The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 came into effect on 25 May 2018. Together they form the New Data Protection Legislation and replace the Data Protection Act 1998.
We collect, hold and use data about people and organisations with whom we work and in order to conduct our business. This may include members of the public, current, past and prospective employees, clients, customers, contractors, partners and suppliers. In addition, we may be required to collect and use personal data in order to comply with our statutory obligations.
We must abide by the 6 principles of the Data Protection Legislation which make sure that personal information is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and where necessary kept up to date
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed - Refer to our Corporate Data Retention Policy
- Processed in a manner that ensures appropriate security of the personal data
Accountability is central to the Data Protection Act Legislation. Data controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the Information Commissioners Office.
The Council has a GDPR Policy in place. This Policy describes the Council’s requirements to comply with the GDPR.
Accessing information we hold about you
You can access the information or the images we hold about you by making a Subject Access Request. You are entitled to see your personal data (with some specific exceptions). For example, you will not be allowed to see personal information that contains details about someone else - even a member of your own family - unless that person has given permission.
You can make the request in writing or by email, using the Subject Access Request form or the CCTV Subject Access Request form. Your request should be sent by email to firstname.lastname@example.org or by post to The Data Protection Officer, Cotswold District Council, Trinity Road, Cirencester, GL7 1PX.
The Council is obliged to respond within one month of receiving all the information we need to be able to action your request.
Please note that for CCTV Subject Access Requests, they can only be made for images relevant to you and within 30 days of the images being recorded as we only retain our CCTV data for a maximum of 31 days.
What are your rights to accessing your personal records under the GDPR?
Your rights to access your personal record would depend on the legal basis the Council obtained and is processing your data. The Council provides a wide range of services and relies on different legal bases under the GDPR for processing personal data. Bearing these in mind, you have the following rights:
- to access your personal data
- to be provided with information about how your personal data is processed
- to have your personal data corrected
- to have your personal data erased in certain circumstances
- to object to or restrict how your personal data is processed
- to have your personal data transferred to yourself or to another business in certain circumstances
- you have the right to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Commissioner.
Read more about your information rights.
If you wish to exercise your information rights, this request can be made in writing by completing the Information Rights Form. Please provide as much detail as possible about the information you require, mark your request as ‘Information Rights Request’ and send it to the address provided.
Proof of identity
To help establish your identity your application must be accompanied by TWO official documents that between them clearly show your name, date of birth and current address.
Acceptable forms of ID are:
- photocopy of your passport or driving licence
- an electricity bill
- a gas bill
- a council tax bill
- any other bill in your full name
Please do not send original documents, good quality photocopies are acceptable. Any bill you send must be less than 6 months old.
Correcting data we hold
If you believe the data we hold about you is incorrect or that there is information that we have not supplied, you must contact us within 21 days of receiving our response to your request. If we don't agree that the information is incorrect, you can appeal using the Council's normal complaints procedure. You can also appeal to the Information Commissioner's Office if we do not correct the data you ask us to.
Where personal data breaches do occur, Cotswold District Council will, without undue delay, investigate the breach, and where required, report the breach to the Information Commissioner’s Office within 72 hours. Reporting procedures can be found in our Reporting of Personal Data Breaches Policy.
Sometimes we need to share information with other public bodies such as other councils, the health service or the Police. We have signed up to the Gloucestershire Information Sharing Partnership Agreement which outlines the principles and responsibilities which govern the way in which we share data with others. For more details see the Gloucestershire Information Sharing Partnership Agreement.
Personal Data Retention Schedule
Under the Data Protection Legislation (UK General Data Protection Regulation and Data Protection Act 2018), data controllers of personal data must ensure that the personal data of individuals is only retained for as long as is necessary and for the purposes for which they were collected. Section 71 (7) (b) of the Data Protection Act 2018 requires controllers of personal data to carry out periodic reviews of the need for the retention of that data. Retention periods are governed by a variety of factors, including but not limited to legislation, contract and best practice. Some records may be initially retained for a set period after which they may be either archived or destroyed. Records retention schedules provide a framework within which retention periods can be set and reviewed for individual classes of data.
In order to comply with its legislative obligations, the Councils and Publica have devised a records retention schedule which comprehend both personal and non-personal data. These are provided for the benefit of both the owners and managers of records and individual data subjects.
Monitoring the Council's compliance with the law
All organisations that handle personal information need to be registered with the Information Commissioner based at Wilmslow in Cheshire. The Commissioner is responsible for enforcing the Data Protection Legislation and providing guidance. The Register of Data Controllers is a public document and provides information about the classes of data held, the classes of data subjects and whom the data is disclosed to or shared with. Registrations are renewed each year and updated during the year as required and the Register of Data Controllers can be inspected at any time on the Information Commissioner's Office website. View our entry in the Data Protection Public Register. (Enter Z6833568, which is the Council's Data Protection Registration number).
Summary of the Council's data processing procedures
The Council is committed to complying not only with the letter but also the spirit of Data Protection Legislation. The accuracy and security of your personal information is a key responsibility of the Council and is recognised as an overriding factor in securing your trust and confidence. The Council will only use the information it holds about you for the purpose you provided it or as permitted by law. It will also only collect the minimum information necessary to fulfil that purpose.
By law we must maintain a record of the data processing activities we are responsible for: