Name: Data Protection Act 2018
Description: Subject access rights data protection act 1998
Skip to content Accessibility access to: Home page Accessibility access to: Accessibility

Data Protection Act 2018

Data Subject Rights

Our Corporate Privacy Notice describes in general terms the personal data we collect and/or create about you. It explains how we use information about you and how we protect your privacy.

'Data Protection Legislation' means the General Data Protection Regulation (EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time and any successor legislation to the GDPR or the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner

Dartford Borough Council of Civic Centre, Home Gardens, Dartford, Kent DA1 1DR is the Data Controller and is committed to protecting the rights of individuals in line with the Data Protection Legislation and is responsible for deciding how it holds and uses personal information about you.

Marie Kelly-Stone, Civic Centre, Home Gardens, Dartford, Kent DA1 1DR: is the Council's Data Protection Officer overseeing compliance with the Data Protection Legislation and making sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer: dataprotection@dartford.gov.uk Please do not use this email address to make a freedom of information request - instead, refer to our freedom of information guidance and contact our FOI team.

Our Personal Information Promise  PDF, 105.36 KB lists a number of our key commitments to protect your personal information.

Our Data Retention & Disposal Policy  PDF, 1301.24 KB - even if we collect and use personal data fairly and lawfully, we cannot keep it for longer than we actually need it. The Data Protection Legislation does not set specific time limits for different types of data. Unless there are legal or regulatory requirements to retain data for a specific period, it is up to us to agree our retention periods, which will depend on how long we need the data for our specified purposes.

We are a joint data controller with Sevenoaks District Council for the delivery of services relating to Business Rates (NNDR), Council Tax, Environmental Health, Fraud Prevention & Detection and Internal Audit. Retention periods relating to Environmental Health and Internal Audit are published by us. Sevenoaks District Council does not publish its retention periods in a single place for Council Tax and Fraud Prevention & Detection. Requests for retention periods relating to these services are to be made to data.protection@sevenoaks.gov.uk

DATA SUBJECT RIGHTS - PROCEDURAL GUIDELINES

Our procedures for the exercise of your data subject rights - you have certain rights in respect of your personal data. When we process your personal data, we will respect those rights. These guidelines provide a framework for responding to requests to exercise those rights in accordance with Data Protection Legislation.

Your rights

  • Right to access your personal information known as subject access rights (SARs)
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automatic decision making and profiling

Proving your identity and address - Before we respond to a request from you to exercise any of your rights, we may ask you to prove your identity and address. We will only request information that is necessary to confirm who you are. The key to this is proportionality. We will take into account what data we hold, the nature of the data, and what we are using it for.

We will let you know without undue delay and within one calendar month of receipt of your request, that we need more information from you to confirm your identity. We do not need to comply with your request until we have received the additional information. We will notify you of our reasons for not taking action in respect of your request, your right to make a complaint to the ICO and  your ability to seek to enforce your rights through a judicial remedy.

Documents to prove your identity and address -  Two forms of identification - one which confirms your identity and one which confirms your current address. Please provide one document from each list below. Photocopies are acceptable.

If you are a representative applying on behalf of the data subject, you must provide written proof of authorisation and two forms of identification, one which confirms the data subject's identity and one which confirms  their current address.

If you are applying on behalf of a child or young person (under 13 years of age), you must provide proof that you hold parental responsibility and two forms of identification, one which confirms the child's/young person's identity and one which confirms their current address. If you are applying on behalf of a child/young person aged 13 years and older, please see the guidance on children & young persons below.

Acceptable proof of identity:

  • Copy current passport
  • Copy birth certificate
  • Copy current photo card driving licence (full or provisional)

Acceptable proof of current address:

  • Copy utility bill dated within the last three months
  • Copy council tax bill for current year
  • Copy bank statement dated within the last three months
  • Copy benefits agency/state pension correspondence (on letterhead) dated within the last three months

To help us find the information we hold we may need:

  • Your full name and date of birth
  • Your address and previous addresses, if they are relevant
  • Details of any services within the Council with whom you have had dealings
  • Details of any reference numbers or names of staff that you have had contact with as this will help us find all the information we have.

CHILDREN AND YOUNG PERSONS - we consider that children aged 13 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown. A child/young person aged 13 years or older may consent to their personal data being processed. Even if a child/young person is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong to anyone else, such as a parent or guardian. So it is the child/young person who has a right of access to the information held about them, even though in the case of children/young people under 13 years of age, these rights are likely to be exercised by those with parental responsibility for them.

If a child/young person is competent then, just like an adult, they may authorise someone else to act on their behalf.This could be a parent, another adult, or a representative such as a child advocacy service, charity or solicitor. We will only allow a third party to exercise subject access rights on behalf of a child/young person aged 13 years or older if the child/young person authorises them to do so, when the child/young person does not have sufficient understanding to exercise the rights him or herself, or when it is evident that this is in the best interests of the child/young person.

How does this work in practice? –  if we are satisfied that the child/young person is not competent and that the person who has approached us holds parental responsibility for the child/young person, then it is usually appropriate to let the holder of parental responsibility exercise the child’s/young person’s rights on their behalf. The exception to this is if, in the specific circumstances of the case, we have evidence that this is not in the best interests of the child/young person.

If we are confident that the child/young person can understand their rights, then we will usually respond directly to the child/young person. We may, however, allow the adult with parental responsibilty to exercise the child’s/young person’s rights on their behalf if the child/young person authorises this, or again if it is evident that this is in the best interests of the child/young person.

What matters to us is whether the child/young person is able to understand and deal with the implications of exercising their rights. So for example, does the child/young person understand what it means to request a copy of their data and how to interpret the information they receive as a result of doing so?

When considering borderline cases, w will take into account, among other things:

  • where possible, the child’s/young person’s level of maturity and their ability to make decisions like this;
  • the nature of the personal data;
  • any court orders relating to parental access or responsibility that may apply;
  • any duty of confidence owed to the child/young person;
  • any consequences of allowing those with parental responsibility to exercise the child’s/young person’s rights. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child/young person if individuals with parental responsibility cannot access this information; and
  • any views the child/young person has on whether those with parental responsibility should have access to information about them.

HOW TO EXERCISE YOUR RIGHTS


1. SUBJECT ACCESS REQUEST (SAR) - You have the right to find out what information we hold about you.

Who is entitled to personal information? - In general, personal information will only be given to you and then only with appropriate identification (see above). Requests for information about a person other than yourself will be refused, except for the following common situations:

  • If you are a parent of a child under 13, you may request information about your child, but there is no automatic right to your child's personal information;
  • A solicitor may request information on your behalf.

How can you find out what information is held about you? - You must make your request in writing either by letter, e-mail or online. Someone else can make a request on your behalf only if we have your permission in writing.

Although not compulsory for you to use, a standard form can make it easier both for us to recognise a SAR and for you to include all the details we might need to locate the information you want. We invite you to submit your SAR using this on-line form PDF, 185.21 KB. Alternatively, download the completed form and email together with scanned copies of your proof of identity and address to: dataprotection@dartford.gov.uk or post to:

Data Protection Officer
Civic Centre
Home Gardens
Dartford
Kent DA1 1DR

If you find it difficult to communicate in writing, we will accept a verbal SAR. If your SAR is complex, we will document it in an accessible format (braille, large print, email or audio) and send it to you to confirm the details.

We will not respond to a subject access request until we have confirmed your identity and address.

When you can expect a response from us - Unless an exemption applies, we will provide you with a copy of your personal information in a commonly used electronic form (unless you either did not make the request by electronic means or have specifically requested not to be provided with the copy in electronic form) without undue delay and generally within one month of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay. If your SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request. If we are not going to respond to your SAR, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


2. REQUEST TO RECTIFY PERSONAL DATA

Personal information is inaccurate if it is incorrect or misleading as to any matter of fact. You have the right to have your inaccurate personal information rectified. Rectification can include having incomplete personal information completed, for example, by you providing a supplementary statement regarding the information. Where such a request is made, we will, unless an exemption applies, rectify the personal information without undue delay and generally, within one month of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay.We may refuse to deal with a request for rectification where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request for rectification, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


3. REQUEST FOR THE ERASURE (right to be forgotten) OF PERSONAL DATA

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request for example, where we are under a legal obligation to process your personal information in order to perform a task in the public interest. You have the right to have personal information erased and to prevent processing in specific circumstances:

  • where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • when you withdraw consent;
  • when you object to the processing and there is no overriding legitimate interest for continuing the processing;
  • the personal information was unlawfully processed (ie: otherwise in breach of the GDPR);
  • the personal information has to be erased in order to comply with a legal obligation.

Where such a request is made, we will, unless an exemption applies, comply with your request without undue delay and generally, within one month of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


4. REQUEST TO RESTRICT PROCESSING OF PERSONAL DATA

You have the right to restrict processing of your personal information in certain circumstances. Where processing is restricted we are permitted to store your personal information, but we may not process it further. We can retain just enough information about you to ensure that the restriction is respected in future. The right to restrict arises in the following cases:

  • where you contest the accuracy of your personal information, we may restrict the processing until we have verified the accuracy of the personal information;
  • where you have objected to the processing (where it was necessary for the performance of a public interest task) and we are considering whether our legitimate grounds override yours;
  • when processing is unlawful and you have opposed erasure and requested restriction instead;
  • if we no longer need your personal information but you require the personal information to establish, exercise or defend a legal claim.

Where this right applies, we will comply with your request without undue delay and generally, within one month of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


5
. REQUEST FOR DATA PORTABILITY

You have the right to obtain from us and reuse your personal information for your own purposes where you have provided the information to us yourself, where we process the information by automated means (excluding paper files) and where our basis for processing is based on consent or contract. Where this right applies we will provide you with your personal information in a structured, commonly used and machine readable form.

We will consider the technical feasibility of a transmission on a request by request basis. The right to data portability does not create an obligation for us to adopt or maintain processing systems which are technically compatible with other systems. Where this right applies, we will comply with your request without undue delay and generally, within one month of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


6. OBJECTING TO THE PROCESSING OF PERSONAL DATA

You have a right to object to:

  • processing based on the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Where the objection is to processing your personal information for direct marketing purposes, we must stop processing your personal information when we receive your objection. Where the objection is to processing your personal information for the performance of a public interest task we must stop processing your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or, the processing is for the establishment, exercise or defence of legal claims. Where the objection is to processing your personal data for research purposes, we do not have to comply with your objection where the processing of your personal information is necessary for the performance of a public interest task. We will generally respond to your objection without undue delay and generally within one month of your objection. If the objection is complex, or there are a number of objections, we may extend the period for responding by a further two months. If we extend the period for responding, we will inform you within one month of receipt of your objection and explain the reason for the delay.

We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.


7. REQUEST RELATING TO AUTOMATED DECISION MAKING & PROFILING

You have three rights in relation to automated decision taking:

  • The first is the right to prevent such a decision being taken. We must not take an automated decision if you have given notice in writing asking us not to;
  • The second right applies where no such notice has been given. We must inform you we have taken an automated decision as soon as practicable in the circumstances;
  • The third right relates to the options available to you on receiving this information. If you are unhappy that an automated decision has been taken, you have 21 days to ask us to reconsider the decision or to take a new decision on a different basis. In most cases, both these options are likely to involve a review of the automated decision by us.

We will notify you of our decision and your right to make a complaint to the ICO and your ability to seek to enforce your rights through a judicial remedy.

However, these rights do not apply where our automated decision making is:

  • authorised or required by legislation; or
  • taken in preparation for, or in relation to, a contract with you; and
  • you give us explicit consent; or
  • where we take steps to safeguard your legitimate interests, by allowing you to appeal the decision.

For further information on your rights, please visit the Information Commissioner's website www.ico.org.uk

Last Updated: 13th December 2018 Print Link

Share Facebook Share Twitter