Data Protection

How we process and handle personal data by complying with the law, including information sharing.

What is data protection

Data protection refers to the legal and regulatory framework that governs how personal data is collected, used, stored, and shared by organisations, businesses, and the public sector. Its main goal is to protect individuals' privacy and ensure their personal information is handled responsibly.

There are two key pieces of legislation that govern data protection in the UK:

  1. UK General Data Protection Regulation (UK GDPR), adapted from EU GDPR after Brexit
  2. Data Protection Act 2018, which supplements the UK GDPR and provides specific rules and exemptions for areas such as law enforcement and national security

Main principles

The UK GDPR states that personal data must be:

  • lawfulness, fairness and transparency - processed lawfully, fairly and in a transparent manner
  • purpose limitation - collected only for specified, explicit and legitimate purposes
  • data minimisation - adequate, relevant and limited to what is necessary
  • accuracy - accurate and, where necessary, kept up to date
  • storage limitation - kept for no longer than is necessary for the purpose
  • integrity and confidentiality - processed in a manner that ensures appropriate security of the personal data

For more information on the UK GDPR visit .

Individuals' rights under the UK General Data Protection Regulation (UK GDPR)

Individuals have eight rights under the UK GDPR:

  1. Right to be informed about how their personal data is being collected and used
  2. Right of access to receive a copy of their personal data and receive information about how it’s being processed
  3. Right to rectification to have inaccurate data corrected or incomplete data completed
  4. Right to erasure to request that their personal data be erased under certain circumstances
  5. Right to restrict processing of their data so that it is temporarily suspended or restricted under certain conditions
  6. Right to data portability so that their data can be provided to them in a machine-readable format, allowing them to reuse it elsewhere
  7. Right to object to the processing of their data in certain circumstances
  8. Rights related to automated decision-making and profiling

Make a data protection request

Please refer to our page Make a Data Protection Request.

How we use your information

We are committed to protecting your privacy when you use our services. Read more about privacy at How we use your information.

Information sharing

Increasingly, public authorities need to share information in order to provide efficient and effective services. By linking up information resources, both internally and with other organisations and partners, we can deliver effective services. The Council works with a number of partners including but not limited to the following:

  • Central and Local Government
  • health and social care providers
  • commercial organisations
  • research institutions
  • schools and other education providers
  • voluntary and community establishments

Data Protection legislation is not an automatic barrier to information sharing. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 allow organisations to share information for a variety of reasons, including safeguarding vulnerable individuals and preventing and detecting crime.

Sharing personal information presents risks and opportunities that need to be managed correctly. The Council has processes and policies in place to manage the sharing of personal data. These comply with the Data Protection principles by:

  • documenting the purposes for sharing data, including the data protection lawful bases and, where relevant, special category conditions
  • ensuring all parties involved comply with individuals' rights and have appropriate technical and organisational measures in place to secure the information
  • establishing that the information shared is relevant, accurate, and only retained for as long as necessary

For routine information sharing, where appropriate, this is accomplished through formal Information Sharing Agreements and in compliance with the Council’s Data Protection, Information Sharing, and Information Security policies.

More information on how the Council uses and shares personal information can be found on our Privacy Statement.

Data protection information for our suppliers and contractors

Worcestershire County Council commissions suppliers and contractors to provide services or goods on our behalf. As a result, they may have to process personal data on behalf of the Council. Under the UK GDPR, businesses and organisations that provide services to other businesses and organisations under contract (called 'Processors' in the UK GDPR) now have direct obligations.

In addition to the contractual obligations set out in the UK GDPR, a processor has the following direct responsibilities and must:

  • only act on the written instructions of the controller
  • not use a sub-processor without the prior written authorisation of the controller
  • cooperate with the Information Commissioner’s Office (ICO)
  • ensure the security of its processing
  • keep records of its processing activities
  • notify any personal data breaches to the controller
  • employ a data protection officer (if required)

A processor should also be aware that:

  • it may be subject to investigative and corrective powers of the ICO
  • if it fails to meet its obligations, it may be subject to an administrative fine
  • if it fails to meet its UK GDPR obligations it may be subject to a penalty
  • if it fails to meet its UK GDPR obligations it may have to pay compensation

Personal Data Breaches

If a business or organisation that processes personal data on behalf of the Council experiences a personal data breach, it needs to report it to the Council as soon as possible. This can be done by emailing dataprotection@worcestershire.gov.uk.

The business or organisation will also need to investigate what led to the breach and what action now needs to be taken to contain or mitigate its impact. This will assist the Council with its obligations as the controller.

Should a data breach occur that is likely to result in a risk to individuals' rights and freedoms, the Council has a direct obligation under the UK GDPR to inform the Information Commissioner's Office within 72 hours of becoming aware of the breach. In these circumstances it is important that the Council is immediately informed about the breach and the known risks, likelihood and impact. This will enable the Council, as the controller, to make an informed decision about whether the ICO needs to be notified.

Access to IT systems by third parties

All access to Worcestershire County Council (WCC) IT systems and services by third parties requires either a Contract or an Information Sharing Agreement, to ensure that all requirements, including Data Protection, are in place.

If you are a member of a third party organisation and you have been sponsored by a WCC member of staff to access a system for a particular purpose aligned with Data Protection Legislation, you will need to personally sign a Third Party Access Agreement.

Please ensure that you attach the completed, signed form to the email you received asking you to sign it, so that access can be set up for you. Access will not be granted until this agreement has been signed and returned.

Data protection terminology

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the DPA 1998 this was a 'Data Controller'.

Data Protection Officer (DPO)

The UK GDPR introduces a duty to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. A DPO is an independent expert on data protection who works to ensure an organisation is adhering to the requirements of the UK GDPR.

Information Commissioner's Office (ICO)

The UK's independent supervisory authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Personal Data

Any information relating to an individual (the 'data subject') who can be identified, directly or indirectly, from the information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing

Any operation, or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means. Examples include: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. In the DPA 1998 this was a 'Data Processor'.