The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) aim to give you greater control over your personal data.
The law also means that organisations have to apply minimum standards of protection to the personal data they hold and to ensure that they use it only for the purpose for which is was collected.
Every individual has a number of rights in relation to their own personal data and their privacy and these rights cover things such as the right to see what information an organisation holds about you, and to get any incorrect data corrected. These rights are as follows:
- the right to be informed: Everyone has the right to ask what information an organisation holds on them and why.
- the right of access to your personal data (commonly known as a ‘data subject access request’). You can ask for a copy of the personal data we hold about you and can check that we are lawfully processing it.
- the right to request correction of the personal data that we hold about you. You have the right to have any incomplete or inaccurate data we hold about you corrected, though we may need to check the accuracy of the new data you provide to us.
- the right to request erasure of your personal data. You can ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- the right to object to processing of your personal data. This only applies in certain circumstances, and where you want to object to processing as you feel it impacts on your fundamental rights and freedoms. This includes at any time where we are relying on consent to process your personal data.
- the right to request restriction of processing of your personal data. This means that you can ask us to suspend the processing of your personal data under certain circumstances.
- the right to data portability, for example, to obtain your personal data or to ask for it to be passed to another data controller.
- rights related to automated decision making and profiling
This guide has been developed to give you information about your rights and how they apply to data that we hold about you. It also explains how you can make a request about your data, what information you need to provide and how you can complain if you are not happy with the response you receive.
In some cases, we may not have to comply with these requests but if this is the case we have to explain why. You can also appeal against any decision taken not to comply with a request you make.
Personal data is information about an individual which allows them to be identified, either directly, or indirectly with reference to other information. Examples of personal data include name, address, email address or telephone number. Items such as information about your religion, health, fingerprints, genetic data or trade union membership are also personal data. Information about deceased people is not personal data.
We are the data controller. This means that we are responsible for deciding why we use your data and what will be done with it. We also must ensure that your data is kept safe.
Processing data includes collecting, recording, transmitting, or otherwise using it, including storing it.
By law we have to have a reason to process your data. This is known as the lawful basis or lawful purpose. More information about lawful basis for processing can be found on the Information Commissioner’s Office website.
Right to be informed
You have a right to be informed about the data that any organisation collects or holds about you. We will tell you:
- who we are and our contact details, including those of our Data Protection Officer
- why we collect and use the data
- the legal basis for using the data
- who we share the data with, if anyone
- if we are going to transfer the data to
- how long we will keep the data for
The way we tell you about which information we collect is through our Privacy Notices. We have a corporate privacy notice which tells you in plain language who we are, why we collect your personal information, how we use it, who we may share it with and how long we may keep the information for. We have also developed additional privacy notices for our services areas which provide further, more specific information.
All these notices are published on our website, or you can ask for a copy by contacting our data protection officer.
Right of access
You have a right of access to the information that we hold about you. You can ask to see this information by making a Data Subject Access Request (DSAR). This includes access to a range of information including CCTV images of yourself.
You can ask:
- for a copy of the information
- what we use the information for
- which persons/organisations to whom the information is disclosed
Information you will receive
When you make a request, you can ask for all the personal information we hold about you on our computers and manual record systems. You will be given a description of the purposes for which we process your data and a list of organisations we disclose the data to. If you do not want to see all the information we have, for example you only want to see CCTV footage of your car, or information in relation to a noise nuisance complaint, let us know. This will help us to find and send you the information quicker if you can be clear about what information you want.
Information about another person
We are not allowed to give you information about other persons unless they have given their consent. This includes information about members of your family. If you are a parent, or a member of an elderly person's family, you may be provided with information about your child, or the elderly person, but only where you have written permission to ask for it or are granted powers to do so by a court and we are satisfied that such permissions are genuine.
If data about other individuals are included within documents about you then it is likely that this information will be withheld.
If you are making a request on behalf of someone else, you will also be required to provide their details and will need to provide evidence that you are entitled to request the personal information. For example, if you are the subject's parent, we will need a copy of the long-form birth certificate that includes your name and address. On most occasions, as a third party you will also need to provide a written authority from the person concerned that includes their name, address, and signature.
We need the following to be able to disclose records to you:
- child aged under 12 (or child lacking mental capacity) - evidence that you have parental responsibility for that child
- child over the age of 12 - in certain circumstances your child may be asked to consent to disclose data to you
- adult (who lacks mental capacity) - official paperwork listing you as their legal guardian
- solicitor or agent (acting on behalf of an individual) - a form of authority addressed specifically to us and signed by the data subject or their legal representative. In some circumstances we may also request explicit consent from the data subject
Records of someone who has died
We are not allowed to disclose a deceased person’s records to any individual other than the personal representative of the deceased’s estate. That is an individual who has a grant of probate (if the deceased left a will) or letter of administration (if the deceased did not leave a will, otherwise known as intestate).
If you are the personal representative for the deceased’s estate and affairs, you need to provide the legal documentation which validates this so that we can consider disclosing the requested records.
How information is sent
We will provide the information via email if this is possible. Information may be in the form of a printout from a computer system, or a photocopy of your manually held record. If you have difficulty in understanding any of the contents, you may ask a member of staff for assistance.
There is no charge for making a Right of Access Request, unless requests are repeated or manifestly excessive.
We must provide access to the information without undue delay, and within 1 month. The time starts from when we receive a clear request and enough identification to be sure that the request is from the data subject. Once we receive this information, we will contact you to acknowledge that the 1-month period has started.
We can extend the time to provide a response to you by a further 2 months if your request is complex or you have made more than one request. We will tell you within 1 month of receiving your request that we need extra time to consider it and why.
If we are not sure about your identity, we will not process a request for personal data unless you provide evidence – in these cases we require photographic ID that includes your date of birth and signature such as a driving licence, passport or ID card. If you are unable to provide such evidence, please contact us to discuss alternative options.
In some circumstances we are allowed to withhold information, for example, if disclosure could prejudice a criminal investigation, if disclosure could cause mental or physical harm to any individual, or if information originates from the Court. These are known as exemptions. We can also exclude any information which is about another person if they can be identified from it.
In exceptional circumstances we can refuse to provide you with the information, for example if we consider your request to be manifestly unfounded or excessive.
You should tell us that the data is incorrect and ask us to correct it. You must do so in writing. We must inform you if we have, or have not, corrected the data within 1 month of you asking us to do so. If we do not agree that the information is incorrect, you can ask us to record your disagreement on the record itself. If we do not correct the information, you may also appeal to the Information Commissioner’s Office, or the court. These organisations have the power to order us to correct data that is wrong.
You have a right to request to have inaccurate data rectified, blocked, erased, or destroyed. This right extends to any other personal data that contains an opinion about you based on the inaccurate data.
if you think you haven't received all the information you requested, you can appeal to us through our internal procedure, or to the Information Commissioner’s Office.
Missing information case study
Right to rectification
If you feel that the information that we hold about you is inaccurate or incomplete you have the right to ask for it to be rectified. Requests will be considered, and inaccurate information will normally be rectified within 1 month, although for complex rectification requests, this may take a further 2 months. If we feel that the information, we hold is accurate and does not require rectification, we will provide you with a written explanation.
If we have passed this information onto another organisation, we will also make sure that they are also asked to correct their records.
Right to rectification case study
Right to erasure
The right to erasure is also known as the right to be forgotten, you may request that information we hold about you is erased. We will assess your request and in specific circumstances the information may need to be kept.
For example, we may need to keep the information for compliance with a legal obligation, or to retain information relating to safeguarding referrals or council tax liability. We will write to you within 1 month to let you know whether we have complied with your request.
Right to erasure case study
- we undertake parking enforcement on behalf of North Yorkshire County Council. Under the contract with North Yorkshire County Council, we are required to provide and retain information relating to all parking penalty notices issued
- the data is obtained and held by us in exercise of its official authority as a Parking Enforcement Authority
- data is also held as evidence should a claim be made against us for a refund, or some other loss
Right to object
You may object to processing based on the legitimate interests, public interest or exercise of official authority or direct marketing or for the purpose of scientific/historical research and statistics. To object, you must have reasons relating to your own situation. We must stop processing unless we have compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the exercise of legal claims.
Most personal data we process is based upon our ‘public task’ responsibilities (for example, for the performance of a task carried out in the public interest or for the exercise of official authority vested by us). These could include collecting council tax or dealing with planning applications in these circumstances you must give specific reasons why you are objecting to the processing of your data, based upon your situation. You can find more information about why we process your data in our Privacy Notices.
Right to object case study
Right to restrict processing
This allows you to block or suppress the processing of your personal data. This means that we can retain your information, but not process it any further. We will need to keep some information to ensure that we are able to maintain the restriction. For example, an individual may contest the accuracy of the data we hold about them, and we need to stop processing the data until we have checked that the information is correct.
Right to data portability
This allows you to obtain and reuse your own data for your own purposes. This only applies to data that you have provided to us, where the processing has been with your consent or for the performance of a contract and that processing has been carried out by automated means. This does not apply to any data held by us.
Rights related to automated decision-making including profiling
Automated decision making is if a computer has decided about you without human involvement. You have the right not to be the subject of a decision if it is based on automated processing and it produces a legal effect or other significant effect on you.
This right does not apply where processing is necessary for the performance of a contract, authorised by law (including fraud) or there is explicit consent.
We do not use any "Automated Decision Making" and therefore this right does not apply to any information we hold about you.
How to make a request about your rights
You can also make a request about your rights verbally or in writing.
If you wish to make a complaint about the way we have responded to your request, you can have your complaint considered through our Internal Review process. Email or write to:
Regulation and Governance Team
St Nicholas Street
If you remain dissatisfied with our response, you can complain to the ICO:
Information Commissioner’s Office
Tel: 0303 123 1113