Data protection

Anyone processing personal data must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA18).

This ensures that the data we collect is:

fairly and lawfully processed
obtained only for one or more specified and lawful purposes
adequate, relevant and not excessive
accurate
not kept longer than necessary
looked after with the appropriate security and protection

Cheltenham Borough Council is a data controller for the purposes of the Data Protection Act 2018.

The Data Protection Act gives you the right to apply for a copy of specific information held about you. You can, if you wish, appoint someone to apply for you such as a solicitor, or member of your family.

Further guidance about the data protection legislation is available from the Information Commissioner’s Office.

Our policies

Our Data protection policy leads and advises on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

PDF Icon Data Protection Policy - pdf - 618 Kb

Our Data quality policy is in place to ensure our data is accurate, complete and up to date.

PDF Icon Data Quality Policy - pdf - 563 Kb

Reporting personal data breaches

Data breaches are defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a data breach is more than just losing personal data.

You must report data breaches to the council’s Data Protection Officer (DPO) as soon as you become aware of them. There is a strict requirement on us to notify reportable breaches to the Information Commissioner’s Office without undue delay and within 72 hours. The clock starts ticking for our data protection officer to make a report to the Information Commissioner’s Office as soon as we become aware of the data breach.

Delays in reporting breaches or suspected data breaches to the council mean that there is less time to investigate these matters and take appropriate action to mitigate any harms which may be caused to the individuals affected.

Please ensure that any data breaches reported include an accurate summary of the personal data involved and the number of people affected. Remember to respond promptly to any further questions asked by the Data Protection Officer.

Data breaches can have a significant detrimental impact on individuals and organisations, so please do all you can to enable us to respond efficiently and well within the reporting requirements.

Make a request to obtain information we hold about you

Under data protection legislation you have the right to access the information that an organisation holds about you. Accessing personal data in this way is known as making a subject access request.

Subject access requests are different to requests submitted under freedom of information (FOI) legislation, which relate to information about the organisation itself.

You are entitled:

to be informed whether your personal data are being processed
to be sent a copy of your personal data subject to any applicable exemptions and the removal of other people's personal data as appropriate
to be sent certain information about your personal data

You can submit a request to the council in whatever format you wish. We have created a standard subject access request form which you can complete and email to XXX

Using the form will help us to verify your identity and give a timely and accurate response to your request. There is no charge to make a subject access request.

Insert download

Privacy notices

Cheltenham Borough Council holds and uses a considerable amount of information, including personal data, so that we can provide services to you.

Please visit the service privacy notice section to read how we use your personal data.

Retention schedule

The council’s Data Retention Policy sets out a list of records for which pre-determined retention dates have been established. The retention schedule brings together the following information:

The name and purpose for processing of the council's data processing activities;
disposal, pseudonymisation or anonymisation of those records which have completed their retention period;

storage of records which have to be kept after their retention period insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Personal information requests – police and other agencies

In some circumstances, the police and other authorised agencies can request access to personal information held by the council for specified purposes. These types of requests may be permitted if an exemption under Schedule 2 Part 1 of the Data Protection Act 2018 applies.

The Data Protection Act does not give an automatic right of access to information, however, it does allow the council to assess the merits of requests and decide whether or not to apply an exemption.

Please see the Information Commissioner's guidance on the Data Protection Act exemptions. To make a request under an exemption, please complete our Data Sharing Request Form. This form will be sent to the council's Data Protection Officer for consideration.

For more information or assistance, please contact the council's Data Protection Officer by emailing data.protection@westoxon.gov.uk.

Who's responsible for our compliance?

The information governance officer is responsible for ensuring our compliance with data protection legislation and with this policy.

If you have any questions about the operation of this policy or any concerns that the policy has not been followed, email foi@cheltenham.gov.uk.

You can also write to:

Information Governance Officer
Cheltenham Borough Council
Municipal Offices
Promenade
Cheltenham, GL50 9SA

Complaints

If you're unhappy with the response you've received to an information request, you have the right to complain. Find out how to make a complaint.

You also have the right to make a complaint to the ICO. You can do this by visiting the ICO website