Data Protection

Page updated: 09/11/2023

We collect and use a wide range of information about different people to deliver our services. These individuals are our customers, clients and employees, and the information we hold about them is their personal data. Nearly everything we do as a Council involves processing personal data, like names, addresses or reference numbers.

Data Protection is about making sure that people can trust the Council to use their personal data fairly and responsibly. It also means that we have to comply with specific Data Protection legislation.

 

The UK General Data Protection Regulation  

The UK General Data Protection Regulation (UK GDPR) is designed to protect personal data and provides individuals with a number of rights in relation to their information. As Council employees, we all have to comply with the UK GDPR.

The UK GDPR is based around principles which we have to follow when processing personal data: 

 

We have identified an appropriate lawful basis for processing personal data.

If we are processing special category (sensitive) personal data, or information about criminal offences, we have identified a condition for processing this type of data. 

We don’t do anything unlawful with the personal data.

We have considered how the processing may affect the individuals concerned and can justify any adverse impact.

We only handle people’s personal data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

We do not deceive or mislead people when we collect their personal data.

We are open and honest and let people know what we do with their information.

We use our Privacy Notices to tell people how our services process their personal data.

We must only process personal data for specified, explicit and legitimate purposes, and other uses must be compatible with these purposes.

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is used.

Personal information must be kept accurate and, where necessary, up to date.

Personal data must not be kept for longer than is actually necessary.

We can refer to our Retention Guidelines to help us do this.

Personal data must be processed in a secure manner, including protection against unauthorised or unlawful use of personal data and against its accidental loss, destruction or damage, using appropriate technical and organisational measures.

We have to take responsibility for what we do with personal data and how we comply with the other principles. This means having appropriate measures and records in place to be able to demonstrate compliance.

The Council's Data Protection Policy sets out how we comply with these principles.

 

The Data Protection Act 2018 

The Data Protection Act 2018 (DPA) sits alongside the UK GDPR and we have to comply with both pieces of legislation.

It’s important to note that some misuse of personal data can be classed as criminal offences and that individual members of staff can be prosecuted under the DPA.

The criminal offences relating to Data Protection include:

  • Obtaining or disclosing personal data without the permission of the Council
  • After obtaining the personal data, keeping it without the permission of the Council
  • Selling, or offering to sell, personal data which has been unlawfully obtained

It’s also important for all staff to be aware that misuse of personal data is a breach of Council policy and the Code of Conduct, and could therefore lead to disciplinary action, including dismissal.

Handling Personal Data 
We have produced a specific policy which is designed to ensure that personal data is handled securely. In particular, the policy looks at the way personal data is stored and transferred to help us comply with our legal obligations under Data Protection legislation.

The Right of Access
The UK GDPR provides individuals with a number of rights, including the right to obtain a copy of the personal data that’s processed about them, by making what is known as a ‘Subject Access Request’. Please read our Subject Access Procedure for more information on how we deal with these requests.