As data controller, you have a duty to protect against unauthorised or unlawful processing and against accidental loss and are required to have appropriate technical and organisational measures in place to ensure a level of security, appropriate to the risk.1
You must determine what appropriate security measures are in place to protect personal data. For example ensuring that personal data is encrypted when it is being transferred, thus ensuring that you act as a guardian for that data.
Your council will have corporate standards and processes for data handling and security. Your Data Protection Officer will be able to advise you on the processes you use as part of carrying out your specific duties as RO and/or ERO. They will also be able to help you identify any risks to the security of the data you hold, whether on paper or stored electronically on your systems.
You should ensure that you have processes in place to retrieve data and securely destroy it at the appropriate time, in accordance with your document retention policy.