Data Protection

Introduction

Principles of processing personal information

The Information Commissioner, who oversees compliance and promotes good practice, requires all organisations, and individuals, who process personal data, to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This data protection legislation includes 6 principles that requires personal data to be:

processed lawfully, fairly and in a transparent manner in relation to individuals; privacy notices must be issued when data is collected to let individuals know why their information is needed, what it will be used for and who it will be shared with.
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Subject Access Requests

Under the GDPR, individuals have the right to obtain:

confirmation that their data is being processed; and
access to their personal data

Under the new legislation there is no longer a fee for dealing with a subject access request. However, you may be charged a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. You may also be charged a reasonable fee to comply with requests for further copies of the same information.

Identification needs to be provided.

Replies to requests should be provided without delay, and within one month from receipt of the request. This timescale can be extended by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the council has the right to refuse to respond.

Application Process

Please download and complete our 'Access to record form'. (PDF, 94.22 KB, 6 pages)
Proof of name and address and if you have changed your name, copies of the relevant documents will be needed.
Further instructions regarding the documentation we will need from you are listed within the application form.
Once completed you will need to send the form with all relevant documents to: Corporate Information Unit, Isle of Wight Council, Legal Services, County Hall, Newport, Isle of Wight, PO30 1UD

Individual’s rights

In addition to the right of access, the GDPR provides the following rights for individuals:

The right to be informed.
The right of access.
The right to rectification.
The right to erasure.
The right to restrict processing.
The right to data portability.
The right to object.
Rights in relation to automated decision making and profiling.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the council has the right to refuse to respond.

If you wish to obtain further details on these rights, please visit the information commissioner's office (ICO) website.

Data Protection Breaches/complaints

If the individual believes that the council has not acted in accordance with data protection legislation, and/or they believe their rights have been breached, they may complain in writing to the Data Protection Officer.

Address:

Data Protection Officer
Corporate Information unit
Isle of Wight Council
County Hall
Newport
Isle of Wight
PO30 1UD

Email: dpo@iow.gov.uk

If the individual remains dissatisfied they are able to complain to the Information Commissioner.

Address:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Sharing Personal Data

The Corporate Information Unit (CIU) also coordinates requests for personal information including from other agencies such as the police, other local authorities and partner agencies. This is to ensure that there is a justified reason to share the information, to apply consistency and for audit purposes. CIU will then contact the relevant department/s to discuss access to relevant information.

CIU consists of the following members of staff:

Principal Lawyer.
Senior Information Management Officer.
3 x Information Access Officers.

Further details relating to data protection laws can be found at the Information Commissioners Office (ICO) website at www.ico.org.uk.

Further information relating to how the council handles your personal data can be found on the council’s website at www.iwight.com/privacy and council services individual web pages, or by writing to the Corporate Information Unit.