What is data protection?
Data protection is about respecting personal data and only using it appropriately. The General Data Protection Regulations (GDPR) and the UK Data Protection Act governs how personal data should be processed by organisations.
What is personal data?
Personal data is any information which relates to a person who can be identified (either directly or indirectly) from this information. This also includes information which only identifies someone when combined with other information in a person's possession. For example, a car registration number on its own is not personal data but when combined with information held by the DVLA it can be used to identify someone and accordingly may then form part of that individual's personal data. This means a lot of information falls within the scope of 'personal data' and needs to be processed in accordance with the law.
To process personal data we need to have a lawful basis under Article 6 of the general data protection regulation (GDPR). Those the Council may rely on are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions.
What is special category data?
Special category data is personal data which is more sensitive and has the potential to cause more harm if processed inappropriately. It includes the data that used to be categorised as sensitive personal data under the Data Protection Act 1998. The following types of information are special category data:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life
- sexual orientation
To process special category data we also need a lawful basis under Article 9 of the GDPR. The ones which the Council may rely on are:
- the data subject has given explicit consent to the processing
- processing is necessary for the purposes of employment and social security and social protection law
- processing is necessary to protect the vital interests of the data subject
- processing relates to personal data which are manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defence of legal claims
- processing is necessary for reasons of substantial public interest
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
- processing is necessary for reasons of public interest in the area of public health
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
What do we mean by 'processed'?
Processing of data can mean using the personal information in any way, such as:
- collecting / obtaining / recording
- storing (including holding on someone else's behalf)
- reading / viewing
- sharing and disclosing
- amending or altering
- deleting / destroying
Everything the council does with your personal information will be classed as processing.
Walsall Council recognises that this information belongs to you, it is your data, and we are committed to protecting it and only using it appropriately in compliance with the data protection legislation.
For further information on what personal information we collect and use in order to provide our services please see our privacy notice.