeguards for vulnerable groups, such as children, are applied to all automated decision making and profiling;
- only the minimum data needed for a decision is collected; and
- a clear retention policy is set out for any profiles created for automated decision making.
4.5. Individual complaints
JNCC has procedures to handle individuals' complaints about data protection. These procedures can be found in the Data Protection section of JNCC's internal communications channels.
5 Governance and responsibilities
The data protection governance structure within JNCC is shown in Figure 1.
Figure 1. Data protection governance structure within JNCC.
Specific roles are described as follows:
5.1. Audit and Risk Assurance Committee
The Audit and Risk Assurance Committee (ARAC) is responsible for advising the Joint Committee and Accounting Officer on strategic processes for risk, control and governance, which include data protection risk and compliance. Regular reporting to the ARAC will include an annual report on information risk and cyber security, including any reports of breaches.
5.2. Executive Leadership Team and Management Board
The Executive Leadership Team (ELT) and Management Board support the Chief Executive in leading the JNCC Support Company to deliver JNCC’s strategy and business plan within a framework of effective controls. The ELT is responsible for determining the inclusion of data protection in strategic priorities and for developing a culture of privacy by design. Regular engagement with the ELT will include learning and training, and reporting on compliance progress including breaches. The ELT will undertake oversight functions and responsibilities regarding data protection.
5.3. Senior Information Risk Owner
The Senior Information Risk Owner (SIRO) is accountable and responsible for information risk and security across the organisation, supported by the Data Protection Manager (DPM) and Information Asset Owners (IAOs). The SIRO will assess compliance with this policy and with data protection legislation, ensuring everyone is aware of their personal responsibility to exercise good judgement and to safeguard and share information appropriately. The SIRO, with the Data Protection Officer (DPO) and Data Protection Manager (DPM), will provide for operational delivery and some oversight functions regarding data protection.
5.4. Data Protection Officer and Data Protection Manager
JNCC, as a public body, will have a Data Protection Officer (DPO) to advise on, and monitor compliance with, UK data protection legislation. JNCC has opted in to Defra’s Group DPO mechanism and has appointed a Data Protection Manager (DPM) to act as a local point of contact for staff and to liaise with the Group DPO. This appointment and any further changes to it will be formally communicated to staff.
5.5. Information Asset Owners
Information Asset Owners (IAOs) are responsible for the day-to-day protective security of information held and handled within their business unit. They work with their staff to ensure information is processed with due care and diligence and that staff are familiar with the organisation’s data protection policies and processes.
5.6. All staff
All JNCC staff will actively involve the DPM in a proper and timely manner in all issues which relate to the protection of personal data. All staff are expected to:
- understand and follow this policy and the wider policy suite;
- attend training as required to be fully informed of their obligations and JNCC’s liabilities;
- know how to recognise a ‘data breach’ and unauthorised processing;
- ask questions about data protection when in doubt and raise any concerns with the relevant IAO, or DPM; and
- report any breaches without delay.
6. Training and awareness
6.1. Annual Security and Data Protection Training for all staff
All staff in JNCC are required each year to complete the Security and Data Protection Training module on the Civil Service Learning (CSL) website. The module is approved by both the Information Commissioner and the Defra Group DPO. The training module:
- ensures that all staff can recognise a security incident and a personal data breach and know what steps to take in response;
- makes use of a variety of technologies and delivery methods;
- has content that reflects current issues and ways of working;
- is designed for a general audience so that it is relevant to everyone in JNCC, whether they work in an office developing policy or in the field delivering services; and
- is promoted through internal communications mechanisms.
At the end of the module staff are assessed so that they can demonstrate and record a minimum level of understanding of the mandated course outcomes before completion is confirmed.
6.2. Training for specialist functions
The JNCC Data Protection Manager will provide staff working in specialist functions which use a lot of personal data with additional training specific to the function.
Staff who will be working with personal data must have completed at least the basic level of training before accessing personal data.
Anyone in JNCC in a role required to give advice on data protection must have completed the Practitioner Certificate in Data Protection or similar before giving advice.
Additional bespoke training on the requirements of data protection legislation will be provided for staff working in teams or on projects in which the amount of personal data being handled or operational demands increase the risks associated with personal data.
Team Leaders or Directors will be required to assess the level of training and awareness required.
6.3. Further training and awareness for senior roles
The Data Protection Manager and/or Defra Group DPO will provide training and awareness sessions for people in senior roles in JNCC. This training will also be available to any staff who wish to take it.
7. Accountability
JNCC is accountable to the data subjects whose data it processes and to the Information Commissioner's Office (ICO) as the UK’s Supervisory Authority. JNCC will demonstrate its commitment to good data protection practice through the steps outlined below.
JNCC will:
- maintain a record of staff training;
- maintain a Record of Processing Activities (ROPA), particularly where the data is a special category of personal data or the processing carries a risk to the rights and freedoms of an individual. The ROPA will include, as a minimum, the requirements set out in Article 30 of the UK GDPR;
- run an annual audit of UK GDPR compliance (processing activities and technical and organisational measures) and maintain a log of outcomes and subsequent changes to process; and
- review and update this policy annually, along with the wider information management policy suite.
8. Monitoring
Compliance with this policy will be monitored via the Data Protection Manager (DPM) and Senior Information Risk Owner (SIRO), reporting to the Executive Leadership Team (ELT) and Audit and Risk Assurance Committee (ARAC) as required.