General Data Protection Regulation (GDPR)

Data protection law changed in 2018 with the rights of individuals being significantly enhanced by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Most employees will deal with personal information as part of their job.

What is personal data?

Personal data is information relating to a living individual (a "natural person") who:

  • can be identified, directly, from the information in question; or
  • can be identified indirectly, from that information in combination with other information.

Personal data may also include special categories of personal data (for example information about health, ethnic origin, religious beliefs or sexual orientation) and criminal conviction and offences data. These are considered more sensitive, and you may only process them in more limited circumstances: you need a lawful basis in the usual way, plus an additional condition that specifically permits that kind of processing.

Information about a deceased person is not personal data and therefore is not subject to data protection law.

Information about companies or public authorities is not personal data.

Rights of individuals

The GDPR provides a number of rights for individuals. When individuals want to exercise these rights, they will contact the relevant service or the council's data protection officer. The council should then respond to the request, in most cases within one calendar month; this can be extended where a request is complex or where several requests are received from the same person, but the individual must be told about the extension within the first month.

The right to be informed is a little different. Individuals should be told what will be done with their information at the time the information is collected. You must be open and honest, and tell people why you need their information, what you will do with it, how long you will keep it and who you will share it with. This information is known as a "privacy notice". Guidance on preparing these notices is available from Legal Services.

Key principles

Is it lawful?

  • You must have an appropriate reason for processing personal information (known as a lawful basis).
  • You must document that reason.
  • You must not do anything generally unlawful with personal data.

Is it fair?

  • You must consider how the processing may affect the individuals concerned and be able to justify any adverse impact.
  • You must only handle people's data in ways they would reasonably expect, or be able to explain why any unexpected processing is justified.
  • You must not deceive or mislead people when collecting their personal data.
  • You need to stop and think not just about how you can use personal data, but also about whether you should.

Why are you processing personal information and what allows you to do that?

  • You must tell individuals why you are processing their information.
  • You must use clear and plain language.
  • Be clear about when consent is required - it isn't always.

How much information do you need?

  • You must only collect personal data you actually need for your specified purposes.
  • You must have enough personal data to properly fulfil those purposes.
  • You should periodically review the data you hold, and delete anything you don't need.

Is the information accurate? 

  • You must ensure that any personal data you create is accurate.
  • If you need to keep a record of a mistake, you must clearly identify it as a mistake.
  • Your records must clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.
  • As a matter of good practice, you should keep a note of any challenges to the accuracy of the personal data.

How long do you keep the information?

  • You should know what personal data you hold and why you need it.
  • You should carefully consider, and be able to justify, how long you keep it.
  • You should regularly review your information and erase or anonymise personal data when you no longer need it.

Is the information safe?

  • You must ensure that you have appropriate security measures in place to protect the personal data you hold. "Appropriate" means proportionate to the risk: the more sensitive the data and the greater the harm if it were lost or disclosed, the stronger the measures (such as access controls, encryption of devices and removable media, and secure disposal) need to be.

Data breaches

If you become aware that a personal data breach has occurred, or may have occurred, contact your line manager and IT services in the first instance. The data protection officer should also be advised of the situation, and the council's process should then be followed. Report promptly even if you are unsure: the council may be required to notify the Information Commissioner within 72 hours of becoming aware of a breach, and that clock does not wait for an internal investigation to finish.

A personal data breach is not only a deliberate theft of data. There is a personal data breach whenever:

  • personal data is lost, destroyed or corrupted;
  • personal data is disclosed to, or accessed by, someone without proper authorisation, or passed on without proper authorisation;
  • personal data is made unavailable, for example when it has been encrypted by ransomware, or when the only copy has been accidentally lost or destroyed.

More information is available from the Information Commissioner's Office (ICO).