Personal information

Your personal information – how we process and protect

Data protection is all about keeping you and your personal information safe and secure.

Your personal information, or data, is exactly that – personal – and we have various policies and procedures to make sure it stays that way whether it’s your name, address, phone number, email address, photograph, IP address, mobile device identifier or something more sensitive like your health/medical details, religion or ethnicity.

We collect, store and use personal information in lots of different ways across the Council. For example, personal information is included in employee records, school pupil files, social work records, application forms, payment forms, and tenancy agreements – to name just a few.

We have a responsibility to ensure we handle your personal information in line with the relevant legislation, and that’s a responsibility we take very seriously.

You may be aware that data protection law is changing from 25 May 2018. We want you to know what this means for you.

The legal changes

From 25 May 2018, the General Data Protection Regulation 2016 (GDPR) will replace the Data Protection Act 1998.

This is a European regulation that will create a new law that applies to all European Union citizens, ensuring a clear and consistent approach to processing and protecting people’s personal information.

The GDPR forms the basis of the new Data Protection law in the UK – even after Brexit.

The GDPR will be supplemented by a new Data Protection Act 2018 which will update how data protection law will function in the UK, as well as extending data protection laws to areas which are not covered by the GDPR. Both these laws provide a comprehensive package to protect personal data.

What the new law means

The principles of the new legislation are similar to what’s currently in place, but create clearer rules on how personal information can be used, increase the rights people have in relation to their personal information, and make organisations accountable for showing how they are complying with the new regulation.

In summary:

  • We need to have a lawful – or legal – basis for holding and processing personal information. This can be consent of the data subject (person); for performance of a contract; compliance with a legal obligation; protection of vital interests; public interest; legitimate interests. You can find out more about what these mean on the Information Commissioner’s Office website.
  • We must tell people how and why we are going to use their personal data.
  • We must only use the data for the purpose we collected it for.
  • We must make sure we only use the personal data/information that’s actually needed.
  • We must make sure it’s the correct personal information and keep it up to date.
  • We must keep personal data and information private and confidential, and safe and secure at all times.
  • We must have an appointed Data Protection Officer.
  • We need to report data breaches to the Information Commissioner or face a fine for failing to do so.
  • We could also face a significant fine if we’re found to have breached the laws in place.
  • You have the right to be informed how we use your personal data, the right to access what personal data we hold about you, the right to object to processing of your data, the right to ask us to correct your personal information if it is inaccurate and get personal data amended or deleted (this is known as ‘the right to be forgotten’). The lawful basis for processing/using your personal data directly impacts which rights are available to you.

Privacy notices

As the ‘data controller’ for the personal information – or data – we hold about you, South Ayrshire Council decides how your personal information is used or processed, and what it is used for.

We will always let you know exactly what we will do with your personal information – what information we collect, why we collect it and what we do with it.

We will do this via a ‘privacy notice’ and it may be provided in print, be available on our website, or explained to you in person or over the phone.

We don’t have a ‘one size fits all’ privacy notice that we use as a Council – as the privacy notice is specific to your personal information and the reason we have it in the first place.

You can find out more about our individual privacy notices.

Access to your personal data

The General Data Protection Regulation 2016 (GDPR) gives individuals (data subjects) a number of rights including the right to access personal data that an organisation holds about them. The right of access extends to all information held on an individual subject to exemptions such as where disclosure could prejudice a criminal investigation. If an individual makes a request to view their information, it is known as a "Subject Access Request".

You must:

  • make the request in writing
  • supply information to prove who you are (to eliminate risk of unauthorised disclosure)
  • supply appropriate information to help the council to locate the information they require

The request should include details and provide evidence of who you are (e.g. driving licence, passport, birth certificate, utility bills). You should also provide as much detail as possible regarding the information you wish to access (e.g. where and by whom information is believed to be held, specific details of information required).

This list is not exhaustive and other forms of identification may be acceptable. At least one form of identification should contain the same signature that is on your application form or letter and one with a photograph. Please note that the Council will not be able to comply with any requests received unless satisfactory proof of identification is provided.

The right to access the information held about you by the Council is free of charge.

If you are a current or former Social Work client and wish to see your Social Work file, if you wish to obtain any records held by the Council relating to you, of if you have any general data protection queries, please contact the Council’s Data Protection Service at:

Data Protection Officer
Information Governance Team
Legal & Democratic Services
County Buildings
Wellington Square
Ayr
KA7 1DR

Email: DataProtection@south-ayrshire.gov.uk
Telephone: 01292 612223

The jargon

Data protection legislation, including GDPR, uses particular technical terms, at times, to describe the different roles, responsibilities and actions of individuals and organisations.

Some of the most commonly-used terms are:

  • Data controller: An individual person or organisation who determines why and how any personal information is to be processed.

    For our purposes, South Ayrshire Council is the data controller, regardless of which employees are responsible for data protection.

    For the purposes of their constituency work, Councillors are the data controllers and take on the related responsibilities – not the Council.

  • Data processor: A person, other than an employee of the Council, who processes personal data on behalf of the Council and provided for in contract– for example, contractors and suppliers.

    The data processor can only use personal data in line with what’s been agreed with the Council as the data controller.

  • Data subject: The living person who is the subject of and can be identified from the personal data or from additional information held, or obtained, by the Council.

  • Data processing: This covers all the actions relating to personal data – collecting, recording, analysing, amending, using, sharing, disclosing, storing and destroying.

  • Subject Access Request (SAR): The right granted to an individual to request a copy of personal information held about them.

  • Data breach: A breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access to personal data.

Frequently asked questions

How can I find out what personal information you hold and why you’re holding it?

Our privacy notices tell you what personal information we hold as well as the purposes of the processing. Please visit our privacy notice page to view the privacy notice for the Council’s core functions. Otherwise please contact the Data Protection Officer using the contact details below.

How can I find out what the legal basis is for the Council holding my personal information?

Our privacy notices include our lawful basis for processing as well as the purposes of the processing. Please visit our privacy notice page to view the privacy notice for the Council’s core functions. Otherwise please contact the Data Protection Officer using the contact details below.

What can I ask you to do with my personal information?

The GDPR provides the following rights for individuals:
  1. The right of access
  2. The right to recification
  3. The right to erasure
  4. The right to be informed
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The lawful basis for processing/using your personal data directly impacts which rights are available to you. This means that some of the above rights are only available to you in certain circumstance - for example, if the Council is processing your personal data based on a public interest task (e.g. keeping school pupil records) then you do not have right to erasure.

What steps will you take to keep my personal information safe and secure?

It’s our responsibility to keep your information safe. We have trained our staff to ensure they are aware of their obligation to adhere to data protection laws. We have also adopted policies and procedures to assist in keeping your personal information safe and secure.

What do I do if I have a complaint about how you are using my personal information?

If you are unhappy with the way we have dealt with your personal information, you can complain to the Council’s Data Protection Officer:

Data Protection Officer
Information Governance Team
Legal & Democratic Services
County Buildings
Wellington Square
Ayr
KA7 1DR

Email: DataProtection@south-ayrshire.gov.uk
Telephone: 01292 612223

If you remain dissatisfied after contacting us, you have the right to complain to the Information Commissioner:

Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh
EH3 7HL
Telephone: 0303 123 1115
Email: scotland@ico.org.uk

Contacts

South Ayrshire Council

Data Protection Officer, County Buildings, Wellington Square, Ayr KA7 1DR
DataProtection@south-ayrshire.gov.uk
01292 612 223

Information Commissioner's Office

www.ico.org.uk
Information Commissioner's Office – Scotland, 45 Melville Street, Edinburgh, EH3 7HL
Email: scotland@ico.org.uk
0303 123 1115