The UK General Data Protection Regulation (UK GDPR) is a Europe-wide law that replaced the Data Protection Act 1998 in the UK on 25 May 2018. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Act 2018 The UK GDPR sets out requirements for how organisations will need to handle personal data.

The UK GDPR applies to personal data. Personal data is any information about a person which can be used to directly or indirectly identify them.

What personal data is

Any information including facts and opinions and any indication of intentions, which relates to a living individual who could then be identified from that information. For example, name, address, date of birth, National Insurance number, bank account details.

Some personal data is classed as sensitive. This is information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, criminal offences, proceedings and convictions. We can only collect and hold this information for specific purposes (for example equal opportunities monitoring).

Your rights

Right to access your personal information (Article 15)

You can ask for access to the information we hold about you

You have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you in writing, along with proof of your identity and address we must give you access to everything we've recorded about you.

However, we can't let you see any parts of your record which contain:

  • Confidential information about other people; or
  • Data a professional thinks will cause serious harm to your or someone else's physical or mental wellbeing; or
  • Legal advice; or
  • If we think that giving you the information may stop us from preventing or detecting a crime.

This applies to personal information that is in both paper and electronic records. If you ask us, we'll also let others see your record (except if one of the points above applies).

We will have one month to provide the information, which we can extend in some circumstances.

Right to have incomplete or inaccurate data about you rectified (Article 16)

You can ask to change information you think is inaccurate.

You should let us know if you disagree with something written on your file.

We may not always be able to change or remove that information but we'll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

Right to Erasure; also known as the "right to be forgotten" (Article 17)

You can ask to delete information (right to be forgotten).

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the reason why it was collected in the first place
  • Where you have removed your consent for us to use your information (where there is no other legal reason us to use it)
  • Where there is no legal reason for the use of your information
  • Where deleting the information is a legal requirement

Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request for erasure.

Please note that we can't delete your information where:

  • we're required to have it by law
  • it is used for freedom of expression
  • it is used for public health purposes
  • it is for, scientific or historical research, or statistical purposes where it would make information unusable
  • it is necessary for legal claims

Right to have your personal data restricted (Article 18)

You can ask to limit what we use your personal data for

You have the right to ask us to restrict what we use your personal information for where:

  • You have identified inaccurate information, and have told us of it
  • Where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether

When information is restricted it can't be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it's for important public interests of the UK.

Where restriction of use has been granted, we'll inform you before we carry on using your personal information.

This means, for example, if you say the Council has your address wrong, the Council cannot send any more letters to the address it holds on record until it is confirmed what your actual address is.

You have the right to ask us to stop using your personal information for any council service. However, if this request is approved this may cause delays or prevent us delivering that service.

Where possible we'll seek to comply with your request, but we may need to hold or use information because we are required to by law.

Right to data portability (Article 20)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we're using your personal information with consent (not if we're required to by law) and if decisions were made by a computer and not a human being.

It's likely that data portability won't apply to most of the services you receive from the Council.

Right to object to the processing of your personal data (Article 21)

You can complain to the Council's Data Protection Officer if you feel that your data rights have been incorrectly handled or breached.

Complaints about data protection should not be sent to the Councils complaints department but should be sent to the Council's Data Protection Officer

Right to Not be Subject to Automated Processing or profiling (Article 22)

You can ask to have any computer made decisions explained to you, and details of how we may have 'risk profiled' you.

You have the right to question decisions made about you by a computer, unless it's required for any contract you have entered into, required by law, or you've consented to it.

You also have the right to object if you are being 'profiled'. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.

If and when the Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.

If you have concerns regarding automated decision-making, or profiling, you can contact the Council's Data Protection Officer who will advise you about how we use your information.

Exercise your rights under UK General Data Protection Regulation (UK GDPR)

Fill in our online form.

Clock Completing this form takes around 10 minutes.

Apply online

After you've applied

You will receive a response within 1 month of us receiving your request.

If we do not have enough information we will contact you and ask for more details. The response period will then begin from the day we receive sufficient information to enable a search and proof of identity and address.

Policies, obligations and audit

Contact the Data Protection Officer

Stay Connected
Sign up to email alerts about getting involved
Was this information helpful?