Data protection guide

4. Sharing data

You need to be aware of rights given to individuals by the UK GDPR. It is everybody’s responsibility to identify if an individual is relying on their rights:

The Information Rights Team are a direct contact for members of the public, but this does not stop them from making requests to any colleague of Cheshire East Council. You must comply with the contents of these individual rights, facilitate them, and be prepared to act if a data subject exercises them.

The Information Rights Team can be contacted at: informationrequests@cheshireeast.gov.uk

If you intend to share personal data, you may need to identify a lawful basis to process it to comply with UK GDPR.

A list of lawful bases helps you identify which lawful basis you may be able to rely on to allow you to process the data.

Because of the rights given to data subjects by the UK GDPR, even information already available, e.g., by an internet search, should not always be treated as free to share. It is always best to check before sharing if you are unsure.

As a processor of special category data, you need to be aware of the additional safeguards in place for processing data about:

  • Racial or ethnic origin
  • Religious beliefs
  • Political opinion
  • Trade Union membership
  • Health data
  • Sex life/sexual orientation
  • Genetic data
  • Biometric data when used for identification

These categories are linked with a data subject's individual rights and freedoms. The general rule is that data of these categories cannot be shared. However, Article 9 UK GDPR contains some exceptional conditions that, if satisfied, allow you to share or process the data, and which are supplemented in Schedule 1 Data Protection Act 2018:

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

You must satisfy one of these conditions in addition to your lawful basis for processing contained in Article 6 UK GDPR.

For example, you would need to identify a lawful basis under Article 6 UK GDPR, and additionally a condition of processing under Article 9 UK GDPR, in order to share an occupational therapy assessment between services. This is because special category data will be contained in an OT assessment, such as health data.

If you could achieve your purpose by another means without sharing data, or your sharing is not covered by any of the conditions, then you cannot lawfully process that data in any way.

Data Protection Impact Assessment

Because of the risks of infringement of an individual’s fundamental rights, processing of special category personal data is usually considered high risk. High risk processing requires a Data Protection Impact Assessment.

Data on Criminal offences or convictions or related security measures:

Data relating to criminal offences, convictions, or security measures are not special category data, but merit similar special protection due to the risks associated with the data. You will need to identify your lawful basis under Article 6 UK GDPR and your processing must meet a condition within Schedule 1 Data Protection Act 2018.

Frequently, job applications for certain positions (especially those dealing with children or vulnerable adults) will require information on criminal history. It is lawful to ask for criminal record information when recruiting for jobs where relevant, but you must make sure that your recruitment privacy notice is explicit that such data is being collected under the obligation to ensure that candidates are fit to work in sensitive spheres, for example with children.

If your data sharing or processing is necessary to comply with a law or statutory obligation, you can rely on a legal obligation as your lawful basis. If you can reasonably comply without processing the data, it will not be seen as necessary.

If you rely on a legal obligation, you should be able to either identify the specific legal provision or an appropriate source of guidance that clearly sets out your obligation. For example, to share data with Ofsted for the purpose of safeguarding requirements, you would need to find your legal gateway in the Education Act 2005 and the Children Act 1989, which outline the aims and obligations.

It does not have to be explicit – very few laws refer directly to permitting data sharing. But you should ensure that the data subject understands that there is a purpose laid down in a statutory basis with which you have an obligation to comply.

Remember to include your purposes and lawful basis in your Privacy Notice – which includes reference to the legal obligation that gives rise to the authority to process data. Help with your privacy notice.

Consent will only be appropriate where you can offer a truly free choice to an individual as to whether they would like their data to be shared or processed by you.

The request for consent should be clear, concise, separate from other terms and conditions and in plain English. You should not use pre-ticked boxes to gain consent because the UK GDPR mandates that there must be an affirmative opt-in.

You want your data subjects to be well informed, so the request for their consent should include:

  • name of organisation and any third-party controllers who may rely on the consent
  • why you want the data
  • what you want to do with the data (the processing activities)
  • their right to withdraw consent, with details of how this can be done.

If consent is withheld, you cannot change to another lawful basis (Article 6 UK GDPR). If there is another lawful basis you could use, this should be the first option.

You must keep records to evidence consent, to record who consented, when, how, and what they were told at the time of consenting.

Remember that by giving consent, the data subject gives rise to their right to withdraw it. Your records should allow for this, and it is up to you to update subjects’ preferences as soon as they change. Not doing so could be a breach of UK GDPR.

Remember that consent should be reviewed periodically and refreshed if there are any changes.

Responsibility with partner agencies

If you share the data with partner agencies, you need to be explicit about what these partner agencies will do with the data they access and how. As Cheshire East Council is a data controller, the responsibility remains with you (regardless of who the data is shared with) to ensure that any personal data processed or shared is secure.

Data subject capacity to consent

You may assume that adults have the capacity to consent to their data being shared unless you have any reason to believe the contrary. UK GDPR requires informed consent, so if the individual cannot understand the information, then they cannot give informed consent.

For example, an individual who lacks capacity around their care and support needs may not be able to give their own consent to social care assessments being transferred from social worker to other teams.

A third party with the legal right to make decisions on the behalf of a person (for example, Power of Attorney) can give consent for them.

If in the exercise of your professional judgement you decide it is in the individual’s best interest to process data, and you give consent on their behalf, you must record your decision. You should only share the minimum data necessary, observing the principle of data minimisation.

If you perform a specific task in the public interest and exercise an official authority (public functions and powers laid down in law), you must be able to show that your processing is necessary for the purpose.

The relevant task or authority must be laid down in domestic law, but it need not be explicit, so long as the application of the law (and the subsequent processing/sharing of data) is clear and foreseeable.

You should be able to identify a legal provision, or an aim set out in law, that entitles you. It need not be specific legal authority. It is enough that:

  • Your purpose is to perform a public interest task or official function
  • Such task has a basis in law
  • It is necessary for that task that you share certain data.

Remember, whatever entitles you to process data should also be in your Privacy Notice. Help on writing your Privacy Notice

Public Authorities can only rely on legitimate interests as a lawful basis to process data when they are processing for a legitimate reason other than performing their task as a public authority. This leaves very little scope for its use, for example tasks in commercial interest.

You may find that you have a legislative obligation to process the data. Or, you may be exercising your official function. If you do not, consider whether you could offer your data subjects a genuinely free choice for them to consent to your processing.

Children have the same rights as adults over their personal data; for example, right to access, right to erasure, request rectification, object to processing. Competent children can exercise these rights.

Processing children’s data requires a lawful basis, but of these, consent may not be the most appropriate if there are questions around the capacity (competency, maturity) of the child.

The general law in the UK does not specify the age that a child gains competence, so a case-by-case assessment is needed of whether the child can understand the nature of their rights, what exercising them will entail, and consent for themselves.

You may share data of a child if you have a lawful basis to do so, but it should be done with a more risk-based approach than when the data subject is an adult, and it is also important to consider appropriate safeguards against those risks.

Surveys that include child respondents must be clear about what the survey is for, who it is aimed at, what you want to achieve and what happens to the personally identifiable data that you collect for the survey. You must be mindful that the language used to deliver this information is befitting of the vocabulary and experience to be expected from children.

You must be cautious when distributing surveys to children online, as this could trigger the regulations surrounding Information Society Service (ISS). If you rely on consent to process children’s data, you must gather consent from the child’s parent if the child is under 13. You must also take reasonable steps to verify age. This lengthy administration could place barriers to surveying looked after children.

A data controller is the person or organisation who determines the purposes for which, and the way in which, personal data is used.

A data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).

To determine whether you are the controller or the processor, you need to establish who is responsible for deciding how the data will be processed and for what purpose.

If you act only on instruction (under contract) in relation to personal data, then you are the processor.

If you decide what data to collect, what to do with it, and are not given instructions to this end (even if there is an agreement in place), then you are a controller.

You may be asked to provide information that relates to a person who has died.

The UK GDPR does not apply to deceased people, which means that any request for their information would be outside of the Data Protection Act 2018. However, you must still consider their wishes and that confidentiality may be owed to that person even after their death.

It is important to respect the privacy and the dignity of the deceased person as we would when they were living. For example, highly sensitive social care records relating to the deceased person may not be appropriate to share. It could cause detriment to the person even once they have died, and cause distress to the surviving family.

If you share information about a deceased person, you should take care not to include information relating to living, identifiable individuals. This is the case even if the information is about a family member of the deceased, or a family member of the person making the request. You should only consider sharing properly redacted information.

You should not share information that is accessible to the requester by other means.

You should only give as much information as is necessary in order for the purpose of the request to be fulfilled. For example, if information is requested by a coroner to determine the cause of death, you should provide sufficient detail in order for this to be done, but withhold information which is irrelevant to the request.

You should always keep a record of any requests made for information relating to a deceased person and you should record your justification for sharing, too.

Formal requests for information about living individuals should be sent to informationrequests@cheshireeast.gov.uk.

Last reviewed: 15 April 2024
Page contact: Megan McGillan