Skip to main content

Data protection

Data Protection Legislation means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and all applicable laws and regulations relating to processing of personal data and privacy including, where applicable, the guidance and codes of practice issued by the Information Commissioner.

Cotswold District Council is a data controller for the purposes of the Data Protection Act 2018.

Cotswold District Council holds and uses a considerable amount of information, including personal data, so that it can provide its services to you. Please see the privacy notice section to read how we use your personal data.

Our Data Protection Policy leads and advises on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

Our Data Breach Policy has details on detecting and responding to personal data breach occurrences.

Our Record of Processing Activities (ROPA) describes how and why we use personal information.

The Information Commissioner's Office look after data protection in the UK. We are registered with the Information Commissioner's Office as a data controller (Registration No. Z6833568). Our certificate is available to download at

Further guidance about the data protection legislation is available from the Information Commissioner’s Office.

Who's responsible for our compliance

The Data Protection Officer is responsible for ensuring our compliance with data protection legislation and with this policy.

If you have any questions about the operation of this policy or any concerns that the policy has not been followed, email

You can also write to:
Data Protection Officer
Cotswold District Council
Trinity Road
Cirencester GL7 1PX


If you're unhappy with the response you've received to an information request, you have the right to complain. You can find out how to make a complaint here:  

It is your right to make a complaint to the ICO:

Data protection principles

The Act contains six data protection principles with an overarching accountability responsibility for data controllers to demonstrate compliance with these principles. This means personal data must be processed:

  • Lawfully, fairly and transparently
  • For specified, explicit and legitimate purposes and not processed in a manner other than the purpose it was collected
  • Adequate, relevant and not excessive
  • Accurate and where necessary kept up to date
  • Not kept longer than necessary
  • With the appropriate security and protection

Personal data shall not be transferred to countries that do not have an adequate level of data protection. 

Reporting personal data breaches

Data breaches are defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a data breach is more than just losing personal data.

You must report data breaches to the council’s Data Protection Officer (DPO) as soon as you become aware of them. There is a strict requirement on us to notify reportable breaches to the Information Commissioner’s Office without undue delay and within 72 hours. The clock starts ticking for our data protection officer to make a report to the Information Commissioner’s Office as soon as we become aware of the data breach.

Delays in reporting breaches or suspected data breaches to the council mean that there is less time to investigate these matters and take appropriate action to mitigate any harms which may be caused to the individuals affected.

Please ensure that any data breaches reported include an accurate summary of the personal data involved and the number of people affected. Remember to respond promptly to any further questions asked by the Data Protection Officer.

Data breaches can have a significant detrimental impact on individuals and organisations, so please do all you can to enable us to respond efficiently and well within the reporting requirements.

Our Data Breach Policy has details on detecting and responding to personal data breach occurrences.

Data protection individual’s rights and subject access request

All processing of personal data must be in accordance with the data subject's rights. These include:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The rights in relation to automatic decision making and profiling
  • The right to lodge a complaint with the supervisory authority

Subject access and rights requests

Under data protection legislation an individual has the right to access the information that an organisation holds about them. Accessing personal data in this way is known as making a subject access request.

Subject access requests are different to requests submitted under FOI legislation, which relate to information about the organisation itself. You can find more information here: and here:

You are entitled:

  • to be informed whether your personal data are being processed
  • to be sent a copy of your personal data subject to any applicable exemptions and the removal of other people's personal data as appropriate
  • to be sent certain information about your personal data

Your request to the council may be submitted in whatever format you wish, but we have created a standard subject access and right request form for your convenience, which may be completed and emailed to

Using the form will help us to verify your identity and give a timely and accurate response to your request. There is no charge to make a subject access request.

What is the process?

  • Complete the form and send it to the Data Protection Officer (DPO) with proof of identification as requested on the form.
  • The DPO checks the validity of the request, agrees the scope of the search and sets the 30 day time period when satisfied.
  • You are sent the results of the review.
  • If you are unhappy with the outcome of the review, you can request an assessment of your case by the Office of the Information Commissioner.

Requesting a child's information

Children have the right to ask for their own information.

If the child is too young to understand (which usually means they're under 12) and you have parental responsibility, you can apply for your child’s data. You'll need to show evidence that you have parental responsibility - your child’s birth certificate, for example.

You must be asking for the information because it will help or support your child. Sometimes we may decide not to give information to a parent, or we may ask a child to make the request themselves.

Privacy notices

For more information on how we process your personal data please go to:

Retention schedule

The council's Data Retention Policy sets out a list of records for which pre-determined retention dates have been established. The retention schedule brings together the following information:

  • The name and purpose for processing of the council's data processing activities; 
  • disposal, pseudonymisation or anonymisation of those records which have completed their retention period;
  • storage of records which have to be kept after their retention period insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Personal information requests – police and other agencies

In some circumstances, the police and other authorised agencies can request access to personal information held by the council for specified purposes. These types of requests may be permitted if an exemption under Schedule 2 Part 1 of the Data Protection Act 2018 applies. 

The Data Protection Act does not give an automatic right of access to information, however, it does allow the council to assess the merits of requests and decide whether or not to apply an exemption. 

Please see the Information Commissioner's guidance on the Data Protection Act exemptions. To make a request under an exemption, please complete our Data Sharing Request Form. This form will be sent to the council's Data Protection Officer for consideration.

For more information or assistance, please contact the council's Data Protection Officer by emailing