Data Protection Policy
Data Subject Rights
Right to be Informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. Section 4.1 on Data Sources, Section 4.3 on Privacy Notices and Appendix C provide further information on compliance with this right.
Right of Access (Subject Access Request)
If an individual makes a request relating to any of the rights listed, Pembrokeshire County Council will consider each request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.
Data Subjects are entitled to obtain, based upon a request made to the Access to Records Team and upon successful verification of their identity, the following information about their own Personal Data:
Confirmation as to whether or not personal data concerning him or her is being processed. Where that is the case, access to the personal information as defined below:
- The purposes of the collection, processing, use and storage of their personal data;
- The source(s) of the personal data, if it was not obtained from the Data Subject;
- The categories of personal data stored for the Data Subject;
- The recipients or categories of recipients to whom the personal data has been or may be transmitted, along with the location of those recipients;
- The envisaged period of storage for the personal data or the rationale for determining the storage period;
- The use of any automated decision-making, including profiling;
- The right of the Data Subject to:
  - Object to processing of their Personal Data;
  - Lodge a complaint with the Information Commissioner’s Office;
  - Request rectification or erasure of their personal data;
  - Request restriction of processing of their personal data.
All requests received for access to personal data must be directed to the Access to Records Team in accordance with the Subject Access Request Procedure. Under NO circumstances should this procedure be circumvented and failure to comply will result in disciplinary action.
It should be noted that situations may arise where providing the information requested by a Data Subject would disclose Personal Data about another individual which will need to be redacted.
The Access to Records Team are trained in handling requests and identifying third party data and are equipped with the redaction software to assist with this process, which is why it is essential that all requests are processed by the Access to Records Team.
Right to Rectification
Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Requests must be recorded on the customer’s primary record and processed within one calendar month. Retaining records of the date the request was received, who received it and how (e.g. email, letter, telephone call) and when actioned, will fulfil the accountability requirement.
In certain circumstances a request for rectification can be refused. For example, there may be a record maintained of an error: while it would be appropriate to correct an error, it would also be appropriate to keep a record that the error had been corrected. If an individual requested that the record of the error be removed, this could be refused, as the record that the error occurred is in itself accurate. In certain circumstances, an individual may dispute the accuracy of a professional opinion; however, this is an opinion and in itself is subjective. As long as the record clearly records that it is an opinion and whose opinion it is, this would constitute an accurate record.
Right to Restrict Processing
This is not an absolute right and only applies in certain circumstances, e.g. the accuracy of the data is being contested, the data has been unlawfully processed, the individual has objected to processing and the legitimate grounds for processing are being considered.
When processing is restricted, the data can be stored but not used. Information Asset Owners will be responsible for ensuring that there are appropriate safeguards within their systems to enable the restriction of processing.
Right to Erasure
This is also known as ‘the right to be forgotten’. Individuals can make the request for erasure verbally or in writing, and the request must be responded to within one calendar month. The right to erasure only applies in certain circumstances:
- The personal data is no longer necessary for the purpose for which it was originally collected or processed;
- The legal basis for processing is ‘consent’;
- The legal basis for processing is ‘legitimate interests’, the individual objects to the processing and there is no overriding legitimate interest to continue this processing;
- The processing is for direct marketing purposes and the individual objects to that processing;
- The personal data has been processed unlawfully;
- Compliance with a legal obligation;
- The personal data has been processed to offer information society services to a child.
There is an emphasis on the right to have personal data erased if the request relates to data collected from children. This reflects the enhanced protection of children’s information, especially in online environments, under the UK GDPR.
If the personal data has been disclosed to others, each recipient must be contacted and informed of the erasure, unless this proves impossible or involves disproportionate effort. If asked to do so, you must inform the individual about these recipients.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right will mainly apply to utility service providers, banking and mobile phone providers and is unlikely to apply to services provided by the Council. The right only applies to information provided to the Council.
Right to Object
The UK GDPR gives individuals the right to object to processing of their personal data in certain circumstances. Individuals have the absolute right to stop their data being used for direct marketing.
An individual can object where one of the following lawful bases is being relied on:
- ‘public task’ (for the performance of a task carried out in the public interest);
- ‘public task’ (for the exercise of official authority vested in the Council); or
- ‘legitimate interests’.
An individual must provide a specific reason why they are objecting to the processing of their data. In these circumstances, this is not an absolute right, and processing can continue if:
- The Council can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- The processing is for the establishment, exercise or defence of legal claims.
Individuals must be informed of their right to object. If an objection is received it must be responded to within one calendar month. The rationale for the decision must be clearly recorded and communicated to the individual. If the objection is refused the individual must be notified of their right to make a complaint to the ICO.
Rights Related to Automated Decision-Making Including Profiling
The UK GDPR has provisions on:
- Automated individual decision-making (making a decision solely by automated means without any human involvement); and
- Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The UK GDPR has additional rules to protect individuals where solely automated decision-making is being undertaken that has a legal or similarly significant effect on them. This type of decision-making can only be undertaken where the decision is:
- Necessary for the entry into or performance of a contract; or
- Authorised by Union or UK law; or
- Based on an individual’s explicit consent.