The General Data Protection Regulations (GDPR)

On 25 May 2018, the way in which all organisations in the United Kingdom use personal data will change.

From that day, the General Data Protection Regulations will apply across all the countries of the European Union. People in Kirkintilloch or Bearsden will have the same rights over personal information as people in Krakow or Berlin.

Commonly referred to as the GDPR, the new law aims to empower you as an individual, ensuring that you are able to question and challenge how organisations use information about you.

What is personal data?

Personal information is information that allows you to be identified. Often this can be your name and another piece of information, such as your date of birth.

Examples of your personal data:

  • Your name and address
  • Your national insurance number
  • Your library membership
  • Your bank account details
  • Your fingerprints.

Examples of what is not on its own your personal data:

  • Your postcode
  • Your age
  • Your bank
  • Your local Council.

Special category personal information

The Council will always take the utmost care to make sure all your personal information is looked after safely, securely and lawfully. However, the GDPR recognises that some types of personal data are more sensitive than others. The GDPR classifies this type of personal data as special category personal information. The Council will always treat these types of personal information with special care.

Special category personal information:

  • Your race
  • Your ethnic origin
  • Your politics
  • Your religion
  • Your sex life
  • Your genetic information
  • Your biometrical information
  • Your trade union membership
  • Information about your health
  • Your sexual orientation.

The Council’s obligations

In order to provide services to you, the Council has to use information that identifies you. If the Council did not have this information then services could not be provided.

When being used by the Council, your personal information is in the Council’s care. However, the personal information is still yours. The GDPR also places obligations on the Council. It is your right to expect that the Council honours these obligations to you.

East Dunbartonshire Council’s commitment to you

  • Your personal data will be used lawfully, fairly and
    transparently
  • Your personal data will be collected for a clearly
    explained purpose and not used for different
    purposes without your knowledge
  • The personal data used will be enough to provide
    the required service and no more. The Council will
    not obtain personal information from you where
    that information is not needed
  • The Council will ensure that the personal data we
    hold about you is accurate and up to date. All
    inaccurate information about you will be
    corrected or deleted without delay
  • Your personal data will be kept only for as long as
    required to provide the service you require.
    Where information about you is kept for statistical
    or research purposes then the Council will remove
    the features that allow you to be identified
  • The Council will ensure that your personal
    information does not fall into the wrong hands.
    Your personal information will be kept safely and
    securely so that it can be accessed only by those
    who need to do so to provide the service we keep
    it for
  • The Council will show that the use of personal
    data is fair, lawful and transparent.

The principles of the GDPR in full

Personal Data will be:

  • Processed lawfully, fairly and in a transparent manner
    in relation to individuals
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • Adequate, relevant and limited to what is necessary in
    relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date; every
    reasonable step must be taken to ensure that personal
    data that are inaccurate, having regard to the purposes
    for which they are processed, are erased or rectified without delay
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What are my rights?

The GDPR sets out a set of rights that you have over your personal information and how it is held and used. The Council’s Data Protection Officer will offer you advice about these rights. However, requests to exercise your rights can be made to any service and employee of the Council. Requests can be made in writing, by email or post. Some requests can be made verbally, over the phone or in a face-to-face discussion with a Council employee.

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision making including profiling.

Timescales

The GDPR sets out timescales in which to respond to your requests to use these rights. These are based on periods of one month. The period to respond begins the day after the Council receives the request. The Council has until the corresponding day the next month to respond. Where the due date falls on a weekend or public holiday the response will be sent on the next working day after that.

  • Request sent
  • Request received
  • Timescale begins the next day
  • Response issued within one month.

For example a request received on 5 January, time starts on 6 January, response due to be sent on 6 February.

A request received on 30 May, time starts 31 May, response due to be sent on 30 June (as there is no 31 June).

Circumstances in which the timescale may be extended or the request refused

The Council may have to take steps to confirm your identity. This is to ensure that no other individual is attempting to influence the personal information held about you. This will be done as soon as possible and in any event within one month. The timescale to respond to your request starts once the Council is satisfied of your identity.

The Council can extend the timescale to respond to your request to three months if your request is unusually large and/or complicated or if you have submitted many requests. However, the Council must explain to you why this is the case as soon as possible and, in any event, within one month.

If a request is clearly unreasonable, by being vast in scope or by being made repeatedly, then the Council can charge you a reasonable fee for providing the response. The Council may also refuse your request on these grounds. Again, the reason for this would be explained to you clearly.

Responding to your requests to use your rights

The Council will always treat a request from you to exercise your rights with the importance it deserves. A response to your request will be issued as quickly as is possible within the timescales allowed. Where the request requires a decision to be taken, the response will explain this decision to you. This should give you all the information you need to be able to challenge the Council’s decision and refer the concern to the regulators at the Information Commissioner’s Office, should you not agree with it.

The response to your request will do one of the following.

Accept your request

  • The Council will take the requested action over your personal data
  • You will be advised that this has taken place
  • Where required, the Council will contact any other organisations who your personal information has been shared with so that the action is taken there as well.

Reject your request

  • You will receive an explanation from the Council as to why the request regarding your personal information is being refused
  • The Council will keep open the right for you to discuss this further
  • You will be advised on how to appeal the decision to the Information Commissioner’s Office
  • You will be advised that the decision can be challenged through the courts.

Right to appeal

The Council aims to ensure that your rights are complied with fully and that you will never need to refer any concerns you have to the regulators at the Information Commissioner’s Office.

However, you have the right to report any concerns you have to the ICO. Details can be found on the Information Commissioner's Office website.

Right to be informed

  • The Council will tell you how your personal information will be used at the point you provide it to them. This may be through paper forms, forms on the Council website or any personal information you provide over the phone
  • Where the Council obtains personal information about you from another source, you will be advised quickly and, in any event, within one month.

Transparency is an important principle in managing personal information. You should always know what information the Council has about you. It is with this knowledge that you can question and challenge the Council. This knowledge is required to allow you to exercise other rights that you have over your personal data.

When the Council obtains your personal information, you will be told:-

  • When not provided directly by you, what personal information about you is held
  • What the information will be used for
  • What the Council’s justification for using your information is
  • Which functions/ services of the Council will need to access it
  • If your personal information will be shared with any organisations outwith the Council and why doing so is necessary
  • If the Council will obtain information about you from any other organisation
  • How long your personal information will be kept for
  • Who to contact in order to use your rights
  • How to contact the Information Commissioner’s Office should you be unhappy with the way the Council is using your personal information.

Situations where you may not be informed

  • If you already have been informed
  • Where telling you would require a disproportionate effort

Justification for using your personal information

For the use of your personal data to be lawful, the Council must have a justification for using it. The possible valid justifications are listed in the GDPR and are set out below.

  • You have consented to the use of your personal information
  • Your personal information is to be used for a contractual agreement to which you are a party
  • There is a legal obligation on the Council that means your personal data can be used to fulfil that legal obligation
  • Your personal information is to be used to protect your vital interests, e.g. there is a risk to your life and safety if it were not used
  • Your personal information is to be used in order to meet one of the Council’s official functions
  • Your personal information is to be used so that the Council can meet a legitimate interest beyond the statutory services it provides. This use will always be clearly explained to you.

Special Category Personal Data

Special category information must be treated with particular care. The GDPR demands that an additional, stricter, justification must also be met before the Council can lawfully use special category personal data.

Right of access

  • From date of receipt the Council has a calendar month to respond
  • The Council can extend the timescale to three months in certain circumstances
  • The Council may have to take steps to confirm your identity
  • The Council must provide you with a copy of your information free of charge when requested; further copies may be charged for
  • If a request is clearly unreasonable by being vast in scope or a repeatedly made request then the Council can charge you for providing the response or refuse your request.

You have the right to access the information held about you. This can be a request for a copy of your personal data, also known as a Subject Access Request (SAR). However, the right is wider, giving you the ability to request additional information about the way your information is held.

Entitled to receive

  • Confirmation that your personal information is held by the Council
  • The categories of the personal data
  • A copy of that personal data
  • Details on why it is being used
  • Who it has been/ will be shared with
  • How long it will be held for
  • The source of the information
  • Details of your rights to rectification, erasure and objection (explained in this Guide)
  • If the Council uses computer systems to make judgements or take decisions about you
  • An electronic copy of the information
  • Your right to complain to the Information Commissioner’s Office

You have a right to access the information held about you by the Council. However, you do not have a right to obtain the personal information of another person, including family members. If information within your personal data would identify another individual then it may not be disclosed unless the Council can obtain the permission of that person or it is otherwise reasonable to disclose that information. Where possible we seek to redact information relating to other individuals while retaining as much relevant to you as we can.

Right to erasure

  • Can be made in writing or verbally
  • From date of receipt the Council has a calendar month to respond
  • The Council can extend the timescale to three months in certain circumstances
  • The Council may have to take steps to confirm your identity
  • If a request is clearly unreasonable by being vast in scope or a repeatedly made request then the Council can charge you for providing the response or refuse your request.

You may decide that you no longer want the Council to hold information about you. It is your right to ask that this information be deleted from all the Council’s records. If so, the Council must consider if this is appropriate. An important consideration in this decision will be the justification for the Council’s use of the information, set out on page 5 of this Guide, provided to you once the Council obtains the personal data.

Examples where your request is likely to be agreed

  • The personal data is no longer necessary for the purpose it was obtained for
  • Where you had given consent and now wish to withdraw that consent where there is no other lawful reason for the Council to hold the personal information
  • The Council is using your personal information to meet a legitimate interest, that was explained when the personal information was obtained, and you do not agree that this is fair and reasonable
  • The Council is using your personal information to send you marketing or promotional material and you no longer wish to receive this material
  • You do not think that the Council has a valid justification, as set out on page 3 of this guide, to use your personal information
  • There is a legal reason that would compel the Council to stop processing, such as an order from the Court

Examples of where your request may have to be refused

  • Personal information which the Council has a legal obligation to keep
  • Details of money owed to the Council through Council Tax
  • Details of a license you have been granted by the Council
  • Details of your exam marks if you are a pupil at one of the Council’s schools
  • Details of an allegation made against you by a neighbour as part of a dispute
  • Details of fines owed to the Council through parking offenses
  • Personal information about you the Council needs in order to take legal action against you or defend a legal action raised against the Council

Right to restrict processing

  • Can be made in writing or verbally
  • From date of receipt the Council has a calendar month to respond
  • The Council can extend the timescale to three months in certain circumstances
  • The Council may have to take steps to confirm your identity
  • If a request is clearly unreasonable by being vast in scope or a repeatedly made request then the Council can charge you for providing the response or refuse your request.

The right to restrict processing limits the Council’s use of your personal information. It allows you to ask that the personal information is stored by the Council but not used in another way. This right can be used along with other rights, giving you some control of the personal information being held about you.

Examples where your request is likely to be agreed

  • A restriction on your personal data while an investigation is taking place into its accuracy
  • A restriction while you object to the Council’s use of your information for a legitimate interest of the Council
  • Information due to be destroyed which you require in order to challenge the Council’s actions

Examples of where your request may have to be refused

  • Your details are required to provide state benefits
  • Your details are necessary to provide for your wages if you are an employee of the Council.
  • Your details are needed to issue a penalty notice against you for littering

Right to data portability

  • Your personal information will be provided free of charge
  • If reasonable the Council may transfer it directly to another organisation at your instruction
  • From date of receipt the Council has a calendar month to respond
  • The Council can extend the timescale to three months in certain circumstances
  • The Council may have to take steps to confirm your identity
  • If a request is clearly unreasonable by being vast in scope or a repeatedly made request then the Council can charge you for providing the response or refuse your request.

The right to portability allows you to request that the Council give back to you a copy of the information you have given in a way that allows you to transfer it easily to another organisation, such as an Excel Spreadsheet or a format that can be read by machine.

The right covers information which:

  • You have given the Council
  • Is being used because it is necessary for a contract or because you have given the Council your consent to its use
  • Is being used by automated means, i.e. stored and used by computer.

Examples where your request is likely to be agreed

  • Information provided to the Council’s Housing service that would be useful to take to a competing housing provider.

An example from outwith the Council

  • Information about your utility bill that you want to take to another provider.

Examples of where your request may have to be refused

  • Personal data that is being used neither for a contractual agreement nor on the basis of your consent
  • Where the release will impact on the rights of other individuals.

Right to object

  • From date of receipt the Council has a calendar month to respond
  • The Council can extend the timescale to three months in certain circumstances
  • Objection to direct marketing will be dealt with as soon as the request is received
  • The Council may have to take steps to confirm your identity.

You can object to the Council using your personal data when that use is carried out for:-

  • A legitimate interest as explained to you when the information was obtained
  • One of the Council’s public tasks as explained to you when the information was obtained
  • Direct marketing or profiling
  • Information about you being used for scientific, historical research and statistical purposes.

The Council will have to demonstrate to you why it is appropriate to continue to use the personal data.

Examples where your request is likely to be agreed

  • Requests that the Council stop sending marketing or promotional information to you will be accepted
  • If your personal information is no longer required in order to meet the legitimate purpose it was obtained for
  • If there is no longer a need to keep information that identifies you to record the statistical information

Examples of where your request may have to be refused

  • The personal information is required to meet a legal obligation such as to collect council tax from you
  • Details of fines owed to the Council through dog fouling offenses

Rights over profiling and automated decision making

  • From date of receipt the Council would have a calendar month to respond
  • The Council could extend the timescale to three months in certain circumstances
  • The Council may take steps to confirm your identity.

You are entitled to ask that the Council stops using computer algorithms and programs to monitor or predict your behaviour and take decisions about you. Instead, you can ask that an employee of the Council take the decisions that affect you.

An example of this might be where an organisation manages incomes, such as rent due from Council tenants. The use of profiling could identify where support can be given to help the tenant cope with any financial difficulties.

The Council does not use computer systems to profile or make decisions.

Profiling/ Direct Marketing in East Dunbartonshire Council

  • The Council does not use any computer system to profile or take decisions over any member of the public.
  • The Council will always tell you when carrying out any profiling of you using electronic systems or where decisions about you are being made by automated means.
  • A request from you to have human intervention will be accepted.

If you are unhappy with the way East Dunbartonshire Council has processed your personal data you can contact the Council on:

0300 123 4510 or customerservices@eastdunbartonshire.gov.uk.

The Council’s Data Protection Officer can be contacted on the below noted details:

12 Strathkelvin Place
Kirkintilloch
G66 1TJ

Email: DPO@eastdunbarton.gov.uk
Tel: 0300 123 4510

You also have the right to complain to the Information Commissioner’s Office:

Head Office Address:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

Regional Scottish Office Address:

45 Melville Street
Edinburgh
EH3 7HL

Tel: 0303 123 1115
Email: scotland@ico.org.uk