Data protection

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply in the UK and work together to govern the processing of personal data. 

They place duties on organisations on how they collect, process, store and disclose information about people.

It also gives individuals (data subjects) the right of access to information held about themselves.

Principles

The legislation has core principles adopted when handling personal data.

1. Lawful, fair and transparent. This means we must process information lawfully, fairly and in a transparent manner.
2. Purpose limitation. This means we must only collect data for specified, explicit and legitimate purposes. We will not use data for anything beyond the appropriate purposes.
3. Data Minimisation. We will only collect the minimum amount of data required for the purpose. We will not collect more data than is necessary. 
4. Accuracy. Personal data will be accurate and regularly updated where necessary. Every reasonable step must be taken to correct inaccurate data as soon as possible.
5. Storage Limitation. We will not keep identifiable data for a period longer than needed, according to the purpose for which the data is processed.
6. Integrity and Confidentiality. We will ensure that data is processed securely, depending on the type of data. We will safeguard against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Terms and definitions

The DPA contains a few terms. The key ones are below.

Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’.)

An identifiable natural person is one who can be identified, directly to indirectly, in particular by reference to an identifier such as your name, address, phone number or email address.

Special category data

Special category data is personal data relating to:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data; biometric data for identifying a natural person
• data about health
• data about a natural person’s sex life or sexual orientation

We take extra care with special category data as required.

Criminal data

Criminal data is not considered special category data under the legislation. It still gets the same care as special category data and only processed where we have a legal right to do so.

Data subject

An individual who is the subject of the personal data.

Data controller

The person or organisation that determines personal data usage and processing. The council is a data controller.

Data processor

A person or organisation which processes personal data for the data controller. Does not decide on data usage.

Processing

Processing includes all actions in relation to personal data such as, collecting, recording, storing, organising, altering, using, disclosing, destroying, sharing. 

Data Protection Complaints 

The council processes personal data in line with its Privacy Notices. We rely on several lawful bases to process personal data depending on the context: 

• consent: when you have given clear permission. 
• contract: when processing is necessary for a contract with you. 
• legal obligation: when required by law. 
• vital interests: to protect someone’s life. 
• public task: To perform official functions. 
• legitimate interests: For our or a third party’s legitimate interests, unless overridden by your rights.  
• where we consider using your data for a new purpose, we will assess its compatibility with the original purpose and ensure a lawful basis applies, in line with the DUAA. 

The majority of our functions fall under the category ‘public task’. 

If you have a data protection complaint, and / or you believe your personal data has been mishandled, please submit your concern using the Complaints Form. Your complaint will be acknowledged within 30 days.