Your rights to information about you
Under the Data Protection Act 1998 individuals have rights of access to personal data, processed by the Council, which relates to them. "Personal data" are information about living individuals who can be identified from the data or from the data and other information which the Council possesses. Personal data include information held on computer or on paper, and images, including photographs and CCTV footage. "Processing" covers most things that can be done with data, including, collecting data, keeping data on a file, using data to make a decision, disclosing data to someone else and destroying data.
Your rights are:
- To be told whether the Council is processing your personal data; and if so,
- To be given a description of:
- the personal data;
- the purposes for which it is being processed;
- those to whom it may or is being disclosed; and
- To be told in an intelligible manner:
- all the information which makes up the personal data;
- any information as to the source of the data.
- Where a significant decision is taken by fully automated means, to be told the logic of the process involved.
- To receive a copy of the all the information which makes up your personal data which exists at the time that you make a request for subject access.
These are called "Subject Access Rights".
How to make a request for subject access
If you want to find out if the Council is processing personal data which relate to you, you can make a request for subject access. When you make a request you can ask for all the personal data processed by the Council relating to you. The Data Protection Act 1998 does not specify how a request for subject access must be made, but it would help us to deal with your request efficiently if you would follow the suggestions below. Please make your request by writing to The Executive Director of Resources via Bury Council.
Please help us to locate your personal data:
- At the very minimum, please include in your letter:
- your current name
- your current address
- details of any specific personal data you are interested in
- If you want to access personal data relating to a specific event, or time, or service, etc. please let us have any information that will help us to find these data, e.g. the name of the department or officer you dealt with, the nature of your business with the Council or the service your received, relevant dates and times.
- If your name or address has changed and you want to access personal data which may include your previous name or address, please let us have details of relevant previous names and addresses.
- If you want access to CCTV footage, please let us have details of the date, time and place where you believe your image was captured on CCTV, and an up to date photograph so that we can identify you. (Please note that unless they are retained in connection with an investigation into a criminal offence, the Council's CCTV tapes are normally re-used after 30 days).
The Council charges a fee of £10 for requests for subject access. Please enclose with your request a cheque for this amount made payable to Bury Council.
Timetable for replying to subject access requests
The Council must respond to your request for subject access within 40 days of receiving your request. However, if you do not provide enough information when you make your request for us to locate your personal data, we may have to write to you for more information. The 40 days would then start from the date on which we received enough information to be able to search for your personal data.
Limits on the right to subject access
In some circumstances, there are limits on the extent to which the Council has to comply with a request for subject access. These include circumstances where:
- The personal data are subject to an exemption contained in the Data Protection Act 1998 which limits subject access rights. For example, if personal data are being processed as part of an investigation into a possible criminal offence and it would damage the investigation if the personal data were disclosed. Confidential references given by the Council are also exempt from the right of subject access.
- The information containing the personal data also contains someone else's personal data and it is not possible to block this out so that we do not disclose that person's personal data to you. The right to subject access only applies to your own personal data and we have to be careful not to wrongly disclose someone else's personal data when we deal with requests for subject access.
- The personal data is included in information which has been given to the Council by someone other than you (a "third party") with an expectation that the Council will keep the information confidential. We would normally need the third party's consent to let you have the personal data.
- You make repeated requests for subject access over a short time period and we have already complied with your request as far as we are obliged to under the Data Protection Act 1998.
Council data protection policy
The Council endorses the objectives of the 1998 Act. This policy is intended to maintain the confidentiality of personal data of individuals held by the Council whether processed on a computer or held in a manual file and also allow access to individuals on information relating to them. This policy is intended to link with other Council policies relating to control of information:
- Information Technology Security Policy and Procedures;
- Personnel Policy.
The Council also shares information under protocols with Police Authority's and other agencies under the Crime and Disorder Act. There are separate arrangements in place for exchange of information under this protocol which appropriate officers have recognised the requirements and obligations of the Data Protection Act 1998. The Council will maintain notification entries with the Office of the Information Commissioner as appropriate. The administrative arrangements for notification will be made through the Council's Data Protection Co-ordinator who is based in the Resources division of the Chief Executive's Department. The Council will in complying with the Act hold the minimum personal data necessary to enable it to perform its functions. Users of personal data will ensure that the notification relating to that data is correct prior to the data being obtained and used. The data will be erased once the purpose for which it was used has finished. Users will make every effort to ensure that the data is accurate and up-to-date and will amend inaccuracies as they are notified. The Council will comply with the Subject Access requirements of the Act. It will provide to any individual making a request the relevant data relating to the individual in an acceptable manner and in a clear and understandable form. A fee of £10 will be charged for this service. Departments will notify the Council's Data Protection Co-ordinator when such requests are received and advice will be given to enable departments to comply with the request.
The Council maintains a number of Public registers that may contain personal data and also identify individuals. The Council will treat such registers in the same way as all other personal data and notify such systems and comply with the subject access requirements. It is recognised however that individuals can access these registers without recourse to the requirements of the Data Protection Act and the data is available to third parties. A list of such registers is available from the Data Protection Co-ordinator. The Council will disclose data in accordance with the provisions of the Act and the Council's notifications. The Council has obligations and duties to supply information, which may contain data relating to individuals, to certain outside agencies such as the Inland Revenue, Customs and Excise, Child Support Agency. Disclosures to these agencies must comply with the statutory or other requirements by which they operate. In most instances there will be other legislation details of which should be obtained to ensure the Council is not disclosing beyond that requirement. Design of new computer systems and amendments to existing systems should comply with the principles of the Data Protection Act so that controls are in place to restrict the access to personal data to system users. Training will be provided to all staff of the Council to ensure they are aware of the requirements of the Act and their personal liabilities.
The Council will require all staff and members to comply fully with this policy and the requirements of the Data Protection Act 1998. Disciplinary action may be taken against any employee who breaches the instructions or procedures contained in this policy or any documents that may be produced as a result of this policy.
Further information can be founds at Bury Council - Data protection and freedom of information.
Complaints about the Council's handling of your request for subject access
If you are dissatisfied with the way the Council has dealt with your request for subject access you are entitled to complain to the Information Commissioner, who is appointed by the Government to oversee the Data Protection Act 1998 and the Freedom of Information Act 2000. The Information Commissioner's address is: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 01625-545700.