West Lindsey District Council will comply with the General Data Protection Regulation (GDPR) principles and the Data Protection Act.
Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
The council’s Privacy Notice sets out how we collect, process and store personal data.
The Data Protection legislation also gives data subjects additional rights about the information we hold about them and how we use it, including the following:
- Right of access - this right provides the data subject with the ability to ask for information about what personal data (about him or her) is being processed and the rationale for such processing. The data subject can request access to see and view their own personal data, and can request copies of the personal data.
- Right to rectification - provides the data subject with the ability to ask for modifications to their personal data in case the data subject believes that this personal data is not up to date or accurate.
- Right to withdraw consent - provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a specified purpose. This is only applicable where the lawful basis for processing the personal data is because the data subject has given consent to the processing of their personal data for one or more specific purposes.
- Right to object - provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted.
- Right to object to automated processing - provides the data subject with the ability to object to a decision based on automated processing. Using this right, a data subject may ask for their request for a service to be reviewed manually, because they believe that automated processing of their request may not consider their unique situation.
- Right to erasure (also known as the right to be forgotten) - allows the data subject to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right, and depends on the retention schedule and retention period in line with other applicable laws. It is not available, for instance, where the legal basis for processing the data was “Legal Obligation” or “Public Task”.
- Right for data portability – allows the data subject to ask for transfer of their personal data. As part of such request, the data subject may ask for their personal data to be provided back to them or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.
Data Protection Officer: Steve Anderson
West Lindsey District Council
Guildhall, Marshall's Yard