Data Protection: Your Right to Know
The Data Protection Act 1984 provides a legal basis for the privacy and protection of data of UK citizens and businesses. The Data Protection Act 1988 gives those who have data held about them (the data subject) rights of access to the information held. It also requires those holding the data (the data controller) to apply minimum standards of protection to the data and ensure that it is only used for the purposes it was collected for.
What are your rights?
- to ask what the Council uses the information for
- to be provided with a copy of the information
- to be given details of the purposes for which the Council uses the information
- to be given details of the persons/organisations to whom the information is disclosed
- to ask for incorrect data to be corrected
Why do we keep personal information?
The Council keeps personal information about you so that it can:
- provide you with the services you require
- collect council tax
- assess the correct level of benefit for your needs
- provide you with up to date information about these services and the most appropriate service for your needs.
The information about you is also used to maintain a record of any help provided so we can look at it from time to time to see if it is still what you need, or plan for any changes. The personal information you provide may also be shared with other agencies involved in the provision of services to you and between departments of the Council where we are legally required to do so.
Who do we share information with?
Depending on the original purpose for which it was obtained and the use to which it is to be put, information may be shared with a variety of services. Examples include Housing sharing with Health, and Housing Benefits sharing with the DSS. It may also be shared, where necessary, with other organisations that provide services on our behalf, e.g. contractors working on behalf of the Council.
In all of these examples the information provided is only the minimum necessary to enable them to provide services to you.
Personal information about you may also be provided to Government departments, where we are required to do so by law, or other local Councils. An example would be when you have moved from one Council's area to another and the new Council requires confirmation of the services you were receiving.
Information about you may also be provided for statistical research. This will not include your name and address unless you have given us permission to provide that information.
What sort of information do we hold?
The personal information held will depend on the service being provided. Basic information (that is, your name and address, age, date of birth, sex, next of kin), plus a note of the service provided, decisions regarding the provision and any meetings between you and the department of the Council providing the service, will appear on all records. Other, more sensitive, data may also be held. Depending on the needs of the service being provided, such data may include, for example, details of a person's physical or mental health, disabilities and racial or ethnic origin. Data relating to specific services include: the level of payment and the current state of the account (council tax); property details and extent of proposed alterations (planning).
How do we keep the information and who is responsible?
The information is kept on secure computer systems and in secure manual filing systems. Maintaining the record and keeping it secure is the responsibility of the department of the Council providing the services you receive. All employees of the Council are required to comply with the Council's security policy.
Are the records confidential?
The Council's employees have a duty of care when providing services. This includes respecting the right to confidentiality and ensuring that information about you is only used and given to others for the purposes of the service being provided. Care is taken to ensure that third parties cannot access the information without permission and that data about you is not disclosed to third parties or others without your consent.
How long are records about you held?
Normally, your records will be kept only for as long as the service is provided to you, or as is required by law. If there is no legal requirement to keep the records they will be destroyed as soon as is practicable. Where there is a legal requirement to retain information it is not normally kept for more than six years.
How do you ask to see your information?
You must write to the Council, addressing the letter to the Data Protection Officer. When you do so you must provide your name and address; details of the service(s) you are receiving; and any other information such as date of birth, sex, householder status (for example, tenant, owner) you think may help the Council find your information. You may also call in person, where you will be provided with a copy of the Council's access application form for your use. If you have difficulty with the form, help will be provided.
What information will you receive?
All of the personal information we hold about you on both our computer and manual record systems. You will also be given a description of the purposes for which we process your data, a list of those to whom we disclose the data and information about sources where this is available.
Can you see information about any other person?
You may not see information about other persons, unless they have given their consent. This includes information about members of your family. If you are a parent or a member of an elderly person's family you may be provided with information about your child or the elderly person but only where you have written permission to ask for it or have been granted powers to do so by the court and the Council is satisfied that such permissions are genuine.
How will you be given the information?
You will be provided with a copy for your retention and use. This may be a printout of the information from the computer system or a photocopy of your manually held record. If you have difficulty in understanding any of the contents you may ask a member of staff for assistance.
Will you be charged a fee?
Yes. The Council charges a fee for providing the information requested. This is to cover the costs of searching for and providing a copy of the information. The fee is £10, which is the maximum permitted by law.
How long does it take?
The Council must respond within 40 days of receiving your application. The 40 days begin from the date on which you have sent in the written application, the fee and any additional information required by the Council.
What should you do when you get the information?
You should check it to ensure that you have received all of the information to which you are entitled and to make sure it is correct.
What do you do if the information provided is incorrect?
You should tell the Council that the data is incorrect and ask them to correct it. You must do so in writing. The Council must inform you if they have or have not corrected the data within 21 days of you asking them to do so. If the department does not agree that the information is incorrect you can ask it to record your disagreement on the record itself.
If the Council does not correct the information you may also appeal to the Data Protection Commissioner or the courts. These organisations have the power to order the Council to correct data which is wrong.
When is data inaccurate?
The Act defines inaccurate data as being "data which is incorrect or misleading as to any matter of fact".
How can you have inaccurate data about you corrected?
The Act provides you with a right to apply to the court to have inaccurate data rectified, blocked, erased or destroyed. This right extends to any other personal data which contain an opinion about you based on the inaccurate data.
What do you do if you think you have not been given all the information you asked for?
You can appeal to the Council, through its complaints procedure or to the Data Protection Commissioner whose staff will look into the matter on your behalf.
Do you have any other rights under the Data Protection Act and what are they?
Yes. In addition to the right of subject access, mentioned above, individuals have the following rights:
- to prevent processing likely to cause damage or distress
- to prevent processing for the purposes of direct marketing
- not to be the subject of decisions based on wholly automated means
- to take action for compensation if he/she has suffered damage by any contravention of the Act, by the Council
- to make a request to the Commissioner for an assessment as to whether any provision of the Act has been contravened by the Council
How do you go about this?
For the first three rights, you should write to the Council informing us that you require us to cease or not to begin the processing of personal data about you. In the case of the first of these you must state the purpose for which the data are being processed and that you consider the processing is already causing or is likely to cause you or another person unwarranted substantial damage or substantial distress. The second requires you to notify the Council, in writing, that we should cease or not begin the processing of personal data about you for the purpose of direct marketing. The third is specific to the use of automated decision-making processes. If you do not wish to be the subject of decisions based wholly on such a process you must write to the Council requiring us to ensure no decisions which significantly affect you are based solely on such processing.
How will you know if the Council has made any decisions about you based on automated processes?
If we have not received a notice from you we will inform you that a decision which significantly affects you has been taken by automatic means. If we do so and you object then you can inform us in writing that you require us to reconsider the decision or take a new decision by some other means. The Council has 21 days in which to respond to your letter.
Is there a time limit for you to write to the Council?
Yes, you must inform us within 21 days of our telling you that we have taken our decision by automated means.
How can you be sure the Council has complied with your notice(s)?
The Act requires us to respond to your notice within 21 days of receiving it. Our reply will tell you whether or not we have complied with your request, intend to comply with your request, or the extent to which we intend to comply. If we do not consider your request is justified, our response will list our reasons.
What do you do if the Council does not reply or refuses to comply with your notice?
If you do not receive a reply or if you consider the Council has not complied with any of the above notices you have a right to apply to the court for an order requiring us to comply.
Under what circumstances can you claim compensation?
If you have suffered damage or distress as a result of the contravention of any of the requirements of the Act, by the Council, then you may be entitled to compensation.
The court will only support such a claim if you can show that the Council had not taken reasonable care to ensure it complied with the relevant requirement of the Act.
Are you entitled to compensation as a result of our use of inaccurate data?
As with the example quoted earlier, only if the court is satisfied that you have suffered damage as a result of the Council's use of the inaccurate data.
What can you complain to the Commissioner about?
You can complain to the Commissioner if you consider the Council has breached any of the requirements of the Data Protection Act. These include a breach of any of the data protection principles, processing data without having notified the Commissioner, a failure to respond to any of your written notices (see above), processing data without your consent (where consent is necessary), and refusing to provide you with the personal information you have requested. This list is not exhaustive.
What will the Commissioner do?
At your request the Commissioner will carry out an assessment of the Council's processing to establish whether or not we are doing so in compliance with the Act.
Should the Commissioner find we are not, then the Council will be issued with a notice requiring it to take steps to ensure compliance.
Do we provide you with help in understanding the information?
If you need help in understanding the information provided or the contents please inform the Council and we will provide someone to explain the contents of the information.
Address to which Requests for Access should be sent:
The Data Protection Officer
Eden District Council