What it means to you
Data Protection legislation has changed. The General Data Protection Regulation (GDPR) is the new legal framework in the EU which came into force on 25 May 2018. This provides new rights to individuals about how their personal data is handled and stored. You will have the right to know how your data has been processed and make requests to us, depending on the lawful basis.
- Information Commissioner (ICO) – more information about these rights
There is also the new Data Protection Act 2018 that came into force on 25 May 2018. This replaces the 1998 Act. GDPR is now enshrined in UK law no matter what the outcome of Brexit is.
Personal data and special category data
The definition has been expanded to include an identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. The special categories (personal sensitive data) now specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Lawful basis
We will apply an appropriate lawful basis for processing your data. For most of our public services this will be because we have a legal obligation or, it’s a task in the public interest or in our official capacity, or a contract with you. Some services will ask for your explicit consent, such as collecting data like cookies when you go on our website or, being able to contact you by email or text for news updates.
Consent
In the case where we are relying on your explicit consent as the lawful basis to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The ICO have a guide to consent.
Please note that we may also ask for your consent to share sensitive health and care data with partners to provide seamless continuity of service, under the common law duty of confidentiality. This is separate to data protection legislation.
Transparency
To comply with the new law we must provide detailed information on why and how we are processing the data – these are called privacy notices and we have used a layered approach as recommended by the ICO. These may be summarised and a web link provided for more information. Printed versions are available.
See our main customer privacy notice and links to further service specific notices.
Requesting a copy of your information – subject access requests
There is no change to the new law; everyone can make a request to the council for the information it holds about them. We would be grateful that you only ask for the information you actually need, to save time and allow us to be more efficient.
We will not charge for this request, unless we consider it is excessive. Once we have a valid request we will have a month to provide the information requested which we can extend if complex for two further months.
We will provide this in an electronic form unless you request otherwise. See our access to information page for help and the section to request personal information.
Correction
You will have the right to ask for changes to inaccurate personal data. This may be your contact details or in the case of reports or assessments it may be making a note on the record.
Data portability
This allows you to ask for personal data to be given in an electronic form to be used in or transferred to another organisation’s electronic processing system. This only applies if the lawful basis is a contract with you or you gave your consent.
Erasure
Where we rely on your consent as your legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above, we will not rely on consent in many cases to process your information.
Automated decisions and profiling
If we process your personal data based on automated decisions (where no individual was involved in the final decision), and this will have a legal or similarly significant effect on you, you can request a written explanation of the decision made and you can contest the results of the decision.
We will notify you in a privacy notice if we carry out automated decision making or profiling that comes under this definition.
Accountability
All organisations will have to be able to demonstrate how they comply with the new law when collecting and processing your personal data, if asked by the regulator (ICO). Contracts need to be in place between us and an organisation that we ask to process your data on our behalf to provide a service or host a system is a data processing.
Data Protection Impact Assessments
Organisations are obliged to conduct a data protection impact assessment when processing is likely to result in a high risk to individuals. These assessments look at the privacy risk when introducing new technology, profiling, using special category data, matching data and a number of other types of processing.
Data Protection Officer
As a public authority, we have a statutory duty to appoint a Data Protection Officer. Their role is described in the General Data Protection Regulation with guidance given by the ICO. They are independent, provide audit assurance, review Data Protection Impact Assessments and report to the highest authority in their role, the council Corporate Board and Joint Managing Directors.
The Officer can be contacted by emailing: dataprotectionofficer@warwickshire.gov.uk