The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) both apply in the UK and work together to govern the processing of personal data. The purpose of this data protection legislation is to protect people's personal information from misuse by placing controls on organisations and people who handle personal information.
The legislation has core principles which must be adopted when handling personal data.
Personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The legislation also has overarching themes of accountability and Privacy by Design. This means we need to keep adequate records of our actions and consider the privacy of personal information at the beginning of any of our work.
The DPA contains a number of terms. The key ones are defined below.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special category data
Special category data is more sensitive personal data relating to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data, biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
We are required to take extra care with special category data.
Criminal data is not considered special category data under the legislation, but it is to be treated with the same extra care as special category data and only processed where we have a legal right to do so.
An individual who is the subject of the personal data (you and me).
The person or organisation that determines what personal data is used for and how it is processed. The council is a data controller.
A person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used (often contractors and service providers).
Processing includes all actions in relation to personal data such as collecting, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, storing, erasing, destroying, blocking and disseminating.
The legislation gives individuals specific rights over their personal data.
- The right to be informed - we use privacy notices on our forms and our website, to tell you what information we hold about you and what we do with it
- The right of access - You have the right to access the personal data we hold about you. This is called a Subject Access Request (SAR)
- The right to rectification - you can ask us to correct data if you think what we have is incorrect
- Rights in relation to automated decision making and profiling - if a process is entirely automated, you have the right to ask for a human to look at any decision taken automatically.
The following are also rights, but are less relevant to the council because as a local authority we have legal duties for using personal data the way that we do. The ICO is the regulator for data protection, and has more information on these rights.
- The right to erasure - this is sometimes called the 'right to be forgotten'. As a local authority, we won't usually be able to agree to 'forget' you.
- Right to restrict processing
- The right to data portability
- The right to object - individuals have a right to object to processing in certain circumstances
Accessing your personal data or making a Subject Access Request (SAR)
A request for personal information held by the council about that person can often be dealt with as 'business as usual'. So if you're dealing with a council officer over an issue you can usually ask them for your personal information about that issue, eg. by email or letter. If you're not currently dealing with the council or want to ask for wider information (eg. "my council tax records", "anything the planning team hold about me", "the social work files about my youngest child") then we recommend that you apply formally for a SAR.
See our privacy notice if you would like to know more about how and why we use your personal information.
A subject access request (SAR) is a request from an individual for a copy of the personal information that is held about them.
Personal information can take many forms eg paper, electronic, CCTV footage, a picture or even an audio recording. It can include facts and information about an individual and also include views or opinions of others about the individual.
The act entitles the individual to receive:
- a description of the data
- an explanation of why the data is being held
- an explanation of who the data may be given to
- a copy of the data with any technical terms explained
- an explanation as to the source of the data
- an explanation as to how (if any) automated decisions taken about them have been made.
We must respond in one month, unless your request is considered complex, when we are allowed to take an extra two months. Sometimes we withhold information because the law requires us to, or allows us to, and these are called exemptions.
Can I make a SAR on someone else’s behalf?
You can make a SAR on someone else's behalf only if you meet one of the criteria below:
- You have their written permission to do so
- They are your child and are too young to make the request themselves (please bear in mind that a child is, in theory, entitled to make their own subject access request. Where it is felt that the child is of a sufficient age and maturity to understand the nature of the request, we may need to contact the child to discuss the request and ensure they are happy for the request to proceed)
- You have a power of attorney for the person concerned
- You have a court order authorising you to make the request
If none of the above apply you are unlikely to be able to make a SAR on their behalf.
How to make a subject access request (SAR)
You don't have to mention the Data Protection Act or a subject access request (SAR) for it to be a valid request.
The easiest and often quickest way to make a request is by completing our form, which you can download at the bottom of the page. Whilst you don't have to use our form, it does help us to locate the information you are looking for and verify your details quickly and easily.
A subject access request can be submitted by any means, i.e. by post, by email or even verbally. Whichever method you use, please try to provide us with enough detail to allow us to locate the information you are seeking. If your request is unclear, we may need to contact you again to verify your identity or request further information from you.
You will need to provide proof of your identity.
Proof of ID
It is important that the council is sure of your identity before releasing information.
You will need a photocopy of one of these:
- driving licence
- birth certificate
And a copy of one of these:
- a recent bank statement (with full address) dated within the last 3 months or
- a recent utility statement (with full address) dated within the last 3 months or
- Barnet council tax number (if you provide a council tax number we will check your council tax records as part of our process to verify your identity)
If you're acting on behalf of someone else, you still need to provide their identification documentation on their behalf.
Sometimes we can easily verify who you are without ID because we have been dealing with you recently, but it is usually quicker to provide ID when you make your request.
How much does it cost?
There is no charge for making a request.
How is the information sent?
We will send the information in the most appropriate way, depending on how much there is and how sensitive it is. If possible we will send by email (encrypted if necessary). Otherwise we will send by recorded or special delivery. You may be able to arrange to come to the council offices at North London Business Park in New Southgate to collect the information.
What happens if there's no response from a request after 1 calendar month?
Please check your email and post to see if you received a letter from us asking for more information. For example if you did not send the correct ID we will have contacted you to ask for this. The time we have to answer your request does not start until we have received the required proof of ID. We may also have asked for clarification if what you are asking for was not clear.
If you have checked and we are not waiting to hear from you with ID or to clarify then:
- If you have had an acknowledgement email from the council contact the person who sent it to ask them what has happened.
- If you haven't heard back from the council at all, please contact firstname.lastname@example.org with as much information as possible and we will look into it for you.
Will I get everything the council holds on me?
The council will send you the information you have asked for. However the council is allowed to withhold (redact) certain information in some circumstances. This is called an exemption. We have listed the common exemptions below.
Documents containing information about another person (third party)
Where information relates to another individual (a third party) as well as the person making the request, the information about the person requesting will not be released if doing so will mean that information relating to the third party would be disclosed. The exceptions to this are where:
In deciding whether it may be reasonable to disclose the following will be considered:
a) any duty of confidentiality owed to the third party
b) whether the council feels it is necessary to seek consent of the third party
c) whether the third party is capable of giving consent
d) any express refusal of consent by the third party.
The council will also consider whether the information in question is already known to the individual, or whether it is possible to undertake a partial redaction allowing us to disclose the information without identifying the third party.
Documents written by another person (third party)
Where a document is written by another person or organisation these are not automatically exempt.
Whilst the council is allowed to seek a view from the author of the document, it is the council's decision whether to disclose or not. Before applying this exemption the council will take the following into account:
Legally privileged information
Personal data is exempt if it consists of information for which legal professional privilege (LPP) could be maintained in legal proceedings. The LPP exemption is fairly narrow and cannot be applied to all legal documentation.
The actual content of the information is important when considering whether LPP applies as just the mere fact that it is a communication with a lawyer / solicitor does not make the document legally privileged.
LPP can be applied to documents created on instructing a lawyer or as a result of advice being given for the use in a legal case or in anticipation of a legal case.
Social work data is exempt where granting a subject access request would be likely to prejudice the carrying out of social work by virtue of resultant serious harm to the physical or mental condition of the data subject or any other person.
Serious harm to physical or mental health or condition
Health data is exempt where granting a subject access request would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person.
This exemption only applies in the most serious cases and can only be used in consultation with an appropriate medical professional.
Personal data processed for the purposes of management forecasting or planning is exempt where disclosure would be likely to prejudice the conduct of that business or other activity of the council.
Certain educational data is exempt where:
Adoption records held by the council are exempt from the subject access provisions.
This exemption means that individuals (including adopted people, birth relatives, adoptive parents and prospective adoptive parents) are not able to use the route of subject access to obtain information of this nature. It would be a breach of the DPA to allow such access under a SAR.
There are special procedures for individuals to gain access to their adoption records. Due to the nature of the information it will involve appropriate counselling of the individual and a more considered approach to obtaining the data, ensuring the individual is helped through the process.
My information is held by a service that the council has outsourced. Can I still make a SAR?
Yes you can. Some council services are delivered on our behalf by other organisations (contractors or service providers), like council tax or planning and environmental health, or by a shared service like our legal services. The council remains in control (the 'data controller') of the personal information though, and it is our responsibility to respond when you make a SAR.
I’m not happy with how my SAR was handled
You can ask us to review how your SAR was handled. Please email the Data Protection Officer at email@example.com explaining why you are unhappy. We will review the SAR and your concerns and then write to you with our findings.
If you have already had a review and are still unhappy, you can contact the Information Commissioner's Office:
Information Commissioner's Office
Water Lane Wilmslow Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate)
- Information Management Team
- North London Business Park, Oakleigh Road South, LONDON, N11 1NP
- Tel: 020 8359 2000
- Email: firstname.lastname@example.org