Data Protection at Allerdale Borough Council - General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Act 2018. The GDPR sets out requirements for how organisations will handle personal data from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This is a public statement of how our organisation applies data protection principles to processing personal data.
Service Specific Privacy Notices
The Council has to process personal data in order to carry out our functions as a borough council, but we can only do this where there is a legal basis. This is known as the ‘lawful basis for processing’. GDPR extends individuals’ rights in terms of this processing, for example the right of access (also known as Subject Access Requests). It also introduces some new ones, such as the right to erasure, right to restrict processing and the right to data portability. However, these rights are not absolute and their availability depends on which lawful basis for processing the Council is using. This means that, due to the nature of our business, not all of the individuals’ rights listed below are applicable to everyone.
|Lawful basis||Right to erasure||Right to portability||Right to object|
Right to be informed
The GDPR sets out the information that we must supply and when individuals must be informed. We do this through a ‘Privacy Notice’. The notice also provides more details on which of the lawful bases for processing we use.
Right to access
The reason for allowing individuals to access their personal data is so that they are aware of what we hold and can verify that we have a valid lawful basis to process it. We will usually supply this information free of charge unless the request is manifestly unfounded or excessive. It will be provided without delay and at the latest within one month of receipt, although this can be extended by two months where requests are complex or numerous. As we must verify the identity of the person making the request, individuals will be asked to provide two proofs of identity, including confirmation of their current address. Copies will be accepted if posted but we reserve the right to have sight of original documentation. Please note, a signed letter of authority from the data subject will be required if someone else is acting as their agent. Normally we will disclose the requested information but on occasion it may not be possible to do so if supplying it would be likely to, for example, compromise the way a crime is detected/prevented. Whilst requests can be made verbally, by letter and by email to our Data Protection Officer, we also have a standard form that you can complete and submit to us electronically.
Right to Rectification
Individuals can ask us to rectify any inaccuracies in the personal data we hold about them, including incomplete data. Personal data is deemed inaccurate if it is incorrect or misleading. As a matter of good practice, we should restrict the processing of the personal data in question whilst we are verifying its accuracy, whether or not you have exercised your right to restriction. We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it. Where we’ve disclosed the personal information to a third party we must also inform them of the rectification where possible. We have a month to respond to the request unless it’s complex, in which case we can extend the timescale by two further months. If we do not take any action in response to a request for rectification we will notify you and inform you of your right to complain to the ICO. As above, you can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Right to Erasure
Formerly known as ‘the Right to be Forgotten’.
The right is not absolute and only applies in certain circumstances. You can ask us to do this where there is: a problem with the underlying legality of processing; consent is withdrawn; the data is no longer necessary for the purpose for which it was collected or processed; or there is no overriding legitimate interest for continuing the processing. Again we have one month to comply. We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it. The Council will also inform any third parties to whom we have already disclosed the personal data, unless it is impossible or involves a disproportionate effort. Please note, the right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
As above, you can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Right to Restrict Processing
This is where data is held in limbo whilst challenges to its processing are resolved. In most cases we will not be required to restrict your personal data indefinitely, but only for a certain period of time. This is not an absolute right and only applies in certain circumstances, i.e. where: an individual disputes the accuracy of the personal data; where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual; where processing is unlawful but the individual objects to erasure; or where we’ve no further use for the data but an individual requires it for legal claims. In these circumstances the Council may store the personal data but not process it further. However, we will retain just enough information to ensure that the restriction is respected in the future. The GDPR suggests a number of different methods that could be used to restrict data, such as:
- temporarily moving the data to another processing system;
- making the data unavailable to users; or
- temporarily removing published data from a website.
We will act upon a request without undue delay and at the latest within one month of receipt. If we decide to subsequently lift a restriction we will notify you of this before the restriction is removed. As above, you can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Right to Data Portability
This right allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. However, it only applies to personal data which you have provided to us, where processing is based on consent or in performance of a contract and when processing is carried out by automated means.
If you request it, and it is technically feasible, we may transfer data directly to another organisation.
We must respond to such a request within one month, although this may be extended to two months if the request is complex or we receive a number of requests. If we are unable to comply we will let the individual know and inform them of their right to complain to the ICO.
Right to object
This right only covers specific types of processing, although there is an absolute right to stop direct marketing. Whether it applies depends on our purposes for processing and our lawful basis for processing. The Council processes the majority of personal data based upon our ‘public task’ responsibilities (i.e. for the performance of a task carried out in the public interest or for the exercise of official authority vested in us). In these circumstances you must give specific reasons why you are objecting to the processing of your data, based upon your particular situation. We must cease processing unless we can demonstrate: compelling legitimate grounds which override your interests, rights and freedoms; or where processing is required for legal claims. In particular, if you object on the grounds that the processing is causing you substantial damage or distress (e.g. the processing is causing you financial loss), the grounds for your objection will have more weight. It is our responsibility to demonstrate that our legitimate grounds override yours. As above, you can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Rights related to automated decision making, including profiling
Automated individual decision-making is a decision made by automated means without any human involvement. Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals.
At Allerdale Borough Council the only automated decision making carried out relates to risk based verification in our Customer Accounts section (Housing Benefit and Council Tax) where an algorithm is used to group applications by risk level. However, the final decisions are always made by an officer. As above, you can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
If you are dissatisfied with the way your request has been handled you should initially contact the Information Governance Officer at email@example.com or on 01900 702898. You can also complain to the Information Commissioner at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113; www.ico.gov.uk. Please note, generally the ICO will not make a decision unless you have exhausted the complaints procedure provided by Allerdale Borough Council.
Allerdale Borough Council’s Data Protection Policy
This policy applies to the collection and processing of all personal data. Compliance with the policy ensures that processing is carried out in accordance with the principles of GDPR.
Download Allerdale Borough Council's Data Protection policy