As a borough councillor, I am a Data Controller for the purposes of managing personal information received in correspondence with local constituents or from others. This means that I am required to comply with the data protection principles set out in the Data Protection Act 2018 (applying Article 5 of the General Data Protection Regulation (GDPR)). This Data Protection Commitment sets out how I will comply with the data protection principles.

Data Protection Principles

Processing

Lawfulness, Fairness and Transparency

Personal information shall be processed lawfully, fairly and in a transparent manner in relation to the information subject

I will regularly receive correspondence containing personal information which might be sent to me in my capacity as a borough councillor by a local constituent or others. In such circumstances, the lawful basis for processing will normally be ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

I understand that in using this basis for processing, no consent will be required from the individual when they first approach me for onward sharing, although I will endeavour to keep the individual informed about other organisations with which I have shared information.

From time to time, correspondence might contain special category[1] information. My lawful basis for processing such information will be for reasons of substantial public interest and Schedule 1 Part 2 of the Data Protection Act 2018 ‘elected representatives responding to requests’. Dartford Borough Council’s Data Protection Policy sets out how this information will be handled.

I will comply with the Councillor’s Privacy Notice on the Member index page of Dartford Borough Council’s website which sets out to the public how I will use the personal information which has been supplied to me.

Purpose Limitation

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

I understand that I will only use the personal information provided to me for the purposes for which it has been collected and not for any unrelated purposes. I will not use the information provided for any other purpose without the consent of the individual.

Information minimisation

Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed

Personal information about any individual provided to me in the course of correspondence which is not required for the purposes of dealing with the individual’s request, complaint etc. will not be shared or copied. Where practicable, I will take steps to remove, redact or delete personal information before sharing. Information provided about other individuals will not be shared without their permission.

Accuracy

Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal information that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay

Personal information is inaccurate if it is incorrect or misleading as to any matter of fact. I understand that I have a responsibility to keep an individual’s personal information up to date if circumstances change.

I understand that it is acceptable to keep records of events that happened in error, provided those records are not misleading about the facts. I may need to add a note to a record to clarify that a mistake happened.

Storage limitation

Kept in a form which permits identification of information subjects for no longer than is necessary for the purposes for which the personal information is processed

As a matter of principle, I will not retain information for longer than necessary. I will make a judgement about:

  • the current and future value of the information;
  • the costs, risks and liabilities associated with retaining the information; and
  • the ease or difficulty of making sure it remains accurate and up to date.

I understand that if I have good grounds for keeping personal information for historical, statistical or research purposes, the personal information can be kept for these purposes indefinitely as long as I do not use it in connection with decisions affecting particular individuals, or in a way that is likely to cause damage or distress. I understand that this does not mean that the information may be kept forever – it should be deleted when it is no longer needed for historical, statistical or research purposes.

As a matter of good practice, I will review all records containing personal information held on email and in paper files every 6 months and delete those that are no longer needed.

Personal information relating to live cases will be reviewed annually and deleted if no longer relevant or where retention is no longer justified.

The information will be scheduled for deletion after 4 years (unless there is justification for retaining it for a longer period) or the information will be deleted 5 days after I cease to be a councillor, whichever is the sooner. All information will be held securely and disposed of confidentially.

Integrity and confidentiality

Processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

I will apply appropriate security measures on my personal devices to protect my constituents’ personal information. I will take into account the nature of the information and the harm that can result. I will consider what technical and organisational measures, such as use of passwords, computer access privileges, procedures and training are appropriate to keep the information safe.

I will comply with Dartford Borough Council’s Information Security Policy when I connect my own devices to its IT system.

Accountability

The controller shall be responsible for, and be able to demonstrate compliance with the principles

In following this Data Protection Commitment, I have set out how I intend to comply with the data protection principles.


ACKNOWLEDGEMENT

I, [COUNCILLOR NAME], understand that I am responsible for knowing and abiding by the data protection principles and that the information set out above is intended to help me in the use of and protection of personal information.

Signed ……………………………………………………….

Printed Name ……………………………………………….

Date ………………………………………………………….

[1] Personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic information, biometric information for the purpose of uniquely identifying a natural person, information concerning health or information concerning a natural person's sex life or sexual orientation.