The UK General Data Protection Regulation and Data Protection Act 2018 became law on 25 May 2018.
It gives us the responsibility of handling your data securely and ensures that we do not disclose it to other people or organisations without meeting legal conditions that protect your privacy. For example, in some circumstances we may need to ask your permission first.
The Act calls users of personal data ‘data controllers’. Data Controllers, such as the district council, must work within the requirements of the Act when obtaining and using information about you. The Information Commissioner regulates the Act and maintains a public register of data controllers. Detailed information about the Act can be found on the Information Commissioner’s website.
We regard the lawful and correct treatment of personal data as vital to maintaining the confidence of the many individuals we deal with. We will treat personal data lawfully and correctly and will comply with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and our Data Protection Policy.
We hold a wide range of information, some of which is personal.
We collect and hold certain personal data so we can provide you with the services you require. For example, we process data to:
The Information Commissioner maintains a public register of data controllers. Each register entry gives details of the data controller and a general description of what the personal data held is used for.
Your rights are detailed within the East Suffolk Privacy Notice.
Normally, personal data we hold about you has been collected for a specific purpose. However, occasionally consent may be required when using data for a different purpose from that for which it was gathered.
Positive consent is required for any discretional services that we provide to you.
All application forms and requests for your personal information explain why we require the information requested and whether or not we need your consent.
You can access the information we hold about you by making a Subject Access Request. Requests for information can be made by completing the relevant Subject Access Request form and returning it with identification. This service is free.
The UK General Data Protection Regulation and Data Protection Act 2018 aims to improve your rights.
The Act says that organisations collecting and holding personal information must be open and clear about how it is to be used and with whom it is shared.
By law we must maintain a record of the data processing activities we are responsible for. This is contained in our Record of Processing Activities.
As a Data Subject you have the right of access to the personal data held about you by your council.
In general, personal information will only be given to an individual, and then only with appropriate identification. In addition, requests for information about a person other than yourself may be rejected except in some situations e.g.:
We aim to provide as much information as we can.
Under the Data Protection laws, we must respond to your request within one month. This time period does not start until we have received all information required to process your request.
If you wish to complain about the way your request has been processed you must first complain to us through our complaints procedure. If you have followed our complaints procedure and are still not satisfied, then you can take your complaint to the Information Commissioner.
All personal information held by us is kept securely and is only released in accordance with the UK General Data Protection Regulation and Data Protection Act 2018.
Partner organisations, contractors and any personal data processors must ensure that information security adheres to the council's standards.
We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for; auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative - a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the UK General Data Protection Regulation and Data Protection Act 2018.
Data matching by the Cabinet Office is subject to a Code of Practice.
Further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
In addition, the council may work with and share personal information with fraud prevention agencies such as Cifas, who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.
Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights.
For further information on data matching at the council contact our Head of Internal Audit.