The Council has to process personal data in order to carry out our functions as a borough council, but we can only do this where there is a legal basis. This is known as the ‘lawful basis for processing’.
GDPR extends individuals’ rights in terms of this processing, for example the right of access (also known as Subject Access Requests). It also introduces some new ones, such as the:
- right to erasure
- right to restrict processing
- right to data portability
However, these rights are not absolute and their availability depends on which lawful basis for processing the council is using. This means that, due to the nature of our business, not all of the individuals’ rights listed below are applicable to everyone.
| Lawful basis | Right to erasure | Right to portability | Right to object |
|---|---|---|---|
| Consent | Yes | Yes | No |
| Contract | Yes | Yes | No |
| Legal obligation | No | No | No |
| Vital interests | Yes | No | No |
| Public task | No | No | Yes |
| Legitimate interests | Yes | No | Yes |
Right to be informed
The GDPR sets out the information that we must supply and when individuals must be informed. We do this through a ‘Privacy Notice’. The notice also provides more details on which of the lawful basis for processing we use.
Right to access
The reason for allowing individuals to access their personal data is so that they are aware of what we hold and can verify that we have a valid lawful basis to process it.
We will usually supply this information free of charge unless the request is manifestly unfounded or excessive. It will be provided without delay and at the latest within one month of receipt, although this can be extended by two months where requests are complex or numerous.
As we must verify the identity of the person making the request, individuals will be asked to provide two proofs of identity, including confirmation of their current address. Copies will be accepted if posted but we reserve the right to have sight of original documentation. Please note, a signed letter of authority from the data subject will be required if someone else is acting as their agent.
Normally we will disclose the requested information but on occasion it may not be possible to do so if supplying it would be likely to, for example, compromise the way a crime is detected/prevented.
Requests can be made verbally, by letter and by email to our Data Protection Officer.
Email: foi@cumberland.gov.uk
Right to rectification
Individuals can ask us to rectify any inaccuracies in the personal data we hold about them, including incomplete data.
Personal data is deemed inaccurate if it is incorrect or misleading.
As a matter of good practice, we should restrict the processing of the personal data in question while we are verifying its accuracy, whether or not you have exercised your right to restriction.
We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it.
Where we’ve disclosed the personal information to a third party we must also inform them of the rectification where possible.
We have a month to respond to the request unless it’s complex, in which case we can extend the timescale by two further months. If we do not take any action in response to a request for rectification we will notify you and inform you of your right to complain to the ICO.
You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Email: foi@cumberland.gov.uk
Right to erasure
Formerly known as ‘the Right to be Forgotten’. The right is not absolute and only applies in certain circumstances.
You can ask us to do this where:
- there is a problem with the underlying legality of processing
- consent is withdrawn
- the data is no longer necessary for the purpose for which it was collected or processed
- there is no overriding legitimate interest for continuing the processing
We have one month to comply.
We may ask for information from you to confirm your identity and will not need to comply with the request until we have received it.
The council will also inform any third parties to whom we have already disclosed the personal data, unless it is impossible or involves a disproportionate effort.
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
- for the establishment, exercise or defence of legal claims
You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Email: foi@cumberland.gov.uk
Right to restrict processing
This is where data is held in limbo while challenges to its processing are resolved.
In most cases we will not be required to restrict your personal data indefinitely, but only for a certain period of time.
This is not an absolute right and only applies in certain circumstances, for example:
- where an individual disputes the accuracy of the personal data
- where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests) and we are considering whether our organisation’s legitimate grounds override those of the individual
- where processing is unlawful but the individual objects to erasure
- where we’ve no further use for the data but an individual requires it for legal claims
In these circumstances the council may store the personal data but not process it further. However, we will retain just enough information to ensure that the restriction is respected in the future.
The GDPR suggests a number of different methods that could be used to restrict data, such as:
- temporarily moving the data to another processing system
- making the data unavailable to users
- temporarily removing published data from a website
We will act upon a request without undue delay and at the latest within one month of receipt. If we decide to subsequently lift a restriction we will notify you of this before the restriction is removed.
You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Email: foi@cumberland.gov.uk
Data portability
This right allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way. However, it only applies to personal data which you have provided to us, where processing is based on consent or in performance of a contract and when processing is carried out by automated means.
If you request it, and it is technically feasible, we may transfer data directly to another organisation.
We must respond to such a request within one month although this may be extended to two months if the request is complex or we receive a number of requests.
If we are unable to comply we will let the individual know and inform them of their right to complain to the ICO.
Email: foi@cumberland.gov.uk
Right to object
This right only covers specific types of processing, although there is an absolute right to stop direct marketing. Whether it applies depends on our purposes for processing and our lawful basis for processing.
The council processes the majority of personal data based upon its ‘public task’ responsibilities (ie for the performance of a task carried out in the public interest or for the exercise of official authority vested in it). In these circumstances you must give specific reasons why you are objecting to the processing of your data, based upon your particular situation.
We must cease processing unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms or where processing is required for legal claims.
In particular, if you object on the grounds that the processing is causing you substantial damage or distress (eg the processing is causing you financial loss), the grounds for your objection will have more weight.
It is our responsibility to demonstrate that our legitimate grounds override yours.
You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Email: foi@cumberland.gov.uk
Rights related to automated decision making, including profiling
Automated individual decision-making is a decision made by automated means without any human involvement.
Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals.
You can make a request for rectification verbally, by letter and by email. We also have a standard form that you can complete and submit to us electronically.
Email: foi@cumberland.gov.uk
Complaints
If you are dissatisfied with the way your request has been handled you should initially contact the Information Governance Officer.
Email: foi@allerdale.gov.uk
Telephone: 0300 373 3730
You can also complain to the Information Commissioner.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Please note, generally the ICO will not make a decision unless you have exhausted the complaints procedure provided by Cumberland Council.