General Data Protection Regulation (GDPR)
On 25 May 2018 the General Data Protection Regulation (GDPR) came into force across all the member states of the European Union. Along with the Data Protection Act 2018, the new legislation sets out the obligations on how the Council uses personal information.
To provide services and carry out our statutory duties, East Dunbartonshire Council must gather personal information about residents, employees and other individuals. This personal information, however it is acquired and used, must be done so lawfully, fairly and transparently.
Principles of Data Protection
GDPR establishes a set of principles for the way that personal information must be used. These state that:
1. Personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Data Protection Policy
To ensure that East Dunbartonshire Council complies with the terms of the GDPR, a Data Protection Policy has been published and can be viewed in the Documents section of this page. This gives information on the act, the Council’s responsibilities under it and its commitment to it.
Data Subjects' Rights
GDPR provides individuals with a set of rights. These rights are:
- Right to be informed
- Right of Access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making including profiling
The Council has produced a Guide for individuals on their rights which can be viewed in the Documents section of this page.
Right to be informed
Transparency is a key requirement of GDPR. The Council will always ensure that individuals are aware of how their information is used, who will have access to it, how long it will be kept for and what rights they have over their personal information in the Council’s care.
Right of Access
Individuals have the right to access the personal information that the Council holds about them. This can be a request for a copy of the personal data, also known as a Subject Access Request (SAR). The right is, however, wider, giving individuals the ability to request additional information about the way the information is held.
Privacy by Design
The Council takes a privacy by design approach to personal information, ensuring that the right of individuals to privacy is built into the Council’s use of their personal information from the earliest opportunity.
One aspect of this is the Council’s Data Protection Impact Assessment (DPIA). DPIAs are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy.
It is often necessary for the Council to share personal information. This sharing is carried out in order to meet the needs of individuals or to meet statutory responsibilities. Where the Council shares an individual’s personal information with any other organisation, this will be explained through the Council’s Privacy Notices. The Council has a process in place to ensure that proposals to share personal information are fair and proportionate to the individual(s) whose information is to be shared.
GDPR is enforced and promoted by the UK Information Commissioner. The Commissioner offers advice and guidance on GDPR and the Data Protection Act 2018 and also investigates complaints regarding possible breaches of GDPR and the 2018 Act.
The UK Information Commissioner is not the same person as the Scottish Information Commissioner, who is responsible for the Freedom of Information (Scotland) Act, but not Data Protection in Scotland.