Data Protection Act
A Five Minute Guide for Frontline Staff
- The Act gives the public rights to know what information is stored by the Council about them.
- The Act puts responsibilities on all Council employees to make sure that they handle personal information responsibly and protect the privacy of individuals.
- A lot of the Act is common sense. If you are in doubt about what to do in any situation, ask yourself:
"If this was my personal information, how would I expect the Council to look after it?"
What information does the Act cover?
The Act covers personal information relating to individuals, however it is stored, i.e. on computer, fiche, paper, e-mail and any other storable media.
What rights do people have?
- to ask the authority if it holds personal information about them
- to ask what it uses the information for
- to be provided with a copy of the information
- to be given details of the purposes for which the authority uses the information
- to ask for incorrect data to be corrected
It is good practice when taking information from people to explain why you are taking personal information, where and for how long it will be stored, what the information will be used for and the rights of access that they have to this information. (You may be familiar with the "Data Protection Clause" which appears on literature from banks, building societies and other public bodies.) Here is a suggested statement you may want to consider using for your service when taking information from people.
The Council will use the information about you on this form to [detail of service / function] e.g. assess your housing needs.
The Council delivers a range of services for the benefit of you and the local community. The personal information you provide may be shared between Council departments and other agencies where we are legally required to do so.
We have a duty to handle this information responsibly and to respect your privacy. Read our Data Protection Policy.
Sometimes you will receive information about an individual from another public body or agency. In this situation you should check that this body has authority under the Data Protection Act to provide you with this information or that the consent of the individual has been sought.
Occasionally you may wish to obtain the specific consent of an individual before you use their personal information, e.g. where you plan to use their personal information for a purpose unrelated to the Council’s normal functions. View or download a form of consent (MS Word document).
You should only store personal information for as long as you need to. This information should be kept in a secure place and should be organised in such a way that it is easy to retrieve information held about individuals.
Where you may be asked for statistical information or records about your service you should also be able to provide this without identifying individuals or disclosing personal information.
In general, people have a right to see what information is held by the Council about them. They should make the request in writing and their identity should be checked (to make sure that you are not giving out someone's personal information to another person). They must also meet the cost up to £10. The request must be dealt with within 40 days. Generally, requests can be dealt with by individual departments. Sometimes a request can cover different departments and you may wish it to be dealt with centrally. Please contact the Data Protection Officer in this instance.
There are a number of important exceptions to the general right of people to see personal information held about them:-
- Where dealing with the request would involve excessive time / expense.
- Where the information includes sensitive personal information and disclosing this may harm the individual.
- Where the information is required for crime prevention or taxation purposes.
- Where information includes details about another individual.
- Where you feel it would not be right to disclose personal information to a person, there may well be an exception within the legislation.
If in any doubt about whether to release information, seek advice from the Data Protection Officer.
Giving information to outside bodies
Generally, personal information should only be given to the individual to whom the information relates. Outside bodies can, however, request this information from the Council in defined circumstances. If you receive a request then:-
- Ask what authority the body has to receive this information under the Data Protection Act.
- You can ask consent from the individual to release this information if appropriate.
- If you are in doubt, ask for advice from the Data Protection Officer.
It is good practice to systematically review your records (files, databases etc.) to ensure that these are accurate and up to date. Records need to be kept for varying amounts of time and will require to be destroyed from time to time. Any information which can identify an individual must be shredded, incinerated or otherwise destroyed.
What if other legislation requires me to disclose personal information to another person?
Often, other legislation requires us to make personal information publicly available. For example we are obliged to keep a list of all planning applications. This is still okay but consider the privacy of people on the list. For example, you may wish to publish such a list on the internet. This would be fine if the names of individuals were removed.
How does Data Protection relate to the right of access to information under the Freedom of Information Act?
The Freedom of Information Act will give a general right of access to the public over most information held by the Council apart from personal information held on individuals. This is protected under the Data Protection Act.