Skip to main content

Data Protection at Allerdale Borough Council - General Data Protection Regulation (GDPR)

What is the GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Act 2018. The GDPR sets out requirements for how organisations will handle personal data from 25 May 2018.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 

Privacy notice

This is a public statement of how our organisation applies data protection principles to processing personal data.

Service specific privacy notices

Individual's Rights

The Council has to process personal data in order to carry out our functions as a borough council, but we can only do this where there is a legal basis. This is known as the ‘lawful basis for processing’. GDPR extends individuals’ rights in terms of this processing, for example the right of access (also known as Subject Access Requests). It also introduces some new ones, such as the right to erasure, right to restrict processing and the right to data portability.  However, these rights are not absolute and their availability depends on which lawful basis for processing the Council is using. This means that, due to the nature of our business, not all of the individuals’ rights listed below are applicable to everyone. 
 

Individual's rights
Lawful basisRight to erasureRight to portabilityRight to object
ConsentYesYesNo
ContractYesYesNo
Legal obligationNoNoNo
Vital interestsYesNoNo
Public taskNoNoYes
Legitimate interestsYesNoYes

Right to be informed 

The GDPR sets out the information that we must supply and when individuals must be informed.  We do this through a ‘Privacy Notice’. The notice also provides more details on which of the lawful basis for processing we use.

Right to access 

The reason for allowing individuals to access their personal data is so that they are aware of what we hold and can verify that we have a valid lawful basis to process it.

We will usually supply this information free of charge unless the request is manifestly unfounded or excessive. It will be provided without delay and at the latest within one month of receipt, although this can be extended by two months where requests are complex or numerous.

As we must verify the identity of the person making the request, individuals will be asked to provide two proofs of identity, including confirmation of their current address. Copies will be accepted if posted but we reserve the right to have sight of original documentation. Please note, a signed letter of authority from the data subject will be required if someone else is acting as their agent.

Normally we will disclose the requested information but on occasion it may not be possible to do so if supplying it would be likely to, for example, compromise the way a crime is detected/prevented.

Requests can be made verbally, by letter and by email to our Data Protection Officer. You can email requests to foi@cumberland.gov.uk

Right to Rectification 

Individuals can ask us to rectify any inaccuracies in the personal data we hold about them, including incomplete data.

Personal data is deemed inaccurate if it is incorrect or misleading.

As a matter of good practice, we should restrict the processing of the personal data in question while we are verifying its accuracy, whether or not you have exercised your right to restriction.

We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it.

Where we’ve disclosed the personal information to a third party we must also inform them of the rectification where possible.

We have a month to respond to the request unless it’s complex, in which case we can extend the timescale by two further months. If we do not take any action in response to a request for rectification we will notify you and inform you of your right to complain to the ICO.

You can make a request for rectification verbally, by letter and by email.  We also have a standard form that you can complete and submit to us electronically.

  Make a request

Right to Erasure 

Formerly known as ‘the Right to be Forgotten’.
The right is not absolute and only applies in certain circumstances.

You can ask us to do this where there is: a problem with the underlying legality of processing; consent is withdrawn; the data is no longer necessary for the purpose for which it was collected or processed; there is no overriding legitimate interest for continuing the processing.

We have one month to comply.  

We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it.

The council will also inform any third parties to whom we have already disclosed the personal data, unless it is impossible or involves a disproportionate effort.

The right to erasure does not apply if processing is necessary for one of the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processingr
  • for the establishment, exercise or defence of legal claims.

You can make a request for rectification verbally, by letter and by email.  We also have a standard form that you can complete and submit to us electronically.

Apply online here

Right to Restrict Processing 

This is where data is held in limbo while challenges to its processing are resolved.

In most cases we will not be required to restrict your personal data indefinitely, but only for a certain period of time.

This is not an absolute right and only applies in certain circumstances, ie where an individual disputes the accuracy of the personal data; where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests) and we are considering whether our organisation’s legitimate grounds override those of the individual; where processing is unlawful but the individual objects to erasure; where we’ve no further use for the data but an individual requires it for legal claims.

In these circumstances the council may store the personal data but not process it further. However, we will retain just enough information to ensure that the restriction is respected in the future.

The GDPR suggests a number of different methods that could be used to restrict data, such as:

  • temporarily moving the data to another processing system
  • making the data unavailable to users
  • temporarily removing published data from a website.

We will act upon a request without undue delay and at the latest within one month of receipt. If we decide to subsequently lift a restriction we will notify you of this before the restriction is removed.

You can make a request for rectification verbally, by letter and by email.  We also have a standard form that you can complete and submit to us electronically.

Make your request here

Data Portability 

This right allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.  However, it only applies to personal data which you have provided to us, where processing is based on consent or in performance of a contract and when processing is carried out by automated means.

If you request it, and it is technically feasible, we may transfer data directly to another organisation. 

We must respond to such a request within one month although this may be extended to two months if the request is complex or we receive a number of requests.

If we are unable to comply we will let the individual know and inform them of their right to complain to the ICO.

Make an application here

Right to object 

This right only covers specific types of processing, although there is an absolute right to stop direct marketing. Whether it applies depends on our purposes for processing and our lawful basis for processing.

The council processes the majority of personal data based upon its ‘public task’ responsibilities (ie for the performance of a task carried out in the public interest or for the exercise of official authority vested in it). In these circumstances you must give specific reasons why you are objecting to the processing of your data, based upon your particular situation.

We must cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms or where processing is required for legal claims.

In particular, if you object on the grounds that the processing is causing you substantial damage or distress (eg the processing is causing you financial loss), the grounds for your objection will have more weight.

It is our responsibility to demonstrate that our legitimate grounds override yours.

You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.

Make a request here

Rights related to automated decision making, including profiling

Automated individual decision-making is a decision made by automated means without any human involvement.

Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. 

You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.

Complete the form here

Complaints

If you are dissatisfied with the way your request has been handled you should initially contact the Information Governance Officer at foi@allerdale.gov.uk or  by telephone . You can also complain to the Information Commissioner at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone: 0303 123 1113 ; www.ico.org.uk . Please note, generally the ICO will not make a decision unless you have exhausted the complaints procedure provided by Cumberland Council.

Download Allerdale Borough Council's Data Protection policy
Council Strategy design

Cumberland Council

On 1 April 2023 local government in Cumbria changed, with Cumberland Council providing all your council services.  

Don't worry though, your bins will be emptied as normal, and you'll still be able to speak to the same team about any enquiries to do with things like council tax, benefits, planning or any other service.

Find out more about the changes.

Keep up to date by finding and following the new council on Facebook, Twitter and LinkedIn. 

Sign-up to receive updates straight to your email inbox.

Accessibility and language tool

Use the ReciteMe toolbar for accessibility and language options