Data protection: Protecting your personal details
Asking for information held about yourself: How to make a Subject Access Request
You have a right under the Data Protection Act to request any information the Council holds about you.
To make a request, you must do the following:
Complete the relevant form below:
- Asking for your own information
- For Parents and Guardians of children
- For Legal and Other representatives
Attach a proof of your identity, such as a copy of driving licence or passport. If you are acting on behalf of your child or another person, please also attach proof of their identity.
Provide the fee of £10 by cheque or postal order made payable to "London Borough of Waltham Forest."
Return the completed form, proof of identity and fee to:
Waltham Forest Town Hall
Walthamstow E17 4JA
Tel 020 8496 3000 or
Upon receipt of your request, the Council has 40 calendar days to respond to you. The Council will provide you with copies of the information unless otherwise indicated by you.
Please also note that the DPA contains exemptions, which permit the Council to withhold your personal information from you in certain circumstances. If this is the case, the Council will tell you which exemption it is relying upon and give you its reasons.
Asking for Social Services records
Social services records are covered by the DPA which means you have a right to access them.
However, the Council can refuse you access to your social services records if access would be likely to prejudice the carrying out of social work by causing serious mental or physical harm to anyone.
The Council can also refuse access by a representative where the data subject provided the information in the expectation that it would not be disclosed to the representative or has expressly indicated that he or she does not want the information to be disclosed.
Asking for a child's information: Parental and guardian rights
Everyone has a right of access to their personal information, including children.
However, as young children may not understand this right or are not capable of exercising this right, in some cases their parents may do so on their behalf.
There is no particular age when a child becomes capable of exercising his or her own data protection rights. Rather, the Council must assess the child's maturity and level of understanding when determining whether a parent should be making a request on the child's behalf. To do this, the Council may have to contact you to obtain further information.
As a general guide, a child of 12 and above is likely to have sufficient maturity but as stated, this will depend on the individual circumstances.
The Council needs to be very careful about the disclosure of children's personal information. If the Council is in any doubt as to whether the parent or guardian is entitled to make a request on their child or ward's behalf, then the Council may refuse to grant access.
Asking for information on someone's behalf
You may designate a third party representative to act on your behalf when making a subject access request, such as, a solicitor, financial advisor, doctor, carer or family member.
In this case, the Council must be satisfied that you have consented to this arrangement so we ask your representative (and, in some cases, you) to demonstrate this by providing proof of your identity and your signature.
What is data protection?
Data protection aims to protect people’s personal information from misuse by placing controls on organisations and people who handle personal information. The principal piece of legislation is the Data Protection Act 1998 (DPA).
The Council must comply with the DPA in respect of all the personal information that it holds about individuals whether they are an employee, elected member or a member of the public.
The DPA places a number of obligations on the Council when it processes personal data.
For example, the Council must notify the Information Commissioner about the information it holds and the purpose for holding such information and it must also comply with 8 data protection principles.
Personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to countries without adequate protection
Definitions of data
Personal data: Information about a living individual who can be identified from that data alone or from that data and any other data which the Council holds or is likely to hold in the future.
Also, personal data must be held in a record and must be:
- Processed or held for the purpose of being processed, by means of automatically operated equipment, or be part of a ‘relevant filing system' which means information structured according to some reference name or number so that it is accessible or
- Forms part of an accessible record, which means a health record, educational record or public record such as housing records
- Manual data or data which is not held in any structured way is not covered by the DPA in most cases
- Sensitive personal data: This is personal data which is about a person's:
- Racial or ethnic origins
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health
- Sexual life
- Commission or alleged commission of an offence
- Legal proceedings or sentencing for any offence
Definitions of data protection roles:
- Data controller: A person or organisation which holds personal data or sensitive personal data and controls how it is used. The Council is a data controller
- Data processor: A person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used. The Council's contractors are data processors
- Data subject: The individual who is the subject of the personal data
- Processing: Processing is very broad and includes all activities relating to personal data such as collecting, using, disclosing, storing, altering, erasing, destroying, disseminating, blocking and recording personal data
What is Notification?
Notification is the process by which the Council informs the Information Commissioner of how we process the personal data we hold.
The purpose of notification is to ensure the transparency and openness of the Council's information handling practices by keeping people informed about how their personal data is handled.
Can I see the Council's Notification?
The Council's notification is on the Information Commissioner's Public Register at which can be viewed by entering Z7599838 into the Registration Numberfield.
Councillors also have individual notifications in relation to the work they carry out as data controllers. These notifications can also be viewed on the Public Register by entering the name of the Councillor into the data controller field.
Fair processing of information
The Council is required by law to protect the public funds it administers. It may share information provided to it to other organisations in order to prevent and detect fraud.
More information on fair processing.
Complaints about Data Protection
Complaints under the DPA are dealt with under the Council's Corporate Complaints Procedure
If we are unable to resolve your complaint to your satisfaction you may make a complaint to the Information Commissioner's Office about a breach of the DPA. The Information Commissioner may serve an enforcement notice upon the Council if he is satisfied that there has been a breach.
The ICO can be contacted on:
The Information Commissioner's Office
Cheshire SK9 5AF
Please contact us:
Learning from Complaints
Waltham Forest Town Hall
Walthamstow E17 4JA
Tel 020 8496 3000
Frequently asked questions (FAQs)
- Does the Council disclose Personal Data held on the Council Tax Database to third parties for other purposes?
- Does the Council operate CCTVs and for what purpose?
- Does the Council observe the Information Commissioner’s CCTV Code of Practice on CCTV usage?
- Does the DPA apply to children?
- Do parents have to give their consent before the Council can process information about a child?