Changes to Data Protection Regulations (GDPR)
New General Data Protection Regulation (GDPR) started on 25 May 2018. Data can seem a complex subject, but its part of everything we do. The GDPR puts customers' rights at the centre of data protection. It will change how businesses and local authorities handle the information held on you.
There are quite a few differences between the way things work now and the way they will work in the future. The GDPR will make it much easier for you to get hold of the information organisations hold on you, and will give you the right to withdraw consent for your personal data to be used, when consent is used as the lawful basis for processing your data. You can request information held on you free-of-charge.
- you will be able to get hold of the information organisations hold on you much more freely
- it will be simpler for you to withdraw consent for your personal data to be used
- you will be able to ask for data to be deleted
- councils and all organisations will need to obtain "explicit" consent when they process sensitive personal data
- personal data will include things such as IP addresses, DNA and small text files known as cookies
- it will be a criminal offence to re-identify anyone from anonymised or pseudonymised data
Both personal data and sensitive personal data are covered by GDPR.
What is personal data?
Personal data is information about a living individual from which that person can be identified. That information can be in a variety of formats. For example it might be on computer, in a paper filing system or in more unusual formats such as CCTV footage.
Why does Erewash Borough Council collect data about people?
We need to collect personal data to fulfil our functions in relation to the provision of services such as planning, environmental health, enforcement, licensing, collection of council tax and business rates, and payment of Housing Benefits.
What principles apply to the collection of personal data?
There are six governing principles that must be followed in relation to the processing of data about individuals:
- Personal data should be processed fairly, lawfully and in a transparent manner.
- Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
- The data should be adequate, relevant and not excessive.
- The data should be accurate and where necessary kept up to date.
- Data should not be kept for longer than necessary.
- Data should be kept secure.
For more information, see our Data Protection Policy.
Subject Access Requests
As a data subject you have the right:
- to be told whether we are processing information about you,
- to be provided with a description of the data, why we are processing it and the sorts of people or organisations we might disclose the information to,
- to be provided with a copy of the data in an intelligible and permanent form, and
- to be told, if we know, where the information was obtained from.
How do I make a Subject Access Request?
You must make a Subject Access Request (SAR) in writing with a verifiable signature. You can do this by using our Subject Access Request Form.
When making a Subject Access Request you will be asked to provide some means of identification. This is to safeguard all Data Subjects by making sure that we only supply information to those who are entitled to receive it. Acceptable forms of identification are a birth certificate or driving license or a photocopy of either. Original documents, if provided, will be returned to you as soon as possible.
If I am unable to make a Subject Access Request myself can I ask somebody to do it for me?
Yes, but you will need to give them authority to do so. If there is no-one who can help you then let the Data Protection Officer at the Council know and they will make arrangements for somebody to assist you if necessary.
Is there a fee to make a Subject Access Request?
There is no fee for the provision of a subject access request following the introduction of GDPR on the 25 May 2018.
How long will a Subject Access Request take?
We will endeavour to provide you with the requested information as soon as possible and no later than 1 (one) month from receipt of a valid request.
Can I always obtain information about myself?
Not always. The Regulation has a number of exemptions. If you make a Subject Access Request and we consider that the information concerned is exempt from any provision of the Act then we will explain why. If you disagree with our view, you can ask us to reconsider or you can take the matter up with the Information Commissioner who oversees compliance with this legislation whose details are given at the end of this page.
What can I do if I think that information you hold about me is incorrect?
Write to us explaining what you think is wrong and ask for the data to be corrected. We must tell you what we have done or intend to do within 21 days. If you do not agree with our decision, you can ask us to record that disagreement for future reference - or you can take the matter up with the Information Commissioner.
Can I claim any compensation if I think that information about me has been wrongly used?
If we have broken any of the rules or conditions established by the Regulation and you have suffered damage or distress as a result of this, then you may be able to claim compensation through the Courts. Any such claim will need to show that we had not taken reasonable care to comply with the GDPR.
To get in touch about data protection contact the Data Protection Officer at firstname.lastname@example.org
Or write to
The Performance and Community Manager
Erewash Borough Council
Ilkeston Town Hall
The ICO is the UK's independent body set up to uphold information rights. The ICO has a duty to promote public access to official information and protecting your personal information and provides extensive guidance on how people can exercise their rights. For more information visit the ICO website or call 0303 123 1113