Exercising your data protection rights

The GDPR provides the following rights regarding the personal data the council, as a data controller, processes about you:

The right to be informed

The right of access

The right to be forgotten

The right to rectification

The right to restrict processing

The right to data portability

The right to object

Rights in relation to automated decision making and profiling

If you wish to ask us anything about data protection, want to ask for a copy of your data, or you have a complaint about how we have used or looked after your data, you may contact our Data Protection Officer at:

Data Protection Officer
Spelthorne Borough Council
Council Offices
Knowle Green
Staines-upon-Thames
TW18 1XB
Email: data.protection@spelthorne.gov.uk

If you are ever unhappy with how the council has answered your complaint, you can then contact the Information Commissioner's Office, at:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AX
Website: www.ico.org.uk
Email: casework@ico.org.uk

Further information about exercising each of these rights

Right to be informed

A privacy notice will be provided to you explaining how and why we intend to process your data. This 'Privacy Notice' will be based on the general statement on our website but with details specific to the service you are involved with.

This information will be on the website, on the form you complete or you will be told verbally over the phone.

When does this apply?

When we first gather information from you we will confirm that:

  • we are the data controller
  • let you know who our Data Protection Officer is and how to make contact
  • the legal basis for processing your data and the purpose(s) we will use it for
  • any consequences of you not providing all the data requested
  • who we share this with and how long we keep them for
  • we will let you know your rights to have data rectified, to be forgotten, to portability, to object to processing and to complain
  • we will let you know if the data will be subject to any automated decision making
  • transfers outside European Economic Area and
  • if the data was not provided by you, the identity of the source and the categories of data we hold

If we intend to use your data for a purpose other than that which we initially intended we will also issue you a further privacy notice prior to processing.

When does this not apply?

If you already have this information.

Right of access

You can ask for a copy of the data we hold on you. This is also known as a Subject Access Request.

When does this apply?

This applies to any personal data that we hold and we can tell you what data and what categories of data we hold.

To help us do this we will ask you to tell us which services are likely to hold your data, for example there may be a Housing Benefit file, employment records, housing file or a topic or area of correspondence you have had.

You will need to provide proof of your identify, including a utilities bill or bank statement with your current address and something confirming your identity such as a driving licence or birth certificate so that we can ensure that the correct data is provided to you and that your data and the data of others is adequately protected.

Data will, where ever possible, be sent to you electronically, and there is no charge. However if you request further copies, we may charge or consider if we can meet the request.

We will let you know the purpose(s) the data is processed for, and any other organisations we share the data with, also if any data we hold is collected from other sources.

For example

We may be given data from the Department of Work and Pensions regarding benefit applications.

In order to provide you with services such applications for Housing we will share your data with our Housing partners.

We have set periods (or retention schedules) that we hold data for, which vary depending on the service and we will tell you how long we will hold data for each relevant service. We will also tell you the legal basis we have for processing the data.

The data we hold is safely stored and processed. If any of your data is transferred outside the European Economic Area and to a territory without adequate security we would let you know but we do not believe we hold any data that falls into this category.

If your data is processed and automated decisions made or we conduct any profiling, we will also let you know of this. Further details on your rights regarding automated decisions and examples of when this may occur can be found at section viii. And we will let you know your rights to rectify inaccurate or incomplete data, to object to processing, restrict access to your data and to complain.

When does this not apply?

There are some circumstances in which we cannot provide your data.

The law permits us to reject a request that is manifestly unfounded or excessive. If we believe this to be the case we will let you know why we think this is the case.

If it is necessary to protect the rights and freedoms of others.

For example

If other family members' details are in your social care or housing file, we would need to either obtain their permissions to share this part of the file or redact that data.

Other exemptions are yet to be defined under the GDPR and this booklet will be updated once UK legislation is passed.

Current exemptions under the Data Protection Act 1998 may be reflected and these include:

  • confidential references
  • publically available information
  • crime and taxation (the prevention and detection of crime, prosecution of offenders and the assessment or collection of tax)
  • management information (for forecasting or planning)
  • negotiations with the requestor
  • regulatory activities
  • legal advice and proceedings
  • social work records (if the data would be likely to prejudice the carrying out of social work by causing harm to the health of the requestor
  • other exemptions can apply to health records and education

Right to be forgotten

This allows you to request that we delete our records or some of our records in so far as they identify you. It does not apply in all circumstances.

When does this apply?

If you provided the information with your consent.

For example
You agreed to take part in a consultation or you signed up for a newsletter. You can withdraw your consent.

  • if the data is no longer necessary and the timescale for us to keep records has expired
  • if the data is being unlawfully processed, e.g we have processed data for a purpose we were not entitled to
  • if the data was provided on line when you were a child and you or your parent(s) gave consent at the time. However we do not think that the council holds any data that falls in this category
  • if you successfully object to the data processing under the Right to Object (see section vii)
  • if we are obliged to erase the data to comply with a legal obligation
  • and if we have made the data available on-line or to others, we will need to erase that data or ask the other party to do so

When does this not apply?

If we need the information to provide a service we are authorised to provide by law, for a legal obligation or we believe the data to be necessary for a task in the overriding public interest.

  • if the data is required for a contract to which you are party
  • if records are required to protect public health
  • if we require the data to establish, exercise or defend a legal claim
  • if records are required for archiving in the public interest or for scientific or historical interest

For example
A task carried out in the public interest will include a wide range of the council's functions such as:

  • assessing and collecting Council Tax and Business Rates
  • processing anti-social behaviour complaints
  • refuse collection
  • FOI requests
  • data matching for Troubled Families initiative.

So if you ask for your complaints of noise nuisance or antisocial behaviour to be erased, the council will have to consider whether there are overriding reasons in the public interest to keep those records.

This may be to ensure sufficient evidence is held to rectify the nuisance for the good of the community balanced against any possible detriment to you. 

But if you ask for Council Tax records to be erased the council on balance is likely to say they need to be retained until the end of the statutory retention period to be sure all monies due are appropriately charged and collected.

Right to rectification

This concerns correcting your personal data that is held.

When does this apply?

If you believe the data held is not accurate, you can request that it is corrected without undue delay. Similarly if data is incomplete you can ask that it is completed.

When does this not apply?

We are obliged to correct incorrect data and incomplete data without undue delay.

However if we need to make further checks or dispute that the data we hold is incorrect we may restrict access to the data pending a decision.

Rectification can be achieved by adding to the record or creating a supplementary record. Even if we decide that the information is correct, we will place a statement from you on the record with the data you believe to be correct or stating your dispute.

And if we have made the data available on-line or to others, we will need to correct that data or ask the other party to do so. 

Right to restriction of processing

You can ask that access to your records is limited in certain circumstances.

When does this apply?

If you are contesting the accuracy of the data on record and we are seeking to verify it.

If the processing of your data is unlawful, but you want the record preserved.

  • this could be because you are pursuing a complaint
  • this could also be while you are making an objection to the council processing your data under a lawful authority. This also applies to objections to processing under legitimate interest but the council will not be processing data under this condition
  • in these circumstances the council may only process the data with your consent or to establish exercise or defend a legal claim or to protect the rights of another person or important public interest.

For example

You object to the council processing school attendance data for your children as you believe the records are inaccurate. The council may restrict access to the data while your objection is being considered and the data verified.

An exception to this may be if the matter is being contested in court

And if we have made the data available on-line or to others, we will need to restrict that data or ask the other party to do so. 

While there is a request for restriction of processing, we must inform you before lifting that restriction.

Right to portability

This allows you to be provided with a copy of your data in an accessible electronic format. This does not apply to all data.

When does this apply?

  • if you gave us the data with your consent
  • if the data was provided as required for a contract between you and the council
  • if the processing is electronic

When does this not apply?

  • it does not apply to data collected in any other circumstances
  • the data we provide to you can also include data directly observed from the information you provided to us

For example

If you have used the Idea Store lending service you may ask to have a copy of your registration record and all transactions from the lending services.

At your request we can pass this data to another data controller. 

Eg if you move to another authority you may wish to transfer details, but as this does not apply to data we process for a task carried out in the public interest so many of the Council's services will not be able to comply with such a request.

Right to object

You have the right to object to the Council processing your data if you dispute the authority to processed data.

When does this apply?

The GDPR provides a right to object to data processed under 'lawful authority' and 'legitimate interests'. We will focus primarily on lawful authority.

The GDPR provides for a local authority to process data to perform a task carried out in the public interests or with lawful authority.

This condition will cover almost all services that the council provides and some services will also be covered by a specific legal obligation to process the data.

Some examples were given in Right to be Forgotten, other examples are:

  • complaints records
  • schools admissions and appeals
  • social care records
  • housing applications and medical assessments
  • homeless services
  • parking
  • leisure centres
  • Public Health
  • Special Educational Needs
  • waste collection

If you make an objection, you can ask that we restrict processing while you objection is being considered.

When does this not apply?

When the council has demonstrated overriding grounds to continue processing.

The council will have to demonstrate overriding grounds to continue processing your data under its lawful authority or a task carried out in the public interest, or to establish exercise or defend a legal claim.

You can also object separately to your data being used for direct marketing and for research. You can also object to your data being processed for research purpose unless the council has public interest justification for this.

When conducting research we will in most instances anonymise the data so your personal data cannot be identified. Or there may be projects where we combine data and then remove any personal identifiers. This way the outcomes are not linked to any individuals.

Right to object to automated decision making

Some decisions are made by machine calculation of data held.

When does this apply?

The regulation allows you to object to having decisions made by an automated process.

For example:

We match applicants for housing with suitable properties according to the established policy criteria and data held on their application record

This also includes profiling data which has a legal or other significant effect on you. Profiling could mean analysing and predicting your performance at work, your economic situation, your health, your location or movements, and you preferences or behaviour. The council is unlikely to undertake profiling that has a significant and/or legal impact but will at times use data held to identify populations impacted by policy and legislative changes.

For example

We may wish to notify and assist residents who are likely to be affected by changes in benefit law such as the bedroom tax, and will use the data we hold to decide who we need to contact about the changes.

When does this not apply?

  • if the processing is necessary for a contract between you and the council, for example, your employment contract
  • for tax evasion, fraud or regulatory activities or the council
  • if processing is authorised by law with necessary safeguards to your rights and freedoms
  • if you gave explicit consent
  • if you object, you have the right to have the decision explained to you
  • you also have the right to have manual intervention so the decision is verified

For example

Your lettings bid will be processed and all applicants for the property will be ranked in report according to the range of factors relevant to their application. This will include the overcrowding, medical factors, the application's preference data.

You can ask for this automated decision to be explained to you and to have an officer review the decision / preference ranking for that offer.