Data Protection and the General Data Protection Regulation

The General Data Protection Regulation and the Data Protection Act 2018 have been introduced in order to protect information relating to living individuals and bring the legislation up to date to take into consideration the new technologies introduced since the 1998 Act. This information can be held either electronically or manually, for example, on a computer or in a filing cabinet.

As an individual you have many rights under the Regulation. These are:

  • the right to be informed how your information is being collected and processed
  • the right to request a copy of your own personal information
  • the right to request the Council to rectify inaccurate information
  • the right to request the Council erase information we are not required to process or keep
  • the right to restrict the processing of your information
  • the right to request your information is passed to another organisation (data portability)
  • the right to object to automated decision making and profiling regarding yourself

For more information, please refer to the Data Protection Policy and the procedure for your individual rights.

Processing Special Category Data

The Safeguarding Special Category Data Policy to the right explains what measures the Council will take to handle Special Category Personal Data securely and with respect for the rights of those the data concerns.

Law Enforcement Processing

The Law Enforcement (Data Protection) Policy to the right explains what measures the Council will take to handle Personal Data processed for law enforcement purposes securely and with respect for the rights of those the data concerns.

Data Protection Impact Assessment (DPIA)

Since the introduction of the General Data Protection Regulation it has become mandatory for organisations to carry out DPIAs in certain circumstances. The Council will always carry out a DPIA if we plan to:

  • Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
  • Process special category data or criminal offence data on a large scale.
  • Systematically monitor a publicly accessible place on a large scale.
  • Use new technologies.
  • Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
  • Carry out profiling on a large scale.
  • Process biometric or genetic data.
  • Combine, compare or match data from multiple sources.
  • Process personal data without providing a privacy notice directly to the individual.
  • Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
  • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
  • Process personal data which could result in a risk of physical harm in the event of a security breach.

We consider whether to do a DPIA if we plan to carry out any other:

  • Evaluation or scoring.
  • Automated decision-making with significant effects.
  • Systematic processing of sensitive data or data of a highly personal nature.
  • Processing on a large scale.
  • Processing of data concerning vulnerable data subjects.
  • Innovative technological or organisational solutions.
  • Processing involving preventing data subjects from exercising a right or using a service or contract.

We consider carrying out a DPIA in any major project involving the use of personal data.

If we decide not to carry out a DPIA, we document our reasons.

We carry out a new DPIA if there is a change to the nature, scope, context or purposes of our processing.

DPIA process checklist

The Council will:
  • describe the nature, scope, context and purposes of the processing.
  • ask our data processors to help us understand and document their processing activities and identify any associated risks.
  • consider how best to consult individuals (or their representatives) and other relevant stakeholders.
  • ask for the advice of our data protection officer.
  • check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance.
  • do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.
  • identify measures we can put in place to eliminate or reduce high risks.
  • record our decision-making in the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.
  • implement the measures we identified, and integrate them into our project plan.
  • consult the ICO before processing, if we cannot mitigate high risks.
  • keep our DPIAs under review and revisit them when necessary.
  • publish on this page DPIAs that are identified as high risk processing or require consultation with the ICO.
Last updated: 11 December 2018 12:13:35