General Data Protection Regulation (GDPR)
A new data protection law, the GDPR, came into force on the 25th May 2018. Along with the new Data Protection Act 2018, it provides individuals with greater rights over the use of their personal information, and ensures organisations use the information fairly, transparent and securely. It also sets out the lawful ways in which the Gloucestershire County Council can use this information.
Information is the life blood of the council. Without it, our jobs would be impossible to do. In order to operate efficiently, we have to collect and use information about people with whom we work.
This information may include members of the public, current, past and prospective employees, clients and customers, and suppliers. We may be required by law to collect and use information in order to comply with the requirements of central government or meet our legal obligations. All personal information must be handled and dealt with properly, no matter how it is collected, recorded and used, and whether it is on paper, in computer records or recorded by any other means. The council has a responsibility for its safe handling and we have put in place technical and organisational measures to ensure this.
Below are a few questions that you may have about how the council uses your information, and how you can use the rights that you have. Clicking on the arrow next to the question will make a drop down with further information appear.
What sort of information does GDPR cover?
GDPR applies to information that we collect and use about living individuals. Depending on how you have interacted with the council, this information could include:
- Names and contact details,
- Personal and family details,
- Information about the services we provide to you,
- Sensitive information such as ethnicity, sexual orientation and mental or physical health details,
- Images capture by CCTV on our premises,
- Criminal convictions or offences.
GDPR does not apply to information about deceased individuals. However, we are still bound by a Common Law of Confidentiality to be responsible when we are handling this sort of information.
Where can I find your Privacy Notice?
The council has a responsibility to tell individuals how we are going to use their personal information. We do this through a document called a Privacy Notice. You can find the council's general Privacy Notice by clicking the link below:
We also maintain a number of privacy notices for specific services, such as adult social care or recruitment, which provide you with more information about how and why the data is used. You can find links to these on the same page.
What rights do I have over the use of my information?
GDPR gives you a number of rights over your personal data. Not all of these rights are automatic, and some may not be available to you at all times. For instance, where there is a legal obligation for us to withhold or retain data. If the council refuses to oblige your rights, we will always explain why this is and our reasons for doing so.
You have the following rights:
- Right to access information we hold about you,
- Right to withdraw consent when you have given it to us,
- Right to rectification (correction) of inaccurate information,
- Right to erasure of information we hold about you (this is sometimes called the 'Right to be forgotten'),
- Right to object to the way we have used your information,
- Right to data portability,
- Rights relating to automatic decision making or profiling, where there has been no human involvement.
If you wish to contact the council to use one of these rights, please click the link below:
How does my Councillor use my information?
The council is supporting County Councillors throughout the changes that GDPR brings. You may contact your County Councillor for help with a local issue. They will usually want to get advice from council officers or our providers to be able to help you. If you are contacting your County Councillor, they will usually assume that your request for their help or support implies permission to contact the county council and pass on your personal data, unless you state otherwise.
How does the council look after my information?
Technical and physical security measures
The council protects the privacy and security of all data that we control and process. This protection includes:
- Baseline security recruitment checks
- Controlled staff pass access to buildings and systems
- Servers based within the United Kingdom
- Our network is Cyber Essentials Plus and Public Services Network (PSN) accredited
- Regular patching and updating of systems to maintain the security and integrity of the council network
Policies and procedures
The council also ensures that its policies and procedures reflect good practice for data protection and that staff are aware of these. This includes:
- Review and acceptance of Data Protection, Internet Acceptable Use, Email Acceptable Use and Information Security policies by all staff – completion is monitored and recorded electronically
- Online Data Protection training for all new staff – completion is monitored and recorded electronically
- Automatic locking of PCs when not in use
- A clear procedure for reporting and dealing with suspected breaches of data protection
- Our approach is accredited by the NHS Data Security and Protection Toolkit
How long do you keep my information for?
We keep personal information for different lengths of time depending on the purposes for which it was collected. Sometimes the law will specify how long we have to hold personal data for. You can find detailed information on how long we keep personal data for by viewing the council’s Records Retention and Disposal Schedule, which is available by clicking the link below;
PLEASE NOTE: In July 2015, the Chair of the Independent Inquiry into Child Sexual Abuse issued a moratorium on the destruction of files with content relating “directly or indirectly to the sexual abuse of children or to child protection and care.” Knowingly destroying any such files could constitute a criminal offence under the Inquiries Act 2005. Until further notice, council teams must not destroy any records relating to children; services provided to children; and individuals who work(ed) with children.
Who regulates data protection law?
The Information Commissioner's Office is the supervisory authority who regulates Data Protection law within the UK.
You can visit their website by clicking on the link below: