NB: a number of  websites and apps (the platforms) are offering to submit requests under the Data Protection Act 2018, on behalf of data subjects. These platforms expect data controllers to upload all  data subjects' personal data to their portals. We will not deal with data subjects through these platforms. We will seek to verify that the person making the request via the platform is in fact the data subject, which will involve requesting proof of identity and address directly from the data subject. For further information, see the Informationer's guidance 'Do we have to respond to requests made via a third party online portal?'

Equalities: We are subject to numerous legal duties relating to equalities e.g. race, disability, gender etc.  We  recognise and welcome those duties, which are embraced in our Equality and Diversity Document Framework.

Data Subject Rights:

We have a Data Protection Policy that sets out how your personal  information will be handled.

Our Corporate Privacy Notice describes in general terms the personal data we collect and/or create about you. It explains how we use information about you and how we protect your privacy.

'Data Protection Legislation' means the UK GDPR (derived from the General Data Protection Regulation (EU) 2016/679)) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time and any successor legislation to the UK GDPR or the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner

Dartford Borough Council of Civic Centre, Home Gardens, Dartford, Kent DA1 1DR is the Data Controller and is committed to protecting the rights of individuals in line with the Data Protection Legislation and is responsible for deciding how it holds and uses personal information about you.

The interim Head of Legal Services, Civic Centre, Home Gardens, Dartford, Kent DA1 1DR: is the Council's Data Protection Officer overseeing compliance with the Data Protection Legislation and making sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer: dataprotection@dartford.gov.uk Please do not use this email address to make a freedom of information request - instead, refer to our freedom of information guidance and contact our FOI team.

Our Personal Information Promise lists a number of our key commitments to protect your personal information.

Our Data Retention and Disposal Policy - even if we collect and use personal data fairly and lawfully, we cannot keep it for longer than we actually need it. The Data Protection Legislation does not set specific time limits for different types of data. Unless there are legal or regulatory requirements to retain data for a specific period, it is up to us to agree our retention periods, which will depend on how long we need the data for our specified purposes.

We are a joint data controller with Sevenoaks District Council for the delivery of services relating to Business Rates (NNDR), Council Tax, Fraud Prevention and Detection and Internal Audit. Retention periods relating to Internal Audit are published by us. Sevenoaks District Council does not publish its retention periods in a single place for Council Tax and Fraud Prevention and Detection. Requests for retention periods relating to these services are to be made to data.protection@sevenoaks.gov.uk

DATA SUBJECT RIGHTS - PROCEDURAL GUIDELINES:

Our procedures for the exercise of your data subject rights - you have certain rights in respect of your personal data. When we process your personal data, we will respect those rights. These guidelines provide a framework for responding to requests to exercise those rights in accordance with Data Protection Legislation.

Your rights

  • Right to access your personal information known as subject access rights (SARs)
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automatic decision making and profiling

Putting information beyond use - information that has been deleted with no intention to use or access this again, may still exist in our backup system, waiting to be over-written with other data. This information is no longer live. As such, we are not required to comply with the rights referred to above. In putting information beyond use, if not actually deleted, we undertake:

  • not to attempt to use the personal data to inform any decision in respect of you or in a manner that affects you in any way;
  • not to give any other organisation access to the personal data;
  • to apply appropriate technical and organisational security to the data; and
  • to permanently delete the data if, or when, this becomes possible

Proving your identity and address - Before we respond to a request from you to exercise any of your rights, we may ask you to prove your identity and address. We will only request information that is necessary to confirm who you are. The key to this is proportionality. We will take into account what data we hold, the nature of the data, and what we are using it for.

We will let you know without undue delay and within one calendar month of the date of receipt of your request, that we need more information from you to confirm your identity. We do not need to comply with your request until we have received the additional information. We will notify you of our reasons for not taking action in respect of your request, your right to make a complaint to the ICO and your ability to seek to enforce your rights through a judicial remedy.

Documents to prove your identity and address - Two forms of identification - one which confirms your identity and one which confirms your current address. Please provide one document from each list below. Photocopies are acceptable.

If you are a representative applying on behalf of the data subject, you must provide written proof of authorisation and two forms of identification, one which confirms the data subject's identity and one which confirms their current address.

If you are applying on behalf of a child or young person (under 13 years of age), you must provide proof that you hold parental responsibility and two forms of identification, one which confirms the child's/young person's identity and one which confirms their current address. If you are applying on behalf of a child/young person aged 13 years and older, please see the guidance on children and young persons below.

Acceptable proof of identity:

  • Copy current passport
  • Copy birth certificate
  • Copy current photo card driving licence (full or provisional)

Acceptable proof of current address:

  • Copy utility bill dated within the last three months
  • Copy council tax bill for current year
  • Copy bank statement dated within the last three months
  • Copy benefits agency/state pension correspondence (on letterhead) dated within the last three months

To help us find the information we hold we may need:

  • Your full name and date of birth
  • Your address and previous addresses, if they are relevant
  • Details of any services within the Council with whom you have had dealings
  • Details of any reference numbers or names of staff that you have had contact with as this will help us find all the information we have

CHILDREN AND YOUNG PERSONS - we consider that children aged 13 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown. A child/young person aged 13 years or older may consent to their personal data being processed. Even if a child/young person is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong to anyone else, such as a parent or guardian. So it is the child/young person who has a right of access to the information held about them, even though in the case of children/young people under 13 years of age, these rights are likely to be exercised by those with parental responsibility for them.

If a child/young person is competent then, just like an adult, they may authorise someone else to act on their behalf.This could be a parent, another adult, or a representative such as a child advocacy service, charity or solicitor. We will only allow a third party to exercise subject access rights on behalf of a child/young person aged 13 years or older if the child/young person authorises them to do so, when the child/young person does not have sufficient understanding to exercise the rights him or herself, or when it is evident that this is in the best interests of the child/young person.

How does this work in practice? – if we are satisfied that the child/young person is not competent and that the person who has approached us holds parental responsibility for the child/young person, then it is usually appropriate to let the holder of parental responsibility exercise the child’s/young person’s rights on their behalf. The exception to this is if, in the specific circumstances of the case, we have evidence that this is not in the best interests of the child/young person.

If we are confident that the child/young person can understand their rights, then we will usually respond directly to the child/young person. We may, however, allow the adult with parental responsibility to exercise the child’s/young person’s rights on their behalf if the child/young person authorises this, or again if it is evident that this is in the best interests of the child/young person.

What matters to us is whether the child/young person is able to understand and deal with the implications of exercising their rights. So for example, does the child/young person understand what it means to request a copy of their data and how to interpret the information they receive as a result of doing so?

When considering borderline cases, we will take into account, among other things:

  • where possible, the child’s/young person’s level of maturity and their ability to make decisions like this;
  • the nature of the personal data;
  • any court orders relating to parental access or responsibility that may apply;
  • any duty of confidence owed to the child/young person;
  • any consequences of allowing those with parental responsibility to exercise the child’s/young person’s rights. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child/young person if individuals with parental responsibility cannot access this information; and
  • any views the child/young person has on whether those with parental responsibility should have access to information about them

HOW TO EXERCISE YOUR RIGHTS:


1. SUBJECT ACCESS REQUEST (SAR) - You have the right to find out what information we hold about you.

Who is entitled to personal information? - In general, personal information will only be given to you and then only with appropriate identification (see above). Requests for information about a person other than yourself will be refused, except for the following common situations:

  • If you are a parent of a child under 13, you may request information about your child, but there is no automatic right to your child's personal information;
  • A solicitor may request information on your behalf

How can you find out what information is held about you? - You must make your request in writing either by letter, e-mail or online. Someone else can make a request on your behalf only if we have your permission in writing.

Although not compulsory for you to use, a standard form can make it easier both for us to recognise a SAR and for you to include all the details we might need to locate the information you want. We invite you to submit your SAR using this on-line form. Alternatively, download the completed form and email together with scanned copies of your proof of identity and address to: dataprotection@dartford.gov.uk or post to:

Data Protection Officer
Civic Centre
Home Gardens
Dartford
Kent DA1 1DR

If you find it difficult to communicate in writing, we will accept a verbal SAR. If your SAR is complex, we will document it in an accessible format (braille, large print, email or audio) and send it to you to confirm the details.

Use of online portals to submit a SAR- if we receive a SAR made on your behalf through an online portal, for example a third party that provides services to assist you in exercising your rights, to determine whether we must comply with the SAR, we need to consider if we:

  • have been made aware that you are making a SAR;
  • are able to verify your identity, if this is in doubt;
  • are satisfied the third party portal is acting with the authority of, and on your behalf; and
  • are able to view the SAR without having to take proactive steps, such as paying a fee or signing up to the portal's service.

We are not obliged to take proactive steps to discover that a SAR has been made. Therefore, if we cannot view a SAR without paying a fee or signing up to the portal's service, we have not ‘received’ the SAR and are not obliged to respond. It is the portal’s responsibility to provide evidence that it has your authority to act on your behalf. Mere reference to the terms and conditions of its service will not be sufficient for this purpose. The portal should provide this evidence when it makes the request (ie: in the same way as other third parties).

When responding to a SAR, we are also not obliged to pay a fee or sign up to the portal's service. We will instead, provide the information directly to you. If we have concerns that you have not authorised the information to be uploaded to the portal, we will contact you before we respond. In some cases, we may be unable to contact you directly, for example if we do not have your address details or are otherwise not satisfied with the ID information provided. If this is the case, we will contact the portal to advise them that we will not respond to the request until they have met each of the above requirements and provided evidence that you have agreed to the information being uploaded to the portal. Until then, we have not received a valid SAR and the time limit does not start until we receive it. If we have concerns about supplying the information via the portal for any reason, including security concerns, we will contact you first to make you aware. If you agree, we will send the response to your SAR directly to you rather than to the portal.

Is a fee payable? - In most cases, we cannot charge a fee to comply with a SAR. However, we can charge a ’reasonable fee’ for the administrative costs of complying with a request if:

  • it is manifestly unfounded or excessive; or
  • you request further copies of your information following a request

Alternatively, we can refuse to comply with a manifestly unfounded or excessive request (see below) . For information about when a request may be manifestly unfounded or excessive, please see ‘When can we refuse to comply with a request?’.

When determining a reasonable fee, we can take into account the administrative costs of:

  • assessing whether or not we are processing the information; locating, retrieving and extracting the information; providing a copy of the information; and
  • communicating the response to you, including contacting you to inform you that we hold the requested information (even if we are not providing the information)

A reasonable fee may include the costs of: photocopying, printing, postage and any other costs involved in transferring the information to you (e.g. the costs of making the information available remotely on an online platform); equipment and supplies (eg discs, envelopes or USB devices); and staff time. We will base the costs of our staff time on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. Please refer our Schedule of Charges for further information on our fees.

We will not respond to a subject access request until we have confirmed your identity and address.

We will not respond to a subject access request until you have paid your fee, where applicable.

When you can expect a response from us -& Unless an exemption applies, we will provide you with a copy of your personal information in a commonly used electronic form (unless you either did not make the request by electronic means or have specifically requested not to be provided with the copy in electronic form) without undue delay and generally within one calendar month of the date of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one calendar month of the date of receipt of the request and explain the reason for the delay. If we consider your SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request. If we are not going to respond to yourSAR,we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

2. REQUEST TO RECTIFY PERSONAL DATA:

Personal information is inaccurate if it is incorrect or misleading as to any matter of fact. You have the right to have your inaccurate personal information rectified. Rectification can include having incomplete personal information completed, for example, by you providing a supplementary statement regarding the information. Where such a request is made, we will, unless an exemption applies, rectify the personal information without undue delay and generally, within one calendar month of the date of receipt of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one calendar month of the date of receipt of the request and explain the reason for the delay.We may refuse to deal with a request for rectification where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request for rectification, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

3. REQUEST FOR THE ERASURE (right to be forgotten) OF PERSONAL DATA:

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request for example, where we are under a legal obligation to process your personal information in order to perform a task in the public interest. You have the right to have personal information erased and to prevent processing in specific circumstances:

  • where the personal information is no longer necessary in relation to the purpose for which it was originally collected/processed;
  • when you withdraw consent;
  • when you object to the processing and there is no overriding legitimate interest for continuing the processing;
  • the personal information was unlawfully processed (ie: otherwise in breach of the GDPR);
  • the personal information has to be erased in order to comply with a legal obligation

Where such a request is made, we will, unless an exemption applies, comply with your request without undue delay and generally, within one calendar month of the date of receipt of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one month of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

4. REQUEST TO RESTRICT PROCESSING OF PERSONAL DATA:

You have the right to restrict processing of your personal information in certain circumstances. Where processing is restricted we are permitted to store your personal information, but we may not process it further. We can retain just enough information about you to ensure that the restriction is respected in future. The right to restrict arises in the following cases:

  • where you contest the accuracy of your personal information, we may restrict the processing until we have verified the accuracy of the personal information;
  • where you have objected to the processing (where it was necessary for the performance of a public interest task) and we are considering whether our legitimate grounds override yours;
  • when processing is unlawful and you have opposed erasure and requested restriction instead;
  • if we no longer need your personal information but you require the personal information to establish, exercise or defend a legal claim

Where this right applies, we will comply with your request without undue delay and generally, within one calendar month of the date of receipt of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one calendar month of the date of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

5. REQUEST FOR DATA PORTABILITY:

You have the right to obtain from us and reuse your personal information for your own purposes where you have provided the information to us yourself, where we process the information by automated means (excluding paper files) and where our basis for processing is based on consent or contract. Where this right applies we will provide you with your personal information in a structured, commonly used and machine readable form.

We will consider the technical feasibility of a transmission on a request by request basis. The right to data portability does not create an obligation for us to adopt or maintain processing systems which are technically compatible with other systems. Where this right applies, we will comply with your request without undue delay and generally, within one calendar month of the date of receipt of your request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one calendar month of the date of receipt of the request and explain the reason for the delay. We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

6. OBJECTING TO THE PROCESSING OF PERSONAL DATA:

You have a right to object to:

  • processing based on the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics

Where the objection is to processing your personal information for direct marketing purposes, we must stop processing your personal information when we receive your objection. Where the objection is to processing your personal information for the performance of a public interest task we must stop processing your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or, the processing is for the establishment, exercise or defence of legal claims. Where the objection is to processing your personal data for research purposes, we do not have to comply with your objection where the processing of your personal information is necessary for the performance of a public interest task. We will generally respond to your objection without undue delay and generally within one calendar month of the date of receipt of your objection. If the objection is complex, or there are a number of objections, we may extend the period for responding by a further two calendar months. If we extend the period for responding, we will inform you within one calendar month of the date of receipt of your objection and explain the reason for the delay.

We may refuse to deal with your request where we consider it is manifestly unfounded or excessive or we can charge a 'reasonable fee' to deal with the request. If we are not going to respond to your request, we will inform you of the reason(s) for not taking action and of the possibility of you lodging a complaint with the ICO and your ability to seek to enforce your right though a judicial remedy.

7. REQUEST RELATING TO AUTOMATED DECISION MAKING and PROFILING:

You have three rights in relation to automated decision taking:

  • The first is the right to prevent such a decision being taken. We must not take an automated decision if you have given notice in writing asking us not to;
  • The second right applies where no such notice has been given. We must inform you we have taken an automated decision as soon as practicable in the circumstances;
  • The third right relates to the options available to you on receiving this information. If you are unhappy that an automated decision has been taken, you have 21 days to ask us to reconsider the decision or to take a new decision on a different basis. In most cases, both these options are likely to involve a review of the automated decision by us

We will notify you of our decision and your right to make a complaint to the ICO and your ability to seek to enforce your rights through a judicial remedy.

However, these rights do not apply where our automated decision making is:

  • authorised or required by legislation; or
  • taken in preparation for, or in relation to, a contract with you; and
  • you give us explicit consent; or
  • where we take steps to safeguard your legitimate interests, by allowing you to appeal the decision

For further information on your rights, please visit the Information Commissioner's website

Corporate Privacy Notice

Our Corporate Privacy Notice explains how we use information about you and how we protect your privacy.

Kent and Medway Information Sharing Agreement

We are a group of local authorities and other public bodies who have joined together with charities and other organisations in an Information Sharing Agreement.

Councillor Commitment to Data Protection

Borough Councillors are Data Controllers for the purposes of processing personal information in their dealings with local constituents and others.