Home > About Us > Transparency > Data Protection Policy

Data Protection Policy


The Cambridgeshire and Peterborough Combined Authority (CPCA) will take all necessary steps to ensure that the personal data it holds about its customers, suppliers, employees and all other individuals is processed fairly and lawfully.

The CPCA will ensure that all relevant statutory requirements are complied with and that its internal data protection procedures are monitored regularly.

We will implement and comply with the eight Data Protection Principles contained in the Data Protection Act 1998 ("the Act") which promotes good conduct in relation to processing personal information.

These principles are:

  • Personal data shall be processed fairly and lawfully. Individuals will not be misled as to the uses to which the CPCA will put the information given.
  • Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes. We will ensure that individuals whose data is processed will be informed as fully as possible about the purposes for which the information is being processed.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. The information obtained by the CPCA will be sufficient to ensure accurate processing.
  • Personal data shall be accurate and where necessary, kept up to date. Errors will be corrected as soon as discovered or notified.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Data which is no longer required will be securely destroyed.
  • Personal data shall be processed in accordance with the rights of data subjects outlined in the Act. The CPCA will attempt to reply to subject access requests as quickly as possible and in all cases within the 40 day timeframe allowed by the Act.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. In particular, unauthorised staff and other individuals will be prevented from gaining access to personal information. Appropriate physical security will be in place with visitors being received and supervised at all times within our premises where information about individuals is stored.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

The CPCA will ensure that the Information Commissioner’s Office is informed of all its uses of personal information and will review and update those entries from time to time.

We will take such measures as may be necessary to ensure the proper training, supervision and instruction of all relevant employees in matters concerning data protection and to provide any necessary information.

The CPCA will consult with its employees periodically to ascertain what measures should be taken to increase awareness of data protection issues and to ensure that all necessary measures are in place to make this Policy effective.

Where reasonable and practicable personal data shared with any partner, associate or other organisation shall be the subject either of a protocol or confidentiality agreement which will define the context and limits of the data exchange.

Our Legal Counsel & Monitoring Officer shall have overall responsibility for data protection issues within the organisation.

The CPCA will keep this policy under review taking account of changes in legislation, advice from our Information Commissioner’s Office, decisions of the courts, changes in technology, experience in practice and relevant guidance from other representatives.

View a PDF version of our Data Protection Policy (90kb)