Our policy statement


The council's responsibilities


The council (known as the data controller under the Act) has to notify its automated processing activities to the Office of the Information Commissioner. Manual files are exempt from notification but these still need to comply with the provisions of the Act. Failure to notify is a criminal offence.

The Data Controller must satisfy one of the preconditions for processing personal data set out in the Act (schedule 2) for each system (eg payroll, benefits, student awards).

These include:

There are other preconditions for processing sensitive personal data. Contact your data protection lead officer for further information.

Data controllers must comply with the eight data protection principles. These state that personal data must be:

  1. processed fairly and lawfully
  2. obtained only for specified and lawful purposes
  3. adequate, relevant and not excessive for the purpose
  4. accurate and up to date
  5. kept no longer than necessary
  6. processed in accordance with the rights of the data subject
  7. protected against unauthorised or unlawful processing, and against accidental loss or destruction
  8. not transferred outside of the European Economic Area unless an adequate level of protection is ensured.

What the Act means to an individual
The Data Protection Act gives an individual (a member of the public or a member of staff) the following rights:

  1. Access to the register of notifications - this is available at the Office of the Information Commissioner: the council's notification will also be available on the Ealing website.
  2. Upon written application, access within 40 days to information held by the council regarding their personal details. Under the 1998 Act the data subject is also entitled to: 
    • a description of the data being processed
    • the purposes for which it is being processed
    • a description of the recipients
    • the source of the data
    • where any decision is taken based solely on an automated process.
  3. Upon written notice require the data controller to cease or not to begin processing their personal data where processing is causing or likely to cause unwarranted substantial damage or distress to themselves or another. (The data controller must respond within 21 days outlining the action proposed.)
  4. Upon written notice require the data controller to cease or not to begin processing their personal data for the purposes of direct marketing, including disclosure to third parties for that purpose. (The data controller must cease the processing within 28 days.)
  5. Upon written notice require the data controller not to take any decision which significantly affects them that is based on automated decision taking.
  6. Entitlement to compensation where an individual suffers damage and/or distress resulting from any contravention of the Act unless the data controller can prove all reasonable care had been taken in the circumstances.
  7. Right to apply for a court order requiring rectification, blocking, erasure or destruction of inaccurate personal data (including expressions of opinion based on inaccurate data), or of data processed in contravention of any provision of the Act where the subject is entitled to compensation from the controller and the court is satisfied that there is substantial risk of further contravention.
  8. Right to require that third parties to whom inaccurate or contravening data has been disclosed be notified of the fact.
  9. Ask the commissioner to assess whether or not processing of personal data is being carried out by the data controller in compliance with the Act if an individual has reason to believe they may have been adversely affected by the processing of their data.

Exemptions
There are some exemptions to disclosure of information to data subjects under the terms of the Act, for example if disclosing the information would adversely affect the detection of crime or the assessment of taxes or duty. Access to some health and social work records may also be limited.