Data Protection Act

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 will extend the rights of individuals and require organisations holding personal data to comply with a new stricter set of rules. It also aims to give people more control over their data'.

accordion | Data Protection Act

Personal Data

Personal data is anything that can be used to identify a person. For example:

  • Name
  • Email address
  • Date of birth
  • National insurance number

The GDPR also cover special category data, which includes information such as:

  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar nature
  • physical or mental health, or condition


The GDPR contains six Principles, plus an additional section, regarding personal data. The Principles are that personal data should be:

  • Processed lawfully, fairly and in a transparent manner (stored, used, destroyed)
  • Obtained for a specified, explicit and legitimate purpose
  • Adequate, relevant and limited
  • Accurate and, where necessary, kept up to date
  • Kept no longer than is necessary
  • Have appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
  • The organisation also has to be able to demonstrate accountability and compliance.

Collecting and Processing Personal Data

The GDPR increases individuals’ rights on personal data meaning the Council will need to have consent, or one of five other specific legitimate reasons to hold and process individuals’ data. The Council will collect and process personal data only to the extent that it is needed to fulfil operational needs or to comply with legal requirements.

Your Rights

The GDPR creates new rights for individuals and strengthens existing rights. These are:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to automated decision-making, including profiling.

Breach Notification

In certain circumstances, the Council will have to inform the Information Commissioner’s Office (ICO) about unauthorised disclosures of personal data as soon as they are discovered. If the disclosure has serious implications for any individuals, they will have to be informed as well.

Privacy by Design and Default

To ensure that all Data Protection requirements are identified and addressed at the start of each project or when reviewing existing services, each of them must go through an approval process before continuing. This approval process consists of the completion of a Data Protection Impact Assessment (DPIA). This is a tool which will help the Council identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. Please see our guidance and DPIA.

Data Protection Officer

Under the GDPR, the Council must have a named Data Protection Officer who is responsible for data protection matters. Within North Kesteven District Council, the Data Protection Officer is the Corporate Information Manager.

If you have any concerns or questions about how your personal information is handled, please contact our Data Protection Officer at or by calling 01529 414155.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office

Wycliffe House

Water Lane




Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit or email

Subject Access Request

What is a subject access request (SAR)?

Under the GDPR, an individual has a right of access to information held about them by any organisation and to receive a response within one month, which is known as the Right of Subject Access.

North Kesteven District Council will ensure that the right of subject access to information held by the Council can be fully exercised by everyone. However, a Subject Access Request (SAR) only relates to personal data, and not to information relating to other people.

A SAR must be made in writing and enough information must be provided to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.

However, until the identification has been received, the Council will not process a request. The Council has one month (which we can extend in some circumstances) to respond to the request. A person will be required to confirm their identity and will usually be asked to provide the following:

  • Full Name
  • Address
  • Date of Birth
  • One Photographic piece of Evidence, such as, Passport, Driving Licence with photograph, Travel Pass with photograph and;
  • One Other piece of Evidence, such as, Council Tax Bill, Utility Bill, Bank/Building Society Statement, Birth Certificate.

If a request is submitted to the Council, the individual is entitled to be told free of charge whether the Council holds any data about the person. If the Council does, the individual has the right:

  • To be given a description of the data, the purposes for which the data are being processed, and those to whom the data may have been disclosed;
  • To be given a copy of the data in an intelligible form enabling them to port the data to another provider, with any unintelligible terms explained;
  • If there is a specific request, to be given an explanation as to how any decisions taken about an individual solely by automated means have been made;
  • To have more power to withdraw their consent and have their data amended or deleted, known as the ‘right to be forgotten’.

However, it must be noted that some records cannot be deleted, even if the data subject has asked to ‘be forgotten’. This might be for reasons of financial regulatory compliance, or because the Council can show it has ‘legitimate’ reason for retaining and processing the data. In this instance, the Council may need to pseudonymise or anonymise the data the Council cannot legitimately delete to be compliant, but these will be reviewed on a case by case basis.

These rights apply to electronic data and to data in ‘manual’ (i.e. non-electronic) formats. If a request is for information other than information about themselves, such as information about decisions or actions by the Council, these cannot be submitted as a Subject Access Request. This would be a request under Freedom of Information legislation or Environmental Information Regulations.

The Council has a duty to protect the Data Protection rights and other legal rights of other individuals when we respond to SARs. Information which does not relate to the individual who submitted the request may be redacted, particularly if it relates to other individuals. Sometimes the Council may not be able to release data relating to the individual who submitted the request because doing so would also reveal information about other persons who have not consented to their data being released, and it would not be reasonable in the circumstances to release the data without their consent. In such cases, the individual who submitted the request will be informed that data about them has been withheld and the reasons for doing so.

Making a Request

SARs should be submitted to the Corporate Information Team via: