Privacy and data protection

The Data Protection Act regulates the way in which personal information about individuals, whether held on a computer or in a manual filing system, is obtained, stored, used and disclosed.

It grants rights to individuals to see the data stored about them and to require modification of the data if it is wrong. We are registered with the Information Commissioner for the purposes of the Act.

Data Protection Statement


The Data Protection Act 1998 contains 8 governing Principles relating to the collection, use, processing and disclosure of data, and the rights of data subjects to have access to personal data concerning themselves.

These Principles ensure that all data shall:

  • Be processed fairly and lawfully and, in particular, shall not be processed unless –
    (a) at least one of the conditions in Schedule 2 is met. These can be summarised as consent, required by contract, legal obligation, vital interests, public interest and balance of interest.
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 must also be met. These can be summarised as explicit consent, legal requirement, employment law, vital interests, non-profit associations, manifestly made public, legal claims, justice/statute Crown, medical purposes, ethnic monitoring.
  • Be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Be accurate and, where necessary, kept up to date.
  • Not be kept for longer than is necessary for its purpose or purposes.
  • Be processed in accordance with the rights of the data subject under this act (this includes the rights of subjects to access the data and to correct it).
  • Be kept secure and appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data against accidental loss or destruction of, or damage to, personal data (this relates to data security).
  • Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be erased once the need to hold it has passed. Every effort will be made to ensure that data is accurate and up-to-date, and that inaccuracies are corrected quickly. Details of what the Council does with personal data it holds is contained in its Personal Information Policy which is accessible on each page on the Council’s website in paper format

Subject Access

The Council will normally provide any individual who requests it, in a specified manner, a reply stating whether or not the Council holds personal data about that individual for which a fee is payable.

To enable the Council to comply with your request to see your personal information, make a subject access request.


Disclosures of information must be in accordance with the provisions of the Act and the Council’s registration/notification. Where the Council has a duty to disclose certain data to public authorities (such as Inland Revenue, Customs and Excise, Benefits Agency), this will be done in accordance with statutory and other requirements.

Legal and internal rules limit disclosure within the authority either to council officers or elected members. When a request for information is made, the minimum of personal data will be made available on a need to know basis.


The Council intends that personal data must be treated as confidential. All staff must comply with the Council’s Data Protection Policy, Confidentiality & Information Security and all new staff must sign a confidentiality agreement.


It is the aim of the Council that all staff are fully informed of their obligations under the Data Protection Acts and aware of their personal liabilities, and where appropriate training is given.

Disciplinary action

Disciplinary action may be taken against any employee who breaches the Data Protection Act principles.


Day to day responsibility for administration and compliance with the Act is delegated to departmental Information Managers.

All Officers and Members (Councillors) have a duty to observe the Principles of the Act and the procedures referred to in this document.

Councillors are data controllers when they process personal data either manually or by computer, whether on their own equipment or on equipment provided to them by their local authority. Just as any other individual holding and processing personal information about others, Councillors need to comply with the Data Protection Act, and need be individually registered with the Information Commissioner.

However, where holding and processing personal data about individuals in the course of undertaking council business, the elected member will be covered by the authority’s notification and have the same responsibilities in respect of data protection as an employee of the authority.

Information governance

Read more details about how we handle information governance. You can make a complaint if you are not satisfied with how we deal with your enquiry.

Updated: 19 April 2017