This guide provides you with a basic overview of lots of aspects of Data Protection.
In the course of your work, you may use or have access to personal data about members of staff or the public. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) place certain obligations upon us and grant individuals certain rights in respect of this data. This guide has been written to give you a basic overview of what Data Protection is and how it affects all of us.
The GDPR replaced the old Data Protection Act 1998 (DPA 1998) as of 25th May 2018. It is the acknowledged legal framework for all organisations operating within the EU and also applies to organisations outside the EU that offer goods or services to individuals in the EU. Whilst the GDPR has direct effect across all of Europe, the DPA 2018 has been passed through parliament and specifically applies to the UK.
Together, these pieces of legislation set the rules for how to handle and look after personal data. If the rules are not followed the Council risks breaking the law and in certain circumstances you may be held personally liable for data breaches.
Personal data is any data which 'relates to' an individual and, either on its own or when cross referenced with other data can be used to identify a living individual. This includes all the obvious details we might hold about an individual such as their name, address, National Insurance number and details of services accessed.
Please note that data which 'relates to' an individual does not just identify them but also concerns them in some way. When deciding if information 'relates to' an individual, you need to consider:
Personal data includes any expression of opinion about the individual and any indication of the intentions of the authority or others in respect of the individual. It is therefore very important that you record only factual information in the course of your employment. If you are required to express an opinion, then it must be capable of being substantiated, as it may be requested via an individual's Right of Access and could also be used in court. More information on Right of Access can be found below.
More information on personal data can be found on the Information Commissioner's Office (ICO) website.
Some types of personal data are classified as Special Category Data (sensitive personal data in DPA 1998) and require more careful handling. This is data that relates to:
The DPA 1998 also included criminal offences or alleged offences but this is now covered under a separate Article (10) in GDPR, which provides other conditions you need to adhere to. You can find out more information about criminal offence data on the Information Commissioner's Office website.
Personal data can be recorded in:
Processing means just about everything that you can do with personal data, including:
There are seven principles for processing personal data:
More information on the principles can be found on the Information Commissioner's Office website.
Generally no. To be able to disclose personal data to other people you must be able to answer 'Yes' to the following questions, unless an exemption applies.
Usually we do not need to get consent from the data subject, because the GDPR and DPA 2018 allow us to rely on other legal bases to process personal data. However, where special category data is involved, extra care needs to be taken and this may justify seeking consent.
If in doubt as to whether consent is required, you must seek advice from your line manager, your Information Asset Register (IAR) (more information below) or the Data Protection Team.
Further information can be found on consent below.
You need to think about the rights to privacy that people have, particularly the Human Rights Act 1998, Article 8 – Respect for your private and family life and the Common Law Duty of Confidentiality. More information on both of these can be found by following the corresponding links above.
If you operate within Social Care you should also consider the seven Caldicott Principles which are below. Please note that 'personal confidential data/information' is the equivalent of 'special category personal data'.
Read more information on the Caldicott Principles.
There are six lawful bases to choose from when processing personal data. It is important that you choose the most appropriate one, which will depend on the purpose and relationship with the individual. They are:
This basis will not be appropriate if another simpler, less intrusive method can be used to achieve the same result.
If you still think this is the most appropriate lawful basis then you will need to complete a Legitimate Interest Assessment (LIA) to help demonstrate compliance. View an ICO sample template.
When choosing which lawful basis to rely on it is important that you document your decisions (e.g. on your IAR) and include information about your purposes and lawful bases in your privacy notice. Read more information on lawful bases.
A lawful basis interactive guidance tool is available.
There are a number of exemptions, but the most common ones are likely to be:
If in doubt as to whether an exemption applies, you must seek advice from your line manager or the Data Protection Team.
Generally yes. Individuals have a Right of Access to personal data that relates to them. This is usually referred to as Subject Access and is requested via a Subject Access Request (SAR).
If an individual shows interest in making a request for their information but they are unsure of the process, they should be encouraged to view our Dorset For You Data Protection webpage. This also includes e-forms which can be completed to submit requests.
All SARs must be passed to our Data Protection team. They should ideally be made in writing but can also be made verbally, as long as enough information is provided to proceed with the request/contact the individual.
A SAR will not be considered to be active until we are sure of what information the individual requires and that the individual has a legal right to access the information. We will need proof of this legal right, e.g. proof of identity, proof of parental responsibility, Power of Attorney etc. You do not need to worry about this, however; it is something the Data Protection Team will discuss with the requestor.
Once a request has been deemed active we must provide the information within "one month". As the exact length of "one month" can change depending on the day it is received, Dorset Council has adopted ICO guidance and sets the timescale as 28 days. This is the minimum, but does allow for a consistent approach which can be monitored. Under the GDPR and the DPA 2018, we now have the ability to extend a deadline by 2 months, in 1 month intervals, if we deem the request to be complex or if we receive numerous requests from the same person. This is something that will be determined by the Data Protection Team. When a request is passed to the appropriate team, the deadline will be highlighted.
Sometimes, the personal data may contain information about other individuals. This is referred to as third party information. There are generally two categories of third party information; these are:
The individual making the request is only permitted to access data about themselves. They have no Right of Access to information about other people unless the third party has given their consent, or it is obvious from the information itself that the Data Subject already knows it, for example because they were there.
Information that has been provided by another person, about the individual in question, may be subject to a duty of confidentiality. The duty of confidence applies primarily to the identity of the third party and their consent must be sought before any information is disclosed. If consent is not given, we may have to withhold or edit information so that it does not identify them.
Yes, but we need to be absolutely sure that they are authorised by the individual to make the request. Proof must be in writing and a legal right provided e.g. consent form signed by the Data Subject, Power of Attorney, or litigation friend (court appointed individual who can make decisions for another individual who lacks capacity).
Sometimes an individual is unable to exercise their Right of Access because they are too young or they do not have the mental capacity to understand their rights. Parents/carers are able to make an application on behalf of children using their Parental Responsibility. Authority to act on behalf of an adult in these circumstances would normally require a Lasting Power of Attorney, which we will ask to see a copy of before we disclose any information.
Similarly to before, if someone is unsure how to request information on behalf of another, they should be encouraged to view our Data Protection page.
The e-form(s) previously mentioned also cater for agents acting on behalf of an individual.
Under the GDPR and DPA 2018, individuals have eight rights, they are:
It should be noted that all individual rights are subject to the same timescale i.e. 28 days once considered active.
Should an individual wish to enact one of their rights but is unsure as to how to carry this out, please encourage them to visit the Data Protection page. This page includes guidance and e-forms to help them.
In short, a privacy notice is used to inform an individual of how you intend to use their personal data. It outlines:
Privacy notices are linked with an individual's right to be informed and should be made available at specific times, for example: at the time we collect personal data or when first communicating with an individual.
View the Dorset Council privacy policy notice.
Service privacy notices are also available in the Data Protection section. These can then be linked to relevant documents/forms etc. to fully inform individuals of how their personal data is/will be processed. Once this template has been fully tested and is openly available, communications will be published informing all departments.
Previously known as privacy by design, there is now a legal requirement that appropriate technical and organisational measures are taken to ensure that the data protection principles and individual rights are considered throughout the entire lifecycle of business practices. There is also an emphasis on ensuring that new processes at the design stage consider data protection implications from the very start.
If a new or amended process is considered to have data protection risks, a Data Protection Impact Assessment (DPIA) should be completed. A DPIA is a tool used to identify and reduce the risks of a business's processing activities. It should be used if there is a potential risk to the rights and freedoms of individuals, and having a record of it demonstrates accountability for decisions. Should a DPIA determine a high risk, the ICO can be consulted to decide how, or whether, to proceed.
Please note that a DPIA template is currently being drafted and will be corporately communicated when available.
The Council has a Security Policy (a new version is currently being finalised, link to follow), which seeks to prevent misuse, accidental loss or wrongful disclosure. This includes ensuring that:
Generally, personal data should not be kept for longer than is necessary, to meet the purpose for which it was obtained. You should refer to the Council's retention and disposal policies for more information.
Previously called Notification under the DPA 1998, all data controllers have to pay an annual fee to the ICO. This fee is dependent on the corresponding tier, which is dependent on the number of employees and the turnover of the organisation. Although we no longer have to report to the ICO what information we collect and for what purpose, it is important that each business area takes ownership of their corresponding IAR.
The IAR is a tool used by an organisation to help manage information assets and the potential risks. It helps keep track of what information the organisation holds and for what reason i.e. what legal bases are relied upon. This is the new, internal, equivalent of what had to be provided to the ICO via Notification, pre-GDPR.
Hopefully if you follow this advice and all the other guidance that the council has issued, you are unlikely to get it wrong. Always seek advice from your line manager or the Data Protection Team if you are in doubt.
If you knowingly or recklessly fail to follow the council's advice and guidance, disciplinary action may be taken against you. The Council as the data controller and you as an individual could also be prosecuted or sued for compensation.
Yes. There are online learning modules that can be completed for a range of different subjects. Currently, no face-to-face Data Protection Training is being routinely supplied.
If you would like further advice or guidance, please contact us at the email address below: data.protection@dorsetcouncil.co.uk.
If you receive a suspicious email or suspect any other information security incident, please contact one of the IT Helpdesks.
Remember, if in doubt, seek advice before processing or disclosing personal information.