The guide explains what data protection is, what a subject access request is, and how to submit one.
What is data protection?
The Data Protection Act regulates the way we handle and process your personal data that we hold.
New rules on how we collect and process your personal data were introduced on 25 May 2018.
Personal data is information which relates to a living person who can be identified from the information itself, or by linking it with other information. For example, it could be your name and address, a school pupil's record or your own health information.
Processing personal data
Processing personal data is the name given to anything that we do with your personal data that we hold. For example, entering your details into our computer systems or storing a completed form in a filing cabinet.
We have a legal requirement to comply with all elements of the Data Protection Act.
The reform to the old Data Protection Act (1998) was brought about by the General Data Protection Regulation (GDPR).
GDPR is a European regulation that set out the changes that the UK needed to implement in a new Data Protection Act.
It gives you more rights and control over how your personal data is handled.
The new data protection law has created one set of rules for everyone in the European Union. This established a unified approach to protecting personal data for all EU individuals.
When the previous Data Protection Act (1998) was introduced, the internet was still very new. People didn't fully understand its impact, especially relating to personal information.
As technology continues to develop, new definitions of personal data are being introduced. These include your IP address or your location information from your mobile phone. Your IP address is a label which is used to identify one or more devices on a computer network such as the internet. It is similar to your postal address and is a series of long numbers.
The new Data Protection Act (2018) introduces more safety measures about how your personal data is used by organisations. It takes into account new mobile technology which captures personal data to help you trust how it is processed and shared.
As a service we have:
introduced new documenting and processing procedures
strengthened our rules for deleting and removing personal data
changed how we communicate with you to be open about what we do with your data
made sure that we perform privacy impact assessments for certain customers
used only the minimum amount of personal data that we need to deliver a service to you
responded to personal data enquiries within the appropriate timeframe
notified you, where required, if we lose your personal data and breach the Act.
Under the new rules, as a public body we were also required to appoint a Data Protection Officer. This is a dedicated senior officer who enforces how we collect and process your personal data in line with the new data protection law.
What is a Subject Access Request?
The UK General Data Protection Regulation gives individuals (data subjects) a number of rights, including the right to access personal data that an organisation holds about them. The right of access extends to all information held on an individual and includes personnel files, databases, interview notes and emails referring to the individual. If an individual makes a request to view their information, it is known as a "Subject Access Request".
How do I submit a Subject Access Request?
supply information to prove who you are (to eliminate risk of unauthorised disclosure)
supply appropriate information to help locate the information they require.
The request should include details and provide evidence of who you are (e.g. driving licence, passport, birth certificate, utility bills). You should also provide as much detail as possible regarding the information you wish to access (e.g. where and by whom information is believed to be held, specific details of information required).
You are not required to state WHY you wish to access the information: the details we require are merely those that will aid the efficient location and retrieval of information.
Once the Officer receives a Subject Access Request, all efforts will be made to fully comply within one month. In any event, you will receive all the information that has been located and can be released within one month and an explanation for any information that cannot be provided at that time.
Submit a request for information
You can contact us about your personal data queries by using the following methods: