Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR)

Leeds City Council has to process information in order to deliver and improve services to our citizens.

The Data Protection Act 2018 says that any personal data we collect and hold about you has to be:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
  • the controller shall be responsible for, and be able to demonstrate compliance with the above principles relating to the processing of personal data

Leeds City Council’s Data Protection Policy Statement and Appropriate Policy are available:

Data Protection Policy Statement

The council needs to process personal data and private information in order to deliver many of its services. The council’s objective is to use personal data and private information in the most efficient and effective way possible to deliver better services, and to enhance privacy.             

The council will strive to:             

  1. Adopt the least intrusive approach. Where services can be delivered or improved without affecting personal privacy, they will be.
  2. Process all personal data fairly and lawfully throughout its whole lifecycle.
  3. Ensure that any processing of personal data (particularly special categories of personal data) is justified on one or other of the legal bases set out in the data protection legislation, and ensure that any dealing with private information is compatible with individuals’ rights set out in human rights legislation.
  4. Ensure that personal data or private information is obtained fairly and transparently.
  5. Use personal data and private information throughout its whole lifecycle in a way which is compatible with the purposes which were communicated at the point of collection or before further processing, or for other purposes which are legally permitted.
  6. Only share personal data or private information where the council has the individual’s consent or where this is legally permitted, or where the council is required to do so by law. Where this is done without consent, the council ensures that there is openness and accountability in the process of striking a fair balance between individual rights and the wider public interest.
  7. Collect and process only the minimum relevant amount of personal data or private information which is required to fulfil the purpose.
  8. Take every reasonable step to ensure that data are accurate and where necessary kept up to date, and to ensure that inaccurate data are erased or rectified without delay.
  9. Ensure that personal data and private information are kept in a form which permits identification for no longer than necessary, and that data and information are no longer retained once the purpose for processing has been fulfilled. Such data and information will be securely destroyed, in line with specific data retention policies.
  10. Process data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, using appropriate technical and organisational measures, including as appropriate the pseudonymisation and encryption of data, ensuring systems and services are resilient, and availability and access can be restored appropriately, and regularly testing and checking how effective these measures are.
  11. Demonstrate responsibility and accountability for all matters in this Policy Statement, and keep appropriate records of processing activities.
  12. Not transfer personal data or private information to any country outside the European Economic Area unless that country ensures an adequate level of privacy protection, or the council has provided appropriate safeguards.
  13. Facilitate the exercise of data subject rights, including the right of access, the right to rectify or complete data, the right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to object, and right not to be subject to a decision based solely on automated processing.
  14. Ensure data protection by design, by implementing appropriate technical and organisational measures which are designed to implement the data protection principles above, in an effective manner and to integrate the necessary safeguards into the processing.
  15. Ensure data protection by default, so that by default only data which are necessary for each specific purpose of the processing are processed, and by default data are not made accessible to an indefinite number of people.
  16. Use only data processors who provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of data protection legislation and ensure the rights of data subjects are protected.
  17. Notify personal data breaches to the ICO, and communicate personal data breaches to data subjects as required by data protection legislation and wherever the ICO is notified.
  18. Carry out data protection impact assessments as required by data protection legislation.
  19. Ensure the council’s data protection officer is accessible to data subjects with regard to all issues about the processing of their data, or the exercise of their rights under data protection legislation.

Last updated Tuesday 17 April 2018

Appropriate Policy

This is the “appropriate policy document” for Leeds City Council. It sets out how we will protect special category and criminal convictions personal data.             

It meets the requirement at paragraph 1 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.             

It also meets the requirement at paragraph 5 of Schedule 1 to the Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1 to the Data Protection Act 2018.             

Procedures for securing compliance

Article 5 of the General Data Protection Regulation sets out the data protection principles. These are our procedures for ensuring that we comply with them.             

Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The council will:             

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
  • only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
  • ensure that data subjects receive full privacy information so that any processing of personal data is transparent

Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The council will:             

  • only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
  • not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first

Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.             

The council will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.             

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.             

The council will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.             

Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.             

The council will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so.             

Once we no longer need personal data it shall be deleted or rendered permanently anonymous.             

Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.           

The council will ensure that there are appropriate organisational and technical measures in place to protect personal data.

Accountability principle

The controller shall be responsible for, and be able to demonstrate compliance with these principles.             

Our Information Governance team are responsible for ensuring that the department is compliant with these principles.             

The Information Governance team will:             

  • ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
  • carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate
  • have appointed a Data Protection Officer to provide independent advice and monitoring of the council’s personal data handling, and that this person has access to report to the highest management level of the department
  • have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law

Data controller’s policies as regards retention and erasure of personal data

We will ensure, where special category or criminal convictions personal data is processed, that:             

  • there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
  • where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
  • data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used

Last updated Thursday 20 December 2018

If you wish to make a request under Schedule 2, Part 1(2) or Part 1(5) please email dpfoi@leeds.gov.uk.
