What is personal data?
Personal data is information that either on its own, or when added to other information, can identify a living individual. This can include names, addresses, phone numbers, email addresses, dates of birth etc.
It can also include letters, emails, photographs, video footage and call recordings.
Some data is classified as Special Category Data. This data is sensitive and is treated with an extra level of confidentiality. This data includes data about ethnic origin, religious and philosophical beliefs, sexual orientation and preference, trade union membership and political views, health data, biometric data (e.g. fingerprints and facial recognition) and genetic data.
What is the UK General Data Protection Regulation (UK GDPR)?
The UK General Data Protection Regulation (UK GDPR) is a UK law which came into effect on 01 January 2021 and sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.
The Data Protection Act 2018 (DPA 2018) sets out the framework for data protection law in the UK. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU.
It sits alongside and supplements the UK GDPR, for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
The UK GDPR tells data controllers (organisations such as the council) how to use, collect and share personal data in a legal and fair way.
The Principles of the UK GDPR tell the council that they must process (use) your personal data in the following ways:
- In a fair and transparent way which keeps you informed about how your data is used
- In a legal way that complies with the UK GDPR and all other laws
- For the specific purposes that we have told you about
- In a way that means we only use the correct amount of data and don’t use data about you that we don’t need
- Kept accurately and up-to-date
- Kept for no longer than is necessary, as advised by law and best practice
- Stored securely and protected from loss and unauthorised access
The Information Commissioner’s Office is the regulator for data protection law in the UK. They have produced a guide to the UK GDPR which provides individuals and organisations with advice regarding the legislation.
What rights do I have under data protection legislation?
The UK General Data Protection Regulation gives individuals a wide range of rights that they can use with any organisation that holds their personal data. Whilst the rights themselves are a crucial part of the legislation, please be aware that they are not absolute and exemptions may be applied by the Council where appropriate.
Subject Access Requests
What is a Subject Access Request (SAR)?
A SAR gives you the right to ask the council for a copy of the personal data that we hold about you. It also allows you to ask the council what personal data it holds about you and the reasons for doing so.
You can request a copy of your personal data at any time and you are entitled to ask for any information that you wish to see.
In order to make a SAR to the council, you will need to provide us with the following information:
- Your name.
- Your address.
- Your date of birth.
- A description of the personal data that you are requesting a copy of. Please be as detailed as possible, listing teams or members of staff that you have interacted with.
The council will require proof of your identity in order to process your request. The council requires one photo ID document and one document proving your address. You can provide us with scanned copies of any of the following documents:
- Driving licence.
- Recent utility bill.
- Council Tax Bill.
Make a Subject Access Request online
If you are unable to make your request online, you can email firstname.lastname@example.org, or telephone 0151 443 3231.
When will I receive my information?
The council will respond to your SAR within 30 calendar days of receiving your request. You will receive an acknowledgement email which will state the deadline for the council’s response.
If your request is deemed complex or voluminous, the council has the right to extend this deadline by two calendar months. Where this is necessary, you will be informed as soon as possible.
In order to allow council staff to continue to provide essential council services and support to vulnerable residents during the current Coronavirus pandemic, we will aim to respond to information requests in a timely manner.
We hope you appreciate that our services and resources are being redirected at this challenging time.
How much will my request cost?
All rights requests under the UK GDPR are free of charge.
If you are requesting information that we have previously provided to you as part of a previous response, or if your request is excessive or unreasonable (as defined in the UK GDPR) we may charge an administration fee. If this is the case, you will be informed of this at the earliest possible opportunity.
What information can I request?
You can request a copy of any personal data that the council holds about you. Please be aware that you are only entitled to information about yourself. If you wish to access information about another person, you will need their consent to do so.
If you wish to make a request on behalf of another person, please provide proof of their identity as well as your own. You will also need to provide proof of authority to act on behalf of the person you are representing.
Will I get all of my data?
There may be occasions where we may redact (remove) information from documents that we disclose to you.
The reasons for this may be:
- The information relates to another person.
- The information is related to a criminal or fraud investigation.
- The information may cause you, or another individual, emotional distress.
- The information was supplied in confidence or as part of a confidential reference.
- The information is used in management forecasts or ongoing restructuring documents.
For further detail about Subject Access Request exemptions, please visit the ICO website.
Further rights of the individual
You can request that the council does the following things with your personal data:
- Amend any personal data we hold about you that is inaccurate. (The Right to Rectification).
- Erase information that you no longer want the council to keep about you. Please note: this right is only applicable in certain situations. (The Right to be Forgotten).
- Restrict how your personal data is used by the council. Please note: this right is only applicable in certain situations. (The Right to Restriction).
- Object to how the council is using your information and ask us to stop doing so. Please note: this right is only applicable in certain situations. (The Right to Objection).
- Ask the council to provide you with your personal data so that you can move it to a new provider. Please note: this right is only applicable in certain situations. (The Right to Data Portability).
- Stop the council making automated decisions about you.
The Information Commissioner’s Office is the regulator for data protection law within the UK. The ICO has provided summaries of all the Rights of the Individual under the UK GDPR on their website. This gives specific information about how rights can be used by an individual and the situations in which they apply.
How do I make a rights request with the council?
You can make a rights request to the council at any time. In order to appropriately respond to your request, we would ask that you contact us using our Information Rights mailbox.
In order to process your request, we will need the following information.
- Your name.
- Contact details.
- Which Right you are requesting us to undertake.
- A description of the personal data you wish to apply your Rights to. We would ask that you be as specific as possible and provide us with team or staff names that will allow us to identify the information you require.
You will be asked to provide proof of identification so that the council can be certain that you are the correct person for us to deal with.
Please send your request to the council’s Data Protection Officer in the first instance, using the following details:
Data Protection Officer
Email – email@example.com.
What is the deadline for a rights request?
The council has a duty to respond to all rights requests made under data protection legislation within 30 calendar days (one month) of receiving them. You will be informed of the deadline for your request in an acknowledgement email or letter, depending on how you made your request to us.
If your request is complex or very time consuming, the council is able to extend this deadline by two calendar months. In these situations, you will be contacted by the council and informed that your deadline has been extended and the reasons why.
How much does a rights request cost?
All rights requests under the UK GDPR are free of charge.
If you wish to complain to the council about your rights request or any issues around how we handle your data, please do so via:
Data Protection Officer
If you wish to complain about how the Council has handled your personal data, please do so via the Have Your Say section of the website.
You also have the right to complain to the Information Commissioner’s Office where you are dissatisfied by the council’s response. Please be aware that they may ask you to contact the council in the first instance if you haven’t done so already.
The Information Commissioner's Office
Cheshire SK9 5AF
Telephone: 08456 30 60 60 or 01625 54 57 45