Privacy and Data Protection

Under the Data Protection Act 1998 an individual is entitled to ask the London Borough of Richmond upon Thames (“Council”) for copies of the personal information which the Council holds about him/her. Subject to certain exemptions under the Act, the Council is required to provide the individual access to his/her personal information as requested.

To enable the Council to comply with your request to see your personal information, could you please print and complete the Subject Access Request form (MS Word, 865KB).

Data Protection Statement

1. Introduction

The Data Protection Act regulates the way in which personal information about individuals, whether held on a computer or in a manual filing system, is obtained, stored, used and disclosed. The legislation grants rights to individuals, to see the data stored about them and to require modification of the data if it is wrong. The Council is registered with the Information Commission for the purposes of the Act.

2. Principles

The Data Protection Act 1998 contains 8 governing Principles relating to the collection, use, processing and disclosure of data, and the rights of data subjects to have access to personal data concerning themselves. These Principles are:

  • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless one of the conditions in Schedule 2 is met. These can be summarised as consent, contract, legal obligation, vital interests, public interest and balance of interest. In the case of sensitive personal data at least one of the conditions in Schedule 3 must also be met, which can be summarised as explicit consent, employment law, vital interests, non-profit associations, manifestly made public, legal claims, justice/statute Crown, medical purposes, ethnic monitoring.
  • Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes.
  • Personal data shall be processed in accordance with the rights of the data subject under this Act (this includes the rights of subjects to access the data and to correct it).
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (this relates to data security).
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be erased once the need to hold it has passed. Every effort will be made to ensure that data is accurate and up-to-date, and that inaccuracies are corrected quickly. Details of what the Council does with personal data it holds are contained in its Personal Information Policy which is accessible on each page on the Council’s website in paper format.

Subject Access

The Council will normally provide any individual who requests it, in a specified manner, with a reply stating whether or not the Council holds personal data about that individual for which a fee is payable.

Disclosures

Disclosures of information must be in accordance with the provisions of the Act and the Council’s registration/notification. Where the Council has a duty to disclose certain data to public authorities (such as Inland Revenue, Customs and Excise, Benefits Agency), this will be done in accordance with statutory and other requirements.

Legal and internal rules limit disclosure within the authority either to council officers or elected members. When a request for information is made, the minimum of personal data will be made available on a need-to-know basis.

Confidentiality

The Council intends that personal data must be treated as confidential. All staff must comply with the Council’s Data Protection Policy, Confidentiality & Information Security and all new staff must sign a confidentiality agreement.

Training

It is the aim of the Council that all staff are fully informed of their obligations under the Data Protection Acts and aware of their personal liabilities, and that, where appropriate, training is given.

Disciplinary Action

Disciplinary action may be taken against any employee who breaches the Data Protection Act principles.

3. Responsibilities

Overall responsibility for the efficient administration of the Data Protection legislation lies with the Information Lawyer assisted by the Data Protection and Freedom of Information Officer.

Day to day responsibility for administration and compliance with the Act is delegated to departmental Information Managers.

All Officers and Members (Councillors) have a duty to observe the Principles of the Act and the procedures referred to in this document.

Councillors are data controllers when they process personal data either manually or by computer, whether on their own equipment or on equipment provided to them by their local authority. Just like any other individual holding and processing personal information about others, Councillors need to comply with the Data Protection Act, and need to be individually registered with the Information Commissioner.

However, where holding and processing personal data about individuals in the course of undertaking council business, the elected member will be covered by the authority’s notification and have the same responsibilities in respect of data protection as an employee of the authority.