Data protection explained

Why does data protection matter?

Data protection laws giving confidence to individuals that their personal data will be treated appropriately and that it will not be misused. The council and its staff have a duty to protect data and treat information securely.

They protect personal data that is data about living identifiable individuals.

The Data Protection Act 2018 was updated following a new European Union Regulation, the General Data Protection Regulation (GDPR). Because GDPR is a regulation it is automatically applied in all EU member states from the 25 May 2018, the UK was part of the EU at the time. In the UK we are interested in both GDPR and the Data Protection Act 2018.

Data protection laws reinforce common sense rules regarding information handling which most organisations, including East Riding of Yorkshire Council, would try to follow anyway.  

Read more information about GDPR and the Data Protection Act 2018.

The council has a data protection policy in place to ensure it acts in accordance with data protection laws.

What are the council’s obligations under the Act?

There are 6 core principles governing the use of personal information which the council must comply with.  In addition there is also a requirement to demonstrate compliance with the 6 principles. 

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner.

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Personal data shall be adequate, relevant and limited to what is necessary.

Accuracy

Personal data shall be accurate and, where necessary, kept up-to-date.

Storage limitation

Personal data shall be kept in a form which permits identification for no longer than is necessary.

Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security, including unauthorised or unlawful processing and protection against loss or destruction and/or damage.

The principles are in essence a code of good practice for processing personal data.

Under the requirements of the Data Protection Act, businesses and organisations that handle personal data must register with the ICO as Data Controllers, unless they are exempt.

The council is registered with the ICO, our registration number is Z5968256.

Who can I contact if I need further information?

The council has a Data Protection Officer (DPO) whose role it is to monitor internal compliance, inform and advise on the council’s data protection obligations and provide advice regarding Data Protection Impact Assessments (DPIAs).

The council’s DPO is supported by the council’s Data Protection and Feedback Team. To ensure the council is compliant we have a number of policies and procedures in place in relation to data protection. We also ensure we train all of our staff on data protection matters.

If you want to contact the DPO or data protection and feedback team use the details below:

Email:  data.protection@eastriding.gov.uk 

Tel: (01482) 391419.

A translation service is also available. Requests for assistance can be made at any of the council's customer service centres.

How does the council identify privacy risks?

The council is committed to ensuring that privacy is considered from the start of any project or change in the way we do things. We also ensure that your privacy is taken into account and personal information is handled with the utmost care. This principle of building privacy/data protection into the way we work is often referred to as ‘privacy by design’. 

The council carries out Data Protection Impact Assessments (DPIAs), a process to help you identify and minimise the data protection risks. These DPIAs are a way of recording action taken to minimise risk and ensure that privacy risks are reduced. The council has a record of every DPIA it undertakes and they are built into our internal processes to ensure they take place.

The table below provides a list of all Stage 2 DPIAs completed:

What if something goes wrong?

If you think something has gone wrong and there has been a data protection breach you should contact the data protection and feedback team:

Email: data.protection@eastriding.gov.uk 

Tel: (01482) 391419.

What is a personal data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Remember personal data is data which relate to a living individual who can be identified.

In the unlikely scenario something does go wrong the council has processes in place to deal with this type of thing, so please contact us in the first instance on the details above. 

If appropriate we will also notify the Information Commissioner's Office (ICO) (external website).

What do I do if I'm not happy with how the council has used my information?

The first thing you should do is contact the council so we can look into your concerns.

Following this, if you remain unhappy, it is the ICO is responsible for upholding your rights, ensuring the council is open and protects people’s privacy.

Part of the role of the ICO is to take action to ensure we meet our information rights obligation. This includes monetary penalties and fines, enforcement notices and other actions including criminal prosecutions we may be subject to.  

Read more about the role of ICO:

The Information Commissioner's Office (ICO) (external website)

ICO address:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF.

ICO helpline: 0303 123 1113 or (01625) 545745.