Data protection

Skip to:

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 apply in the UK and work together to govern the processing of personal data. 

They place duties on organisations on how they collect, process, store and disclose information about people.

It also gives individuals (data subjects) the right of access to information held about themselves.

Principles

The legislation has core principles adopted when handling personal data.

  1. Lawful, fair and transparent. This means we must process information lawfully, fairly and in a transparent manner.
  2. Purpose limitation. This means we must only collect data for specified, explicit and legitimate purposes. We will not use data for anything beyond the appropriate purposes.
  3. Data Minimisation. We will only collect the minimum amount of data required for the purpose. We will not collect more data than is necessary. 
  4. Accuracy. Personal data will be accurate and regularly updated where necessary. Every reasonable step must be taken to correct inaccurate data as soon as possible.
  5. Storage Limitation. We will not keep identifiable data for a period longer than needed, according to the purpose for which the data is processed.
  6. Integrity and Confidentiality. We will ensure that data is processed securely, depending on the type of data. We will safeguard against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Terms and definitions

The DPA contains a few terms. The key ones are below.

Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’.)

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • a name
  • an identification number
  • location data
  • an online identifier

or to one or more factors specific to the:

  • physical
  • physiological
  • genetic
  • mental
  • economic
  • cultural
  • social identity of that natural person

Special category data

Special category data is personal data relating to:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data; biometric data for identifying a natural person
  • data about health
  • data about a natural person’s sex life or sexual orientation

We take extra care with special category data as required.

Criminal data

Criminal data is not considered special category data under the legislation. It still gets the same care as special category data and only processed where we have a legal right to do so.

Data subject

An individual who is the subject of the personal data.

Data controller

The person or organisation that determines personal data usage and processing. The council is a data controller.

Data processor

A person or organisation which processes personal data for the data controller. Does not decide on data usage.

Processing

Processing includes all actions in relation to personal data such as:

  • collecting
  • recording
  • holding
  • organising
  • adapting
  • altering
  • retrieving
  • consulting
  • using
  • disclosing
  • storing
  • erasing
  • destroying
  • blocking
  • disseminating