The UK General Data Protection Regulation (UK GDPR) is a Europe-wide law that replaced the Data Protection Act 1998 in the UK on 25 May 2018. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Act 2018. The UK GDPR sets out requirements for how organisations will need to handle personal data.
The UK GDPR applies to personal data. Personal data is any information about a person which can be used to directly or indirectly identify them.
What personal data is
Any information including facts and opinions and any indication of intentions, which relates to a living individual who could then be identified from that information. For example, name, address, date of birth, National Insurance number, bank account details.
Some personal data is classed as sensitive. This is information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, criminal offences, proceedings and convictions. We can only collect and hold this information for specific purposes (for example equal opportunities monitoring).
You can ask for access to the information we hold about you
You have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you in writing, along with proof of your identity and address, we must give you access to everything we've recorded about you.
However, we can't let you see any parts of your record which contain:
Confidential information about other people; or
Data a professional thinks will cause serious harm to your or someone else's physical or mental wellbeing; or
Legal advice; or
If we think that giving you the information may stop us from preventing or detecting a crime.
This applies to personal information that is in both paper and electronic records. If you ask us, we'll also let others see your record (except if one of the points above applies).
We will have one month to provide the information, which we can extend in some circumstances.
You can ask to change information you think is inaccurate.
You should let us know if you disagree with something written on your file.
We may not always be able to change or remove that information but we'll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
You can ask to delete information (right to be forgotten).
In some circumstances you can ask for your personal information to be deleted, for example:
Where your personal information is no longer needed for the reason why it was collected in the first place
Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it)
Where there is no legal reason for the use of your information
Where deleting the information is a legal requirement
Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request for erasure.
Please note that we can't delete your information where:
we're required to have it by law
it is used for freedom of expression
it is used for public health purposes
it is for scientific or historical research, or statistical purposes where it would make information unusable
it is necessary for legal claims
You can ask to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:
You have identified inaccurate information, and have told us of it
Where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether
When information is restricted it can't be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it's for important public interests of the UK.
Where restriction of use has been granted, we'll inform you before we carry on using your personal information.
This means, for example, if you say the Council has your address wrong, the Council cannot send any more letters to the address it holds on record until it is confirmed what your actual address is.
You have the right to ask us to stop using your personal information for any council service. However, if this request is approved this may cause delays or prevent us delivering that service.
Where possible we'll seek to comply with your request, but we may need to hold or use information because we are required to by law.
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However, this only applies if we're using your personal information with consent (not if we're required to by law) and if decisions were made by a computer and not a human being.
It's likely that data portability won't apply to most of the services you receive from the Council.
You can complain to the Council's Data Protection Officer if you feel that your data rights have been incorrectly handled or breached.
Complaints about data protection should not be sent to the Council's complaints department but should be sent to the Council's Data Protection Officer.
You can ask to have any computer-made decisions explained to you, and details of how we may have 'risk profiled' you.
You have the right to question decisions made about you by a computer, unless it's required for any contract you have entered into, required by law, or you've consented to it.
You also have the right to object if you are being 'profiled'. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.
If and when the Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.
If you have concerns regarding automated decision-making, or profiling, you can contact the Council's Data Protection Officer who will advise you about how we use your information.
Exercise your rights under UK General Data Protection Regulation (UK GDPR)
Fill in our online form.
Completing this form takes around 10 minutes.
After you've applied
You will receive a response within 1 month of us receiving your request.
If we do not have enough information we will contact you and ask for more details. The response period will then begin from the day we receive sufficient information to enable a search and proof of identity and address.
Policies, obligations and audit
Data Protection Policy
The approach the council takes with regard to the processing of personal data.
CCTV code of practice
How we adhere to the terms of the Data Protection Act in the use of CCTV surveillance.
Information Commissioner's Office (ICO) audit
About the Information Commissioner's Office audit of our data protection practices in September 2014.
Includes specific findings, areas for improvement and recommendations.
Contact the Data Protection Officer
Phone 01484 221000