Go to navigation

Data Protection

Introduction

The Data Protection Act 1998 sets rules for processing personal information and applies to paper as well as electronic records. The Act applies to personal data, that is data about identifiable, living individuals (data subjects). It protects personal data by setting rules and conditions which all users of personal information (data controllers) must obey when obtaining and using information about you. The Act also provides you with certain rights, which the data controller (for example, Medway Council) must respect.

The Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice. Data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject’s rights;
  • secure;
  • not transferred to other countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances, exemptions will apply.

Processing personal data

The definition of data processing is far wider than under the previous legislation. For example, it incorporates the concepts of obtaining, holding and disclosing data or information. All are considered to be processing, which takes place when an operation or set of operations is carried out on personal data. The Act requires that personal data be processed fairly and lawfully. Personal data will not be considered to be processed fairly unless certain conditions are met. A data subject must be told the identity of the data controller and why that information is to be processed.

Processing may only be carried out where one of the following conditions has been met:

  • the individual has given his or her consent to the processing;
  • the processing is necessary for the performance of a contract with the individual;
  • the processing is required under a legal obligation;
  • the processing is necessary to protect the vital interests of the individual;
  • the processing is necessary to carry out public functions;
  • the processing is necessary to pursue the legitimate interests of the data controller or third parties (unless it could prejudice the interests of the individual).

Processing sensitive data

The Act makes specific provision for sensitive personal data. Sensitive data includes:

  • racial or ethnic origin;
  • political opinions;
  • religious or other beliefs;
  • trade union membership;
  • health;
  • sex life;
  • criminal proceedings or convictions.

Sensitive data can only be processed under strict conditions, which include:

  • having the explicit consent of the individual;
  • being required by law to process the data for employment purposes;
  • needing to process the information to protect the vital interests of the data subject or another;
  • dealing with the administration of justice or legal proceedings.

Relevant filing systems

The Act covers information which is recorded as part of a relevant filing system. This means any set of information in which the records are structured, either by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. The definition means a significant amount of manually generated data falls under the scope of the Act. The extension of the definition of data to cover accessible records means that records such as school pupil, housing, social services and health records, to which access was previously available under other legislation, are also included.

Subject access request

The Act allows individuals to find out what information is held about themselves on computer and some paper records. This is known as the right of subject access.

Under the Data Protection Act 1998, a request must be made in writing. To make a Subject Access Request (SAR), send an email to customer.first@medway.gov.uk  or write to us at:

Customer First
Medway Council
Gun Wharf
Dock Road
Chatham
Kent ME4 4TR

In order to process your SAR, we require a fee of £10 and copies of documents to verify your identity. Medway Council aims to comply with SARs as quickly as possible and will ensure that it is provided within the 40 calendar days limit set down by the Data Protection Act 1998.

The Act contains a number of terms that have a specific meaning. A guide to the terminology is available on this website.

Medway Council’s own privacy statement is also available on this website.

For further information on the rights of individuals to access their information, visit the Information Commissioner's website at www.ico.gov.uk/.

 

For more information contact Data Protection Officer by telephone: 01634 306000 or by email: dataprotection@medway.gov.uk

Write to: Data Protection Officer, Medway Council, Gun Wharf, Dock Road, Chatham, Kent ME4 4TR

Send this page to a friend: Send

Send a link to the Data Protection page to a friend

  4. Please answer the question below to ensure your form gets through safely to Medway Council. It is to verify that you are a real person and not an automated internet spam programme.