From 25 May 2018, the General Data Protection Regulation (GDPR) and a new UK Data Protection Act will extend the rights of individuals and require organisations holding personal data to comply with a new stricter set of rules. It also aims to give people more control over their data.
Personal data is anything that can be used to identify a person. For example:
- Email address
- Date of birth
- National insurance number
- Postal address.
It also covers sensitive personal data, which includes information, such as, ethnicity, religious beliefs and medical history.
The GDPR contains six Principles, plus an additional section, regarding personal data. The Principles are that personal data should be:
- Processed lawfully, fairly and in a transparent manner (stored, used, destroyed)
- Obtained for a specified, explicit and legitimate purpose
- Adequate, relevant and limited
- Accurate and, where necessary, kept up to date
- Kept no longer than is necessary
- Have appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
- The organisation also has to be able to demonstrate accountability and compliance.
Collecting and Processing Personal Data
The GDPR increases individuals’ rights on personal data meaning the Council will need to have consent, or one of five other specific legitimate reasons to hold and process individuals’ data. The Council will collect and process personal data only to the extent that it is needed to fulfil operational needs or to comply with legal requirements.
The GDPR creates new rights for individuals and strengthens existing rights. These are:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to automated decision-making, including profiling.
In certain circumstances, the Council will have to inform the Information Commissioner’s Office (ICO) about unauthorised disclosures of personal data as soon as they are discovered. If the disclosure has serious implications for any individuals, they will have to be informed as well. Failure to notify a breach can result in a significant fine.
Privacy by Design and Default
To ensure that all Data Protection requirements are identified and addressed at the start of each project or when reviewing existing services, each of them must go through an approval process before continuing. This approval process consists of the completion of a Data Protection Impact Assessment (DPIA). This is a tool which will help the Council identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy. Please see our guidance and DPIA.
Data Protection Officer
Under the GDPR, the Council must have a named Data Protection Officer who is responsible for data protection matters. Within North Kesteven District Council, the Data Protection Officer is the Corporate Information Manager.
If you have any concerns or questions about how your personal information is handled, please contact our Data Protection Officer at firstname.lastname@example.org or by calling 01529 414155.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Alternatively, visit ico.org.uk or email email@example.com.