Decision details

Data Protection Policy

Decision Maker: Director of Law & Governance and Monitoring Officer

Decision status: Recommendations Approved

Is Key decision?: No

Is subject to call in?: No


Oxfordshire County Council collects, processes, stores and disposes of personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and any other relevant legislation that governs the use of personal data e.g. the EU General Data Protection Regulation (EU GDPR).


Adoption of the Data Protection Policy following its annual review and approval by the Information Governance Board.

Reasons for the decision:

Council staff, contractors, Councillors and other specified third parties are required to have access to personal data held by the council in the performance of their duties.

This policy describes the Council’s position on meeting its statutory requirements for collecting, processing, storing and disposing of personal data.

Alternative options considered:

No other alternatives were considered.


Breaching data protection law can see the Council prosecuted, resulting in harsh financial penalties. These can include significant fines in some cases amounting to £500,000 or more relating to the size of the Council’s budget. Adopting and adhering to a Data Protection Policy is crucial as the effects of non-compliance with the Council’s statutory data protection responsibilities can be significant for both residents and the Council.

Publication date: 22/06/2022

Date of decision: 23/03/2022

Accompanying Documents: