Data Protection Act
- Council and democracy
Barnet Council abides by the Data Protection Act 2018 (DPA).The purpose of this data protection legislation is to protect people's personal information from misuse by placing controls on organisations and people who handle personal information.
The legislation has core principles which must be adopted when handling personal data.
Personal data must be:
- a.processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Terms and definitions
The DPA contains a number of terms. The key ones are defined below.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special category data
Special category data is personal data relating to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data, biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
We are required to take extra care with special category data.
Criminal data in not considered special category data under the legislation, but it is to be treated with the same extra care as special category data and only processed where we have a legal right to do so.
An individual who is the subject of the personal data.
The person or organisation that determines what personal data is used for and how it is processed. The council is a data controller.
A person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used.
Processing includes all actions in relation to personal data such as collecting, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, storing, erasing, destroying, blocking and disseminating.
Your personal data
Subject Access Request (SAR)
A subject access request (SAR) is a request under the Data Protection Act 2018 (DPA) from a person for a copy of the personal information that is held about them.
Personal information can take a number of forms eg paper, electronic, CCTV footage, a picture or even an audio recording. It can include facts and information about an individual and also include views or opinion of others about the individual.
The act entitles the individual to receive:
- a description of the data
- an explanation of why the data is being held
- an explanation of who the data may be given to
- a copy of the data with any technical terms explained
- an explanation as to the source of the data,
- an explanation as to how (if any) automated decisions taken about them have been made.
Can I make a SAR on someone else’s behalf?
You can make a subject access request (SAR) on someone else's behalf only if:
- You have their written permission to do so, or
- They are your child and are too young to make the request themselves, (please bear in mind that a child is, in theory, entitled to a make their own subject access request. Where it is felt that the child is of a sufficient age and maturity to understand the nature of the request, we may need to contact the child to discuss the request and ensure they are happy for the request to proceed) or
- You have a power of attorney for the person concerned, or
- You have a court order authorising you to make the request
If none of the above apply you are unlikely to be able to make a SAR on their behalf.
How to make a subject access request (SAR)
You don't have to mention the Data Protection Act or a subject access request (SAR) for it to be a valid request.
Any request for personal information held by the council about that person is a SAR and we will deal with straightforward requests as business as usual as long as we are sure of your identity.
So if you're dealing with a council officer over an issue you can usually ask them for your personal information about that issue eg by email or letter.
If you're not currently dealing with the council or want to ask for wider information (eg all my council tax records, anything the planning team hold about me, the social work files about my youngest son) then we recommend that you apply formally for a SAR.
You will need to
- provide proof of your identify. Acceptable types of identification are detailed in the Request Form
Proof of ID
It is important that the council is sure of your identity before releasing information. The ID that you will need to provide is set out in the SAR request form.
You will need a photocopy of one of these:
- driving licence
- birth certificate
And a copy of one of these:
- a recent bank statement (with full address) dated within the last 3 months or
- a recent utility statement (with full address) dated within the last 3 months or
- Barnet council tax number
If you're acting on behalf of the Data Subject you are still required to provide the above documentation on their behalf.
How much does it cost?
There is no charge for making a request.
How is the information sent?
We will send the information in the most appropriate way, depending on how much there is and how sensitive it is. If possible we will send by email (encrypted if necessary). Otherwise we will send by recorded or special delivery. You may be able to arrange to come to the council offices at North London Business Park in New Southgate to collect the information.
What happens if there's no response from a request after 1 calendar month?
Please check your email and post to see if you received a letter from us asking for more information. For example if you did not send the correct ID we will have contacted you to ask for this. The time to comply does not start running until we have received the required proof of ID fee. Please check and see if we have asked you for clarification, for example if what you are asking for was not clear.
If you have checked and we are not waiting to hear from you with ID or to clarify then:
- If you have had an acknowledgement email from the council contact the person who sent it to ask them for a progress update.
- If you haven't heard back from the council at all, please contact firstname.lastname@example.org with as much information as possible and we will look into it for you.
Will I get everything the council holds on me?
The council will send you information within the scope of your request. However the council is allowed under the Data Protection Act 2018 to withhold (redact) certain information in some circumstances. The council will only do this where an exemption applies. We have summarised the common exemptions below.
Documents containing information about another person (third party)
Where information relates to another individual (a third party) as well as the person making the request, the information about the person requesting will not be released if doing so will mean that information relating to the third party would be disclosed. The exceptions to this are where:
In deciding whether it may be reasonable to disclose the following will be considered:
a) any duty of confidentiality owed to the third party
b) whether the council feels it is necessary to seek consent of the third party
c) whether the third party is capable of giving consent
d) any express refusal of consent by the third party.
The council will also consider whether the information in question is already known to the individual, or whether it is possible to undertake a partial redaction allowing us to disclose the information without identifying the third party.
Documents written by another person (third party)
Where a document is written by another person or organisation these are not automatically exempt.
Whilst the council is allowed to seek a view from the author of the document, it is the council‟s decision whether to disclose or not. Before applying this exemption the council will take the following into account:
Legally privileged information
Personal data is exempt if it consists of information for which legal professional privilege (LPP) could be maintained in legal proceedings. The LPP exemption is fairly narrow and cannot be applied to all legal documentation.
The actual content of the information is important when considering whether LPP applies as just the mere fact that it is a communication with a lawyer / solicitor does not make the document legally privileged.
LPP can be applied to documents created on instructing a lawyer or as a result of advice being given for the use in a legal case or in anticipation of a legal case.
Social work data is exempt where granting a subject access request would be likely to prejudice the carrying out of social work by virtue of resultant serious harm to the physical or mental condition of the data subject or any other person.
Serious harm to physical or mental health or condition
Health data is exempt where granting a subject access request would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
This exemption only applies in the most serious cases and can only be used in consultation with an appropriate medical professional.
Personal data processed for the purposes of management forecasting or planning is exempt where disclosure would be likely to prejudice the conduct of that business or other activity of the council.
Certain educational data is exempt where:
Adoption records held by the council are exempt from the subject access provisions.
This exemption means that individuals (including adopted people, birth relatives, adoptive parents and prospective adoptive parents) are not able to use the route of subject access to obtain information of this nature. It would be a breach of the DPA to allow such access under a SAR.
There are special procedures for individuals to gain access to their adoption records. Due to the nature of the information it will involve appropriate counselling of the individual and more considered approach to obtaining the data, ensuring the individual is helped through the process.
My information is held by a service that the council has outsourced. Can I still make a SAR?
Yes you can. Although some services are being delivered in other ways such as by a commercial partner eg council tax or in a joint venture eg planning and environmental health, or by a shared service (eg legal services) the council remains the 'data controller' for the personal information. The council has ensured that this is covered fully in the contracts we have with the delivery units.
You can make the SAR to the outsourced or partner organisation (eg council tax or planning) and they will pass it to the council to be logged and processed. However, it is better to make the SAR directly to the council.
I’m not happy with how my SAR was handled
If you'd like to ask for a review of how your SAR was handled please email the Data Protection Officer at email@example.com explaining clearly and concisely why you are unhappy. We will review the SAR and your concerns and then write to you with our findings.
If you have already had a review and are still dissatisfied, you can complain to the Information Commissioner‟s Office:
Information Commissioner's Office
Water Lane Wilmslow Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate)
- Data Protection Officer
- Information Management Team, North London Business Park, Oakleigh Road South, London N11 1NP
- Tel: 020 8359 2000
- Email: firstname.lastname@example.org