General Data Protection Regulations
What is the General Data Protection Regulation?
General Data Protection Regulation (GDPR) is the new legal framework in the EU that came into force on 25 May 2018. Since leaving the EU the UK has brought into law the UK GDPR. There is also a new Data Protection Act 2018. This new Act adds to the UK GDPR and provides new rights to individuals concerning their personal data.
Data Protection Officer
The council has a Data Protection Officer who is responsible for data protection matters and can be contacted by email at data.protection@redbridge.gov.uk
What does this law mean for me?
The rights that individuals have about how their personal data is handled and stored have been changed and enhanced. You can find out about the UK GDPR rights on the Information Commissioners Office (ICO) ICO website. You have the right to know how your data has been processed and make requests, in certain circumstances. These are outlined below.
To request information we hold about you - subject access requests
Anyone can make a request to the council for the information it holds about them. Please only ask for the information you actually need, to save time and allow us to be more efficient. There is no fee. You will need to provide proof of your identity and address. Once we have a valid request we will have a month to provide the information requested which we can extend in some circumstances. We are allowed to remove (redact) information, for example, legal advice or information about other people. We have a web form for you to make a subject access request. Find out how to make a subject access requests
Consent
If we are relying on consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The council does not rely on consent in most cases because it has legal duties to do certain tasks. For example, processing planning applications, collecting council tax payments and social work tasks are based on legal duties, not on consent.
Legal basis
We will need to consider appropriate lawful grounds for processing your data if you have consented to the processing and decide later to withdraw your consent.
Transparency
To comply with the law we must provide detailed information on why and how we are processing the data. This is done through our Privacy Notices.
Data portability
To transfer personal data you have given to us, from our electronic processing system to and into another organisation's electronic processing system.
Erased
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above we will not rely on consent in many cases.
Correction
You have the right to make changes to inaccurate data.
Automated decisions and profiling
If we process your personal data based on automated decisions, and this will have a legal or similarly significant effect on you, then you can request a written explanation of the decision made and you can contest the results of the decision.
Accountability
As a Data Controller we have to be able to demonstrate how we comply with the law when collecting and processing your personal data.
Personal data and ‘special categories of personal data’
The law applies only to ‘personal data’. You can find out more about personal data and the UK GDPR regulations on the ICO website. Special category personal data is personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or is about their health, sex life or sexual orientation and includes genetic and biometric data. The council has to comply with more safeguards when processing special personal data.
Redbridge's commitments under GDPR
Redbridge's commitment will be to ensure that the data is:
- processed lawfully, fairly and in a transparent manner
- collected is for a specific and legitimate purpose - it will not be used for anything other than this stated purpose
- relevant and limited to whatever the requirements are for which they are processed
- accurate, and where necessary, kept up to date. Any inaccuracies will be amended or removed without undue delay.
- stored for as long as required, as specified in our records retention policy
- secured with appropriate solutions, which protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The council will demonstrate its compliance with these principles.
Redbridge's commitments to processing personal data lawfully
The council will make sure that it meets the conditions necessary for processing personal data lawfully and will make sure this is adequately recorded. There are a number of ways that processing can be lawful. Consent is one method, but it is important to know that consent is not always required and the council can lawfully process personal data as long as a condition is met. For example, the council would be unlikely to be able to collect council tax arrears if residents could withdraw their consent for processing their data for this. You can find out more about the conditions on the ICO website GDPR guide.
The lawful basis for your processing can also affect which rights are available to individuals. For example:
| Lawful basis | Rights of individuals | |||||
| Access | Rectification | Erasure | Restrict | Portability | Object | |
| Consent | ✓ | ✓ | ✓ | ✓ | ✓ | X but can withdraw consent |
| Contract | ✓ | ✓ | ✓ | ✓ | ✓ | X |
| Legal obligation | ✓ | ✓ | X | Limited | X | X |
| Vital interests | ✓ | ✓ | ✓ | Limited | X | X |
| Public task | ✓ | ✓ | X | ✓ | X | ✓ |
| Legitimate interests | ✓ | ✓ | ✓ | ✓ | X | ✓ |
Note that not all of these rights are absolute, and there are other rights which may be affected in other ways. For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice.
