Data Protection Act Overview

Data Protection Legislation

The new General Data Protection Regulations (GDPR) and the Data Protection Act 2018 came into effect on 25 May 2018. Together they form the New Data Protection Legislation and replace the Data Protection Act 1998.

We collect, hold and use data about people and organisations with whom we work and in order to conduct our business. This may include members of the public, current, past and prospective employees, clients, customers, contractors, partners and suppliers. In addition, we may be required to collect and use personal data in order to comply with our statutory obligations.

We must abide by the 6 principles of the Data Protection Legislation which make sure that personal information is:

Accountability is central to the Data Protection Act Legislation.  Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the Information Commissioners Office.

The Council has a General Data Protection Regulation (GDPR) Policy in place. This Policy describes the Council’s requirements to comply with the Data Protection Legislation.

Our Privacy Notice tells you what we do with your personal information when you make contact with us or use one of our services. 

Accessing information we hold about you

You can access the information we hold about you by making a Subject Access Request.  This request can be made in writing, by email or using the Subject Access Request application form. Please provide as much detail as possible about the information you require, mark your request Subject Access Requests, and send it to the address provided.

Proof of Identity

To help establish your identity your application must be accompanied by TWO official documents that between them clearly show your name, date of birth and current address.

Acceptable forms of ID are:

Please do not send original documents, good quality photocopies are acceptable.

Any bill you send must be less than 6 months old.

Correcting data we hold

If you believe the data we hold about you is incorrect or that there is information that we have not supplied, you must contact us within 21 days of receiving our response to your request.

If we don't agree that the information is incorrect, you can appeal using the Council's normal complaints procedure.

You can also appeal to the Information Commissioner's Office if we do not correct the data you ask us to.

Breach reporting

Where personal data breaches do occur, Publica will, without undue delay, investigate the breach, and where required, report the breach to the Information Commissioner’s Office (ICO) within 72 hours. Reporting procedures can be found in our Reporting of Personal Data Breaches Policy.

Monitoring the Council's compliance with the law

All organisations that handle personal information need to be registered with the Information Commissioner based at Wilmslow in Cheshire. The Commissioner is responsible for enforcing the Data Protection Legislation and providing guidance. The Register of Data Controllers is a public document and provides information about the classes of data held, the classes of data subjects and whom the data is disclosed to or shared with. Registrations are renewed each year and updated during the year as required and the Register of Data Controllers can be inspected at any time on the Information Commissioner's Office website. Our entry in the Data Protection Public Register is available via this link

The Data Protection Public Register. Enter Z6172644, which is the Council's Data Protection Registration number.

Summary of the Council's data processing procedures

The Council is committed to complying not only with the letter but also the spirit of Data Protection Legislation. The accuracy and security of your personal information is a key responsibility of the Council and is recognised as an overriding factor in securing your trust and confidence. The Council will only use the information it holds about you for the purpose you provided it or as permitted by law. It will also only collect the minimum information necessary to fulfil that purpose.

By law we must maintain a record of the data processing activities we are responsible for. This is contained in our Record of Processing Activities.