What is Data Protection?

Data protection is a body of law which protects people’s personal information from misuse by placing controls on organisations and people who handle personal information. The principal piece of legislation is the Data Protection Act 1998 (DPA).

The DPA

The DPA covers all processing of personal data which includes the collection, storage, use and disclosure of personal data.

The Council must comply with the DPA in respect of all the personal information that it holds about individuals whether they are an employee, elected member or a member of the public.

The DPA places a number of obligations on the Council when it processes personal data.  For example, the Council must notify the Information Commissioner about the information it holds and the purpose for holding such information and it must also comply with 8 data protection principles.

Definitions

The DPA contains a number of terms which must be explained in order to gain a proper understanding of the DPA.  The most important terms are defined below.

Personal data - Personal data is data about a living individual who can be identified from that data alone or from that data and any other data which the Council holds or is likely to hold in the future.

Also, personal data must be held in a record and must be:

  • processed or held for the purpose of being processed, by means of automatically operated equipment, or

  • part of a ‘relevant filing system’, which means information structured according to some reference name or number so that it is accessible, or

  • part of an accessible record, which means a health record, educational record or public record such as housing records.

Manual data or data which is not held in any structured way is not covered by the DPA in most cases.

Sensitive Personal Data - This is personal data which is about a person’s:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • membership of a trade union
  • physical or mental health
  • sexual life
  • commission or alleged commission of an offence
  • legal proceedings or sentencing for any offence

Data Controller - A data controller is a person or organisation which holds personal data or sensitive personal data and controls how it is used.  The Council is a data controller.

Data Processor - A data processor is a person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used.  The Council’s contractors are data processors.

Data Subject - The individual who is the subject of the personal data.

Processing - Processing is very broad and includes all activities relating to personal data such as collecting, using, disclosing, storing, altering, erasing, destroying, disseminating, blocking and recording personal data.

The 8 Data Protection Principles

The Council must comply with 8 Data Protection Principles, which regulate how personal information can be used.  Personal data must be:  

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept for longer than is necessary
  • processed in line with your rights
  • secure
  • not transferred to countries without adequate protection.

This is a summary.  The full principles can be found here.  

Complaints about Data Protection

Complaints under the DPA are dealt with under the Council’s Corporate Complaints Procedure.

If we are unable to resolve your complaint to your satisfaction, you may make a complaint to the Information Commissioner's Office (ICO) about a breach of the DPA. The Information Commissioner may serve an enforcement notice upon the Council if he is satisfied that there has been a breach.

The ICO can be contacted at:

The Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF

Further information

Please contact us:

Corporate Information Officer
Corporate Legal Department Office
Waltham Forest Town Hall
Forest Road
London
E17 4JA

Tel:      020 8496 4710