GDPR establishes a set of principles governing how personal information must be used. These principles state that:
1. Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
To ensure that East Dunbartonshire Council complies with the terms of the GDPR, a Data Protection Policy has been published and can be viewed in the Documents section of this page. This gives information on the act, the Council’s responsibilities under it and its commitment to it.
Transparency is a key requirement of GDPR. The Council will always ensure that individuals are aware of how their information is used, who will have access to it, how long it will be kept for and what rights they have over their personal information in the Council’s care.
Individuals have the right to access the personal information that the Council holds about them. This can be a request for a copy of the personal data, also known as a Subject Access Request (SAR). The right is however wider, giving individuals the ability to request additional information about the way the information is held.
The Council takes a privacy by design approach to personal information, ensuring that individuals' rights to privacy are built into the Council's use of their personal information from the earliest opportunity.
One aspect of this is the Council's Data Protection Impact Assessment (DPIA). DPIAs are a tool that can help organisations identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy.
It is often necessary for the Council to share personal information. This sharing is carried out in order to meet the needs of individuals or to meet statutory responsibilities. Where the Council shares an individual's personal information with any other organisation, this will be explained through the Council's Privacy Notices. The Council has a process in place to ensure that proposals to share personal information are fair and proportionate to the individual(s) whose information is to be shared.
GDPR is enforced and promoted by the UK Information Commissioner. The Commissioner offers advice and guidance on GDPR and the Data Protection Act 2018 and also investigates complaints regarding possible breaches of GDPR and the 2018 Act.
The UK Information Commissioner is not the same person as the Scottish Information Commissioner, who is responsible for the Freedom of Information (Scotland) Act, but not Data Protection in Scotland.