3. Your data rights
We are required to keep personal data according to a number of data protection principles. In general these require us to:
- Process data fairly and lawfully, and to identify a condition of processing. Different conditions apply to the processing of sensitive personal data;
- Obtain data only for one or more specified purposes and not process incompatibly with that purpose;
- Ensure the data collected is adequate, relevant and not excessive in relation to its purpose(s);
- Ensure data is accurate and kept up to date;
- Keep data for no longer than necessary for the purpose(s);
- Process data in accordance with the your rights
- Keep the data secure;
- Not transfer the data to a country outside the European Economic Area which doesn't have adequate data protection rules, unless certain conditions apply (eg you have consented).
We are committed to comply with the data protection principles wherever applicable and to comply with its other legal obligations.
You (the data subject) have a number of rights although there are a number of exceptions and exemptions. In particular, the range of rights is narrower in relation to certain manual data and transitional provisions apply to such data. Subject to these, you are entitled:
- To be informed whether personal data about you is being processed. If it is, you are entitled to a description of the data, the purposes for which the data is being processed and the recipients to whom the data may be disclosed (section 7 of the Act);
- To have your personal data kept in accordance with the Data Protection principles, to the extent not covered above;
- To prevent by notice any processing, by us, of your personal data which is likely to cause unwarranted and substantial damage or substantial distress (section 10 of the Act);
- To prevent or stop by notice your personal data from being used for direct marketing of products or services (section 11);
- To prevent by notice a decision being taken by us which significantly affects you, based solely on automatic processing of data (section 12);
On application, to have inaccurate personal data about the you corrected or erased or, if there is a disagreement with the us over its accuracy, to have your views recorded (section 14); and
- In an extreme case, to receive compensation for damage (and in some cases for distress) where processing of your personal data has not been in compliance with the Act (section 13).
In relation to a notice or application by you, as outlined above, we will respond promptly and in accordance with the statutory deadlines which are prescribed.
To be lawful we must ensure we are working within our powers as established by administrative law and aren't contravening any other law such as the Human Rights Act 1998 or the common law duty of confidence.
In accordance with the first data protection principle (except in a rare instance where an exemption may apply) the processing of data must take place in line with one or more of a series of conditions. In some cases this may be that you have given you consent; in other cases we may be required, or enabled, to process the information under another condition without your consent (eg where we are required to do so by another statutory requirement, or for the administration of justice).
Sensitive data, including personal data in areas such as ethnic origin, is to be treated with special care. If no other condition applies (and there is no exemption), your explicit consent is needed for the processing of such data. No definition of such consent is given in the Act. From legal guidance produced by the Information Commissioner, we take this to mean that your consent should be absolutely clear. In appropriate cases, it should cover the specific detail of:
- The processing;
- The type of data to be processed (or even the specific information); and
- The purposes of processing and any special aspects which may affect the individual (eg disclosures which may be made).
You may write to us to clarify whether personal data about you is being held or used by us or held or used on our behalf. There is a fee (current maximum £10) and we have up to 40 days in which to reply, once the fees has been received and we are satisfied as your identity - we may require proof of identity in order to protect the confidentiality of records, or appropriate information to enable us to locate the information which is sought .
Unless an exemption applies, if data is held by us, you are entitled, within the 40 day period, to a description of the data, our purposes in holding it and to whom the data is or may be disclosed. If you want a permanent copy we must communicate the data to you in an intelligible form (usually by including an explanation) together with any information available as to the source. Where disclosing data would necessarily involve revealing data about third parties, we may not be required to disclose the data we hold (or all of the data) and will seek a reasonable balance within the Act between the rights and interests concerned.
In certain circumstances particular conditions for processing or exemptions from data protection rules will apply. For example, under special rules for education records, we are prevented from disclosing to a pupil any information which would be likely to cause serious harm to their physical or mental health, or to anyone else. A similar exemption applies where parents exercise their separate right of access to their children's records under education legislation. Queries about data protection matters concerning schools should be made to the school in the first instance.
Where exemptions apply, some or all of your subject access rights or other data protection rights listed above, may not apply. In the case of data processed with a view to preventing or detecting crime, for example, we are not required to give access to the data subject where disclosure would be likely to prejudice such prevention or detection.
We are included in the register of data controllers maintained by the Information Commissioner under section 18 of the Act. Our notification may be accessed via the Data Protection Public Register by inserting registration number Z6351745.
Privacy on our website
If you register online with us you can expect the following:
- To be informed if your personal data is transferred to a third party, on the basis that no such transfer will take place other than in accordance with the requirements of the Act;
- To receive occasional emails from us on matters which we consider may be of interest to you, but for such email contact to cease on request;
- Your visit to the site will be recorded for the purposes of our statistical monitoring of the usage of the site.
Last updated: 16 January 2017