- What information and activities does the DPA cover?
- What is the difference between personal data and sensitive personal data?
- Does the Council have to comply with the DPA and what are our obligations?
- Do Councillors have to comply with the DPA?
- What are your individual rights under the DPA?
- Does the Council tell you when it processes your personal data?
- Can the Council process information about you without your consent?
- What are the exemptions under the DPA and when do they apply?
- What is the difference between the DPA and the Freedom of Information Act 2000?
What information and activities does the DPA cover?
The DPA covers the personal data and sensitive personal data of all living individuals. This includes the personal information of Council’s employees, clients, councillors, contractors etc.
For example, letters, file notes, emails, photographs and CCTV footage of people would be covered in most cases.
However, the mere mention of a person’s name in a record does not necessarily constitute personal data. An important court case [External] has held that to be personal data, the information must:
- be biographical in a significant sense; and
- have the data subject as its focus rather than some other person, transaction or event.
The DPA covers the processing of all personal and sensitive personal data. For example, it applies when the council gives this information to schools, other councils, private companies, or other government agencies. It also covers the Council’s policy on storage, retention, destruction and access to this information.
What is the difference between personal data and sensitive personal data?
The DPA gives greater protection to sensitive personal data by placing more stringent obligations on the Council.
For example, the Council may process personal data with a person’s consent, which can be implied or given orally. However, the Council must process sensitive personal data with explicit consent.
Explicit consent means consent which is expressed precisely and clearly and is readily observable. It generally requires a person to do something actively such as tick a box or sign a form. The Council cannot assume to have your consent to process your sensitive personal data because you fail to tell us otherwise.
Does the Council have to comply with the DPA and what are our obligations?
The Council is a Data Controller so it must comply with the DPA.
The Council’s obligations are to:
- Notify the Information Commissioner that it handles information about people, the purposes for which the council handles information, to whom it discloses the information and the Council’s contact details. This information is listed on the Information Commissioner’s Public Register of Data Controllers.
- Comply with the 8 data protection principles
- Comply with your rights as set out in the DPA
Do Councillors have to comply with the DPA?
It depends. A councillor acts in three different roles;
- As a representative of the Council (in this case a Councillor is like an employee of the Council);
- As a member of a political party; and
- In his or her own right.
When a councillor acts as a representative of the Council, he or she is not individually responsible under the Act, rather, the Council is the data controller.
When a councillor acts as a member of a political party, the political party is the data controller.
When a councillor acts in his or her own right, he or she is a data controller is his or her own right and must comply with the DPA and must submit a notification to the Information Commissioner.
What are your individual rights under the DPA?
The Act gives you the following rights:
- To access information held about you. If you want to see the information we hold about you, please complete the relevant Subject Access Request Form.
- To prevent any processing of your personal data likely to cause damage or distress.
- To request that the Council stop processing information about you for the purposes of direct marketing.
- To request that the Council does not make evaluative decisions that significantly affect you, based solely on the processing of information by automatic means.
- To apply to the court to have personal data rectified, blocked, erased or destroyed. The court must be satisfied that the personal data being processed is inaccurate. In some cases, despite being inaccurate, data may accurately reflect information that was passed to the Council, for example, a person may state their opinion on a matter. In these cases, the court can order a court approved statement of the true facts.
Does the Council tell you when it processes your personal data?
Yes.
When the Council processes personal and sensitive personal data we give you a fair collection notice which tells you what the Council does with your personal data and why. This fair collection notice will usually be provided on a form which asks you for your personal data or may be explained to you by a customer services representative.
Can the Council process information about you without your consent?
Yes.
The Council only needs to fulfil one out of a number of conditions before it can process your personal data and consent is only one of those conditions.
Other conditions include processing which is necessary for:
- the performance of a contract;
- compliance with a legal obligation;
- the administration of justice; or
- the purposes of the Council’s legitimate interests.
However, the Council must ensure that in every case it has lawful authority to process your information. This means, the Council processes your personal data under one of its legal powers.
In addition, the Council must give you a fair collection notice which informs you about how your personal data will be processed.
The Council must also comply with the other data protection principles.
What are the exemptions under the DPA and when do they apply?
The DPA contains a number of exemptions which allow the Council to deny you access to information under a subject access request and to disclose personal data about you which would otherwise be forbidden under the data protection principles.
The main exemptions relevant to local authority held information are:
- Personal information about someone else
- Law enforcement and National Security
- Disclosures required by law or made in connection with legal proceedings
- Lawyer-Client Communications
- References
- Negotiations
- Other
Personal information about someone else
Where a record of your personal information contains information about a third party, the Council will not provide you with this information unless the third party’s information can be deleted or that third party consents to the disclosure of his or her personal data.
In some case, third party information can be disclosed to you without that person’s consent if this is reasonable in all the circumstances. In this case, we would consider:
- whether a duty of confidentiality is owed to that person;
- what efforts have been made to obtain that person’s consent;
- whether that person is capable of giving consent; and
- whether that person has expressly refused his or her consent.
This exemption also covers information which identifies the person who provided the Council with your personal data.
Law enforcement and National Security
Personal data may be disclosed for the following purposes:
- the prevention and detection of crime;
- the apprehension or prosecution of offenders;
- or the assessment and collection of any tax or duty
If the application of the certain data protection principles prejudices any of these purposes, they will not apply. This exemption would cover disclosures to the police, Inland Revenue, or even a bank in cases where were fraud is suspected.
Similarly, the Council can refuse you access to your personal data if to do so would prejudice any of these purposes. Personal data can also be withheld from you if it is required for the purpose of safeguarding national security. You can challenge a refusal to provide you with access by going to the Information Commissioner.
Disclosures required by law or made in connection with legal proceedings
The Council can disclose personal information if:
- It is required by law, for example, the Children’s Act 2004 requires us to disclose information onto the Information Sharing Index;
- For the purpose or in connection with legal proceedings;
- For the purpose of obtaining legal advice; or
- It is necessary in order to exercise, establish or defend legal rights.
Lawyer-client communications.
Communications between the Council and its legal advisors which contains legal advice generally or in legal advice in preparation for legal proceedings and is covered by legal professional privilege which means it is confidential and will not be provided to you, even if it contains your personal data.
References
References are exempt from subject access in some cases. For example, you do not have a right to obtain a confidential reference from the person or body that gave it, even if it could be disclosed without identifying the individual concerned.
However, you are entitled to see a reference held by the person to whom it was supplied. For example, unsuccessful job applicants can see a reference supplied and held by the Council as long as it does not identify the individual who gave it.
For more information about asking to see a reference of personnel matters generally, please contact Human resources on recruit@walthamforest.gov.uk, or post to: HRSSC, Room 009, Waltham Forest Town Hall, Forest Road, London, E17 4JF.
Negotiations
Where the Council is in course of negotiations with you, we do not have to provide you with access to any of your personal data which consists of our intentions in relation the negotiations, if to do so would prejudice those negotiations. However, this exemption does not apply to general opinions and intentions towards you generally.
Other
There are many other exemptions such as personal data:
- used solely in connection with an individual’s personal or family affairs;
- kept solely for statistical, historical or research purposes and published anonymously;
- processed for the publication of journalistic, literary or artistic material;
These exemptions are set out in Part IV of the DPA.
What is the difference between the DPA and the Freedom of Information Act 2000?
The DPA applies to the processing of personal data only. It also gives an individual the right to make a subject access request to see his or her personal data. The Council must respond to a subject access request within 40 calendar days.
The FOI Act, on the other hand, provides a general right of access to all types of recorded information held by the Council, subject to a number of exemptions. The Council must respond to an FOI request within 20 working days. For information about the FOI Act and to make a request, see Information on the FOI Act and the Environmental Information Regulations
