This guide provides you with a basic overview of many aspects of Data Protection.
In the course of your work, you may use or have access to personal data about members of staff or the public. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) place certain obligations upon us and grant individuals certain rights in respect of this data. This guide has been written to give you a basic overview of what Data Protection is and how it affects all of us.
What are the GDPR and DPA 2018?
The GDPR replaced the old Data Protection Act 1998 (DPA 1998) as of 25th May 2018. It is the acknowledged legal framework for all organisations operating within the EU and also applies to organisations outside the EU that offer goods or services to individuals in the EU. Whilst the GDPR has direct effect across all of Europe, the DPA 2018 has been passed through Parliament and applies specifically to the UK.
Together, these pieces of legislation set the rules for how to handle and look after personal data. If the rules are not followed, the Council risks breaking the law and, in certain circumstances, you may be held personally liable for data breaches.
So, what is personal data?
Personal data is any data which 'relates to' an individual and which, either on its own or when cross-referenced with other data, can be used to identify a living individual. This includes all the obvious details we might hold about an individual, such as their name, address, National Insurance number and details of services accessed.
Please note that data which 'relates to' an individual does not just identify them but also concerns them in some way. When deciding if information 'relates to' an individual, you need to consider:
- the content – is it directly about the individual?
- the purpose – what are we processing this data for?
- the result of processing – will the processing of this data affect the individual?
Personal data includes any expression of opinion about the individual and any indication of the intentions of the authority or others in respect of the individual. It is therefore very important that you record only factual information in the course of your employment. If you are required to express an opinion, then it must be capable of being substantiated, as it may be requested via an individual's Right of Access and could also be used in court. More information on Right of Access can be found below.
More information on personal data can be found on the Information Commissioner's Office (ICO) website.
Some types of personal data are classified as Special Category Data (known as sensitive personal data under the DPA 1998) and require more careful handling. This is data that relates to:
- racial origin
- ethnic origin
- political opinions
- religious beliefs or beliefs of a similar nature
- trade union membership
- biometrics (e.g. for identification)
- physical or mental health or conditions
- sex life
- sexual orientation
The DPA 1998 also included criminal offences or alleged offences, but this is now covered under a separate Article (Article 10) of the GDPR, which sets out further conditions you need to adhere to. You can find out more information about criminal offence data on the Information Commissioner's Office website.
How do we hold personal data?
Personal data can be recorded in:
- paper records
- electronically, in databases, spreadsheets, Word documents, etc.
- portable hardware (e.g. memory sticks/discs)
- CCTV images
- video and audio tapes
- microfilm or microfiche
What is processing?
Processing means just about everything that you can do with personal data, including:
- collecting, obtaining
- holding, storing, retrieving
- using, amending, adapting
- disclosing, sharing, matching
- erasing, deleting, destroying
What are the rules for processing?
There are seven principles for processing personal data:
- Lawfulness, fairness and transparency – data is processed lawfully, fairly and you are open and honest about it. This includes letting people know what information we collect, who will collect it, how we use it and who we may share it with etc. This is often achieved via a privacy notice.
- Purpose limitation – data is processed for specific and legitimate purposes.
- Data minimisation – only adequate, relevant and limited data is processed for the chosen purpose.
- Accuracy – data processed is accurate and where necessary, kept up to date. If data is inaccurate (and is not kept for a specific purpose) it should be erased or rectified without delay.
- Storage limitation – data is kept for no longer than is necessary for the purposes for which it was processed.
- Integrity and confidentiality (security) – data is processed in a manner that ensures appropriate security e.g. protection against unauthorised access, accidental loss, destruction or damage etc.
- Accountability – the data controller (the owner who determines how the data is processed e.g. Dorset Council) shall be responsible for and be able to demonstrate compliance.
More information on the principles can be found on the Information Commissioner's Office website.
Can I disclose personal data to anyone other than the data subject?
Generally no. To be able to disclose personal data to other people you must be able to answer 'Yes' to the following questions, unless an exemption applies.
- Have you told the individual that you are going to share their data?
- Have you told them with whom?
- If you need it, have you got consent?
When might I need consent?
Usually we do not need to get consent from the data subject, because the GDPR and DPA 2018 allow us to rely on other legal bases for processing personal data. However, where special category data is involved, extra care needs to be taken and this may justify seeking consent.
If in doubt as to whether consent is required, you must seek advice from your line manager, your Information Asset Register (IAR) (more information below) or the Data Protection Team.
Further information can be found on consent below.
What other things should I think about before disclosing/sharing personal data?
You need to think about the rights to privacy that people have, particularly the Human Rights Act 1998, Article 8 – Respect for your private and family life, and the Common Law Duty of Confidentiality. More information on both of these can be found by following the corresponding links above.
If you operate within Social Care you should also consider the seven Caldicott Principles, which are listed below. Please note that 'personal confidential data/information' is the equivalent of 'special category personal data'.
- Justify the purpose(s) for using confidential information – All uses of special category personal data should be clearly defined, scrutinised and documented. Its use should be regularly reviewed by an appropriate individual.
- Don't use personal confidential data unless it is absolutely necessary – Special category personal data should not be included unless it is essential for the specified purpose(s). The need for patients to be identified should be considered at each stage.
- Use the minimum necessary personal confidential data – Where use of special category personal data is essential, each individual item of data should be considered and justified so that the minimum amount of data is processed.
- Access to personal confidential data should be on a strict need-to-know basis – Individuals should only have access to special category personal data if there is a direct need and they should only have access to the individual items required.
- Everyone with access to personal confidential data should be aware of their responsibilities – Action should be taken to ensure that those handling special category personal data are made fully aware of their responsibilities and obligations to respect patient confidentiality.
- Comply with the law – Every use of special category personal data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
- The duty to share information can be as important as the duty to protect patient confidentiality – Health and social care professionals should have the confidence to share information in the best interests of their patients.
Read more information on the Caldicott Principles.
What are the lawful bases for processing data?
There are six lawful bases to choose from when processing personal data. It is important that you choose the most appropriate one, which will depend on the purpose and relationship with the individual. They are:
- Consent – the individual has given clear consent for the specific processing of their personal data that has been described to them. For more information on consent and how it has changed, please see our corresponding page on SharePoint.
- Contract – the processing is necessary for a contract Dorset Council has with the individual, or is required at the pre-contractual stage.
- Legal Obligation – the processing is necessary for Dorset Council to comply with the law (not including contractual obligations). Examples include complying with a court order, or if employee information (such as salary) is required by a regulatory or government body.
- Vital Interests – the processing is necessary to protect someone's life (this should only be used if no other basis is appropriate).
- Public Task – the processing is necessary for Dorset Council to perform a task in the public interest or an official function. When using this basis, you should be able to identify a clear basis in either statute or common law for the task or power that means we need/can process the personal data. Examples include work involving roads and transport, waste management, education, social care etc.
- Legitimate Interests – the processing is necessary for our legitimate interests or the legitimate interests of a third party. This should not be used if there is a good reason to protect the individual's personal data which overrides this. This basis is likely to be most appropriate when processing the personal data of someone in ways they would reasonably expect and which have minimal impact on their privacy. Public authorities should not use this basis to perform official tasks (see Public Task above). There are three aspects that you will need to consider before using this basis. You will need to:
- identify the legitimate interest
- show that the processing is necessary to achieve it
- balance it against the individual's interests and rights
This basis will not be appropriate if another simpler, less intrusive method can be used to achieve the same result.
If you still think this is the most appropriate lawful basis then you will need to complete a Legitimate Interest Assessment (LIA) to help demonstrate compliance. View an ICO sample template.
When choosing which lawful basis to rely on it is important that you document your decisions (e.g. on your IAR) and include information about your purposes and lawful bases in your privacy notice. Read more information on lawful bases.
A lawful basis interactive guidance tool is available.
What are the exemptions?
There are a number of exemptions, but the most common ones are likely to be:
- for the purposes of the prevention or detection of crime
- the assessment or collection of any tax or duty
- by order of a court
- where we are obliged by law to provide the information to another person
- in connection with legal proceedings
- to prevent serious harm to either the individual to whom the information relates, or any other person
If in doubt as to whether an exemption applies, you must seek advice from your line manager or the Data Protection Team.
Can individuals see personal data about themselves?
Generally yes. Individuals have a Right of Access to personal data that relates to them. This is usually referred to as Subject Access and is requested via a Subject Access Request (SAR).
If an individual shows interest in making a request for their information but they are unsure of the process, they should be encouraged to view our Dorset For You Data Protection webpage. This also includes e-forms which can be completed to submit requests.
All SARs must be passed to our Data Protection Team. They should ideally be made in writing but can also be made verbally, as long as enough information is provided to proceed with the request and contact the individual.
A SAR will not be considered active until we are sure of what information the individual requires and that the individual has a legal right to access the information. We will need proof of this legal right, e.g. proof of identity, proof of parental responsibility, Power of Attorney, etc. You do not need to worry about this, however; it is something the Data Protection Team will discuss with the requester.
Once a request has been deemed active we must provide the information within "one month". As the exact length of "one month" can change depending on the day it is received, Dorset Council has adopted ICO guidance and sets the timescale as 28 days. This is the minimum, but it does allow for a consistent approach which can be monitored. Under the GDPR and the DPA 2018, we now have the ability to extend a deadline by 2 months, in 1-month intervals, if we deem the request to be complex or if we receive numerous requests from the same person. This is something that will be determined by the Data Protection Team. When a request is passed to the appropriate team, the deadline will be highlighted.
Sometimes, the personal data may contain information about other individuals. This is referred to as third party information. There are generally two categories of third party information; these are:
- information about other people such as relatives, carers, friends
- information that has been provided by another person such as doctors, complainants and witnesses
The individual making the request is only permitted to access data about themselves. They have no Right of Access to information about other people unless the third party has given their consent, or it is obvious from the information itself that the Data Subject already knows it, for example because they were there.
Information that has been provided by another person, about the individual in question, may be subject to a duty of confidentiality. The duty of confidence applies primarily to the identity of the third party and their consent must be sought before any information is disclosed. If consent is not given, we may have to withhold or edit information so that it does not identify them.
Can someone else request information on behalf of an individual?
Yes, but we need to be absolutely sure that they are authorised by the individual to make the request. Proof must be in writing and a legal right must be provided, e.g. a consent form signed by the Data Subject, a Power of Attorney, or status as a litigation friend (a court-appointed individual who can make decisions on behalf of another individual who lacks capacity).
Sometimes an individual is unable to exercise their Right of Access because they are too young or they do not have the mental capacity to understand their rights. Parents/carers are able to make an application on behalf of children using their Parental Responsibility. Authority to act on behalf of an adult in these circumstances would normally require a Lasting Power of Attorney, which we will ask to see a copy of before we disclose any information.
Similarly to before, if someone is unsure how to request information on behalf of another, they should be encouraged to view our Data Protection page.
The e-forms previously mentioned also cater for agents acting on behalf of an individual.
What other rights do individuals have?
Under the GDPR and DPA 2018, individuals have eight rights. They are:
- The right to be informed – they have the right to be given information about how their data is being processed, who it is/will be shared with, for what purpose and how long it will be retained for. This is often achieved via a privacy notice.
- The right of access – explained above, they have the right to see or have a copy of their personal data.
- The right to rectification – they have the right to request that their personal data is rectified, if it is inaccurate or incomplete. If the Council disagrees or the incorrect data is required for proof of decision making, notes should be added on records to make people aware of this. Any third parties the information is shared with should also be informed.
- The right to erasure – also known as the right to be forgotten, they have the right to request that their personal data is removed to prevent processing in certain circumstances. If data is held for a specific purpose and we have a legitimate legal basis for processing it, then we do not have to adhere to their request.
- The right to restrict processing – they have the right to block or stop processing of their personal data.
- The right to data portability – they have the right, when requested, to be provided with their personal data in a structured, commonly used and machine readable format. This right tends to be used more for when individuals want to re-use their personal data. This allows them to move, copy or ask us to transfer their personal data from one IT environment to another, in a safe and secure way. This could involve transferring data internally or externally (to another organisation).
- The right to object – they have the right to object to processing of their personal data in relation to legitimate interests, direct marketing (e.g. profiling) or for scientific/historical research and statistics.
- Rights in relation to automated decision making and profiling – they have the right to not be subject to a decision based solely on automated processing, including profiling, which significantly affects them.
It should be noted that all individual rights are subject to the same timescale, i.e. 28 days once the request is considered active.
Should an individual wish to exercise one of their rights but be unsure how to do so, please encourage them to visit the Data Protection page. This page includes guidance and e-forms to help them.
What is a privacy notice?
In short, a privacy notice is used to inform an individual of how you intend to use their personal data. It outlines:
- who the personal data will be processed by
- what personal data will be processed
- why the data is being processed and what legal basis is being relied upon
- how long it will be retained for
- who the information could be shared with (and for what purpose)
- the fact that the individual has a right to complain to the ICO if they think their personal data is being mishandled
Privacy notices are linked with an individual's right to be informed and should be made available at specific times, for example: at the time we collect personal data or when first communicating with an individual.
Service privacy notices are also available in the Data Protection section. These can then be linked to relevant documents, forms, etc. to fully inform individuals of how their personal data is or will be processed. Once the template has been fully tested and is openly available, communications will be published informing all departments.
Data protection by design and by default
Data protection by design and by default, previously known as privacy by design, is now a legal requirement: appropriate technical and organisational measures must be taken to ensure that the data protection principles and individual rights are considered throughout the entire lifecycle of business practices. There is also an emphasis on ensuring that new processes consider data protection implications from the very start, at the design stage.
If a new or amended process is considered to have data protection risks, a Data Protection Impact Assessment (DPIA) should be completed. A DPIA is a tool used to identify and reduce the risks of a business area's processing activities. It should be used if there is a potential risk to the rights and freedoms of individuals, and having a record of it demonstrates accountability for decisions. Should a DPIA identify a high risk, the ICO can be consulted to decide whether and how to proceed.
Please note that a DPIA template is currently being drafted and will be corporately communicated when available.
Security of personal information
The Council has a Security Policy (a new version is currently being finalised, link to follow), which seeks to prevent misuse, accidental loss or wrongful disclosure. This includes ensuring that:
- casual passers-by cannot read information on computer screens or records left visible on desks
- passwords are known only to authorised people and changed regularly
- personal data is disposed of securely
- you authenticate the identity of a person to whom personal data is to be disclosed, prior to disclosure
- personal data is transmitted and received securely, especially when using faxes
- you do not discuss personal data in public places where you may be overheard
How long do I keep personal data for?
Generally, personal data should not be kept for longer than is necessary to meet the purpose for which it was obtained. You should refer to the Council's retention and disposal policies for more information.
What is the annual ICO Fee?
This was previously called Notification under the DPA 1998. All data controllers have to pay an annual fee to the ICO. The fee depends on the tier the organisation falls into, which in turn depends on the number of employees and the turnover of the organisation. Although we no longer have to report to the ICO what information we collect and for what purpose, it is important that each business area takes ownership of its corresponding IAR.
The IAR is a tool used by an organisation to help manage its information assets and the associated risks. It helps keep track of what information the organisation holds and for what reason, i.e. what legal bases are relied upon. This is the new, internal equivalent of what had to be provided to the ICO via Notification before the GDPR.
What happens if I get it wrong?
Hopefully, if you follow this advice and all the other guidance that the Council has issued, you are unlikely to get it wrong. Always seek advice from your line manager or the Data Protection Team if you are in doubt.
If you knowingly or recklessly fail to follow the Council's advice and guidance, disciplinary action may be taken against you. The Council, as the data controller, and you, as an individual, could also be prosecuted or sued for compensation.
Is there training available?
Yes. There are online learning modules that can be completed for a range of different subjects. Currently, no face-to-face Data Protection Training is being routinely supplied.
Where can I find out more?
If you would like further advice or guidance, please contact us at the following email address: email@example.com.
If you receive a suspicious email or suspect any other information security incident, please contact one of the IT Helpdesks.
Remember, if in doubt, seek advice before processing or disclosing personal information.