The council's responsibilities
The new Data Protection Act 2018 protects information that identifies you. The act ensures the UK’s national data protection arrangements meet the new EU General Data Protection Regulation (GDPR).
We have to comply with the new act which strengthens data protection for all UK citizens in the following ways:
- stronger information security, data privacy and governance
- standardised data protection rules across Europe
- more citizen say over what organisations can do with their personal data
- bigger fines for non-compliance.
We have to ensure that we have a valid lawful basis in order to process personal data.
Personal data is all information that can identify you directly, or indirectly when used with other information, eg your name, job title, age, postal/email/IP address (online identifier), vehicle registration number, bank details, plus any other information that relates to you.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever we process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Special categories of personal data are information revealing race or ethnicity, religious or philosophical beliefs, trade union membership, your health, sex life or sexual orientation, and the processing of genetic or biometric data. These “special categories” need to meet higher standards when processed. They used to be known as “Sensitive Personal Data”.
Data controllers must comply with the seven data protection principles. These state that we:
- only collect the personal data we need
- only use it for a specific purpose
- process it lawfully and fairly
- keep it accurate and up to date
- get rid of it when we no longer need it
- keep it safe and protect it from wrongful use
- are transparent and document how we use it.
GDPR and the Data Protection Act 2018 give an individual the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision-making and profiling.
There are some exemptions to disclosure of information to data subjects under the terms of the Act, for example, if disclosing the information would adversely affect the detection of crime or the assessment of taxes or duty. Disclosure of some health and social work records may also be limited.
Data Protection Officer
The council has a data protection officer and has notified the Information Commissioner’s Office (ICO).
Our data protection officer:
- advises us on how to comply with our data protection obligations and your data rights
- helps us monitor how we comply with our obligations and your rights
- is our contact for the ICO.
You can contact them about your concerns at firstname.lastname@example.org or by writing to:
Data Protection Officer, Ealing Council, Perceval House, 14-16 Uxbridge Road, Ealing W5 2HL