Data Protection Legislation
The new General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into effect on 25 May 2018. Together they form the New Data Protection Legislation and replace the Data Protection Act 1998.
We collect, hold and use data about the people and organisations with whom we work, in order to conduct our business. This may include members of the public, current, past and prospective employees, clients, customers, contractors, partners and suppliers. In addition, we may be required to collect and use personal data in order to comply with our statutory obligations.
We must abide by the 6 principles of the Data Protection Legislation which make sure that personal information is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and where necessary kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed. Refer to our Corporate Data Retention Policy.
- Processed in a manner that ensures appropriate security of the personal data
Accountability is central to the Data Protection Legislation. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the Information Commissioner's Office.
The Council has a General Data Protection Regulation (GDPR) Policy in place. This Policy describes the Council’s requirements to comply with the Data Protection Legislation.
Our Privacy Notice tells you what we do with your personal information when you make contact with us or use one of our services.
Accessing information we hold about you
You can access the information we hold about you by making a Subject Access Request. This request can be made in writing, by email or by using the Subject Access Request application form. Please provide as much detail as possible about the information you require, mark your request "Subject Access Requests", and send it to the address provided. See our Subject Access Request Privacy Notice.
Proof of identity
To help establish your identity, your application must be accompanied by TWO official documents that between them clearly show your name, date of birth and current address.
Acceptable forms of ID are:
- a photocopy of your passport or driving licence
- an electricity bill
- a gas bill
- a council tax bill
- any other bill in your full name
Please do not send original documents; good-quality photocopies are acceptable.
Any bill you send must be less than 6 months old.
Correcting data we hold
If you believe the data we hold about you is incorrect or that there is information that we have not supplied, you must contact us within 21 days of receiving our response to your request.
If we don't agree that the information is incorrect, you can appeal using the Council's normal complaints procedure.
You can also appeal to the Information Commissioner's Office if we do not correct the data you ask us to: https://ico.org.uk/for-organisations/guide-to-freedom-of-information/complaints/
Where personal data breaches do occur, Publica will, without undue delay, investigate the breach, and where required, report the breach to the Information Commissioner’s Office (ICO) within 72 hours. Reporting procedures can be found in our Reporting of Personal Data Breaches Policy.
Personal Data Retention Schedule
Under the Data Protection Legislation (UK General Data Protection Regulation and Data Protection Act 2018), data controllers of personal data must ensure that the personal data of individuals is only retained for as long as is necessary and for the purposes for which it was collected. Section 71 (7) (b) of the Data Protection Act 2018 requires controllers of personal data to carry out periodic reviews of the need for the retention of that data. Retention periods are governed by a variety of factors, including but not limited to legislation, contract and best practice. Some records may be initially retained for a set period after which they may be either archived or destroyed. Records retention schedules provide a framework within which retention periods can be set and reviewed for individual classes of data.
In order to comply with their legislative obligations, the Councils and Publica have devised a records retention schedule which comprehends both personal and non-personal data. It is provided for the benefit of both the owners and managers of records and individual data subjects.
Monitoring the Council's compliance with the law
All organisations that handle personal information need to be registered with the Information Commissioner based at Wilmslow in Cheshire. The Commissioner is responsible for enforcing the Data Protection Legislation and providing guidance. The Register of Data Controllers is a public document and provides information about the classes of data held, the classes of data subjects and whom the data is disclosed to or shared with. Registrations are renewed each year and updated during the year as required and the Register of Data Controllers can be inspected at any time on the Information Commissioner's Office website. Our entry in the Data Protection Public Register is available via this link https://ico.org.uk/esdwebpages/search
Enter Z6172644, which is the Council's Data Protection Registration number.
Summary of the Council's data processing procedures
The Council is committed to complying not only with the letter but also with the spirit of Data Protection Legislation. The accuracy and security of your personal information is a key responsibility of the Council and is recognised as an overriding factor in securing your trust and confidence. The Council will only use the information it holds about you for the purpose for which you provided it or as permitted by law. It will also only collect the minimum information necessary to fulfil that purpose.
By law we must maintain a record of the data processing activities we are responsible for. This is contained in our Record of Processing Activities.