General Data Protection Regulations
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the new legal framework in the EU, which will come into force on 25 May 2018. There will also be a new Data Protection Act, which is currently going through Parliament. This new Act will add to the GDPR and provide new rights to individuals concerning their personal data. Neither is in force yet, so this page provides information in advance of the law changing.
Data Protection Officer
Under the new law, the council must have a named Data Protection Officer who is responsible for data protection matters and available to contact by members of the public. Redbridge's Data Protection Officer is Fiona Alderman, the Assistant Director of Assurance. She has been appointed to lead on the council’s preparation for the new law. She can be contacted by email at firstname.lastname@example.org
What will this new law mean for me?
The rights that individuals have about how their personal data is handled and stored are being changed and enhanced. You can find out about the GDPR rights on the Information Commissioner's Office (ICO) website. You will have the right to know how the data has been processed and to make requests, in certain circumstances. These are outlined below.
To request information we hold about you - subject access requests
Under the new law, like now, everyone can make a written request to the council for the information it holds about them. Please only ask for the information you actually need, to save time and allow us to be more efficient. When the new law comes into force, there will be no fee. You will need to provide proof of your identity and address. Once we have a valid request, we will have a month to provide the information requested, which we can extend in some circumstances. We will be allowed (as we are now) to remove (redact) information, for example, legal advice or information about other people. We will have a web form for you to make a subject access request under the new law. Find out how to make a subject access request
If we are relying on consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The council does not rely on consent in most cases because it has legal duties to do certain tasks. For example, processing planning applications, collecting council tax payments and social work tasks are based on legal duties, not on consent.
We will need to consider appropriate lawful grounds for processing your data if you have consented to the processing and decide later to withdraw your consent.
To comply with the new law we must provide detailed information on why and how we are processing the data. This is done through our Privacy Notices.
To transfer personal data from our electronic processing system into another organisation's electronic processing system.
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above we will not rely on consent in many cases.
You have the right to make changes to inaccurate data.
Automated decisions and profiling
After 25 May 2018, if we process your personal data based on automated decisions, and this will have a legal or similarly significant effect on you, then you can request a written explanation of the decision made and you can contest the results of the decision.
As a Data Controller we have to be able to demonstrate how we comply with the new law when collecting and processing your personal data.
We appreciate that these new rights might seem complicated. You can find more information on the ICO website. If you need help in exercising your new rights when the new law comes into force in May 2018 we will have a web form so you will be able to contact us.
Personal data and ‘special categories of personal data’
The new law will apply only to ‘personal data’. You can find out more about personal data and the new GDPR regulations on the ICO website. Special category personal data will be personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or is about a person's health, sex life or sexual orientation, and includes genetic and biometric data. The council will need to comply with more safeguards when processing special category personal data.
Redbridge's commitments under GDPR
Redbridge's commitment will be to ensure that the data is:
- processed lawfully, fairly and in a transparent manner
- collected for a specific and legitimate purpose - it will not be used for anything other than this stated purpose
- relevant and limited to what is required for the purpose for which it is processed
- accurate, and where necessary, kept up to date. Any inaccuracies will be amended or removed without undue delay.
- stored for as long as required, as specified in our records retention policy
- secured with appropriate solutions, which protect the data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The council will demonstrate its compliance with these principles.
Redbridge's commitments to processing personal data lawfully
The council will ensure that it meets the conditions necessary for processing personal data lawfully and will ensure this is adequately recorded. There are a number of ways that processing can be lawful. Consent is one method, but it is important to know that consent is not always required and the council can lawfully process personal data as long as a condition is met. For example, the council would be unlikely to collect council tax arrears if residents could withdraw their consent for processing their data for this. You can find out more about the conditions on the ICO website GDPR guide.
The lawful basis for your processing can also affect which rights are available to individuals. For example:
|Lawful basis||Rights of individuals|
|Consent||✓||✓||✓||✓||✓||X but can withdraw consent|
Note that not all of these rights are absolute, and there are other rights which may be affected in other ways. For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you need more detail in your privacy notice.