Data protection rights
Every individual has a number of rights in relation to their own personal data and their privacy. Find out about those rights and how you can exercise them.
Right of access (Subject Access Request)
Data Subjects (the individual who the data is about) have a very strong right of access to their own personal data held by an organisation. This could be information held in electronic form (ie emails or database entries). It could also be paper files that we hold (ie paper records or archived files).
What information you’re entitled to
If you’re the Data Subject, then you’re only entitled to your own personal data. If data about other individuals are included within your files then it’s likely that you won’t have access to that information.
Acting on behalf of a Data Subject
If you are acting on behalf of a Data Subject (ie you are their parent, legal guardian, or solicitor) then you may still have a right of access to information about the data subject. We would require the following to be able to disclose records to you:
- Child under 12 (or child lacking mental capacity) – demonstrable evidence that you have parental responsibility for that child
- Child over 12 – in certain circumstances your child may be asked to consent to disclose data to you
- Adult (who lacks mental capacity) – official paperwork listing you as legal guardian of the data subject
- Solicitor or Agent (acting on behalf of an individual) – a form of authority addressed specifically to us and signed by the data subject or their legal representative. In some circumstances we may also request explicit consent from the data subject.
Accessing the records of someone deceased
- A common law of confidentiality restricts us from disclosing a deceased person’s records to any individual other than the personal representative of the deceased’s estate. We can only disclose the information to an individual who has a grant of probate (if the deceased left a will) or a letter of administration (if the deceased did not leave a will, otherwise known as intestate).
- If you are the personal representative for the deceased’s estate and affairs, then we’ll need the legal documentation from you which validates this. We’ll need this before we can disclose the requested records.
The information we can withhold
We can withhold information if disclosure could prejudice a criminal investigation, if disclosure could cause mental or physical harm to any individual, or if information originates from the Court. These are known as exemptions.
Exemptions are not applied to information very often but when they are, we may not need to inform you.
Right to erasure, right to rectification and right to restriction
All individuals have a right to request that an organisation deletes, corrects or limits part or all of the personal information that it holds about them.
If we process your personal data based on a legal power or an official authority, we will only comply with one of these requests if:
- It is certain that the personal data it holds about you is incorrect or
- It no longer requires your personal data for the purpose that it was collected
In most cases we will upload and save your complaint with any other information we hold about you, so we have a record of your request.
Please be aware that decisions are made on a case-by-case basis and take in to account any relevant information required to decide if complying with such a request is suitable.
Automated decision-making
If we’ve used any automated decision-making software (ie if a computer has made a decision about you without human involvement) then you have a right to ask for a human being to review the decision instead.
We will always tell you when we do use automated decision making and provide you with details about how you are able to appeal.
How do I make a data protection request?
To make a Data Protection request, complete the Data Protection Request form.
The same form covers:
- Subject Access requests (right of access)
- Erasure (right to be forgotten)
- Rectification (putting right information that is incorrect)
- Restriction (restricting use of your data to one purpose only).
Once this is done, we’ll need you to validate your identity (so that we can be certain that only you have access to your personal data). Below is a list of the proof of identity documents accepted by the Council.
For security reasons you will need to provide your proof of identity by visiting our Council offices in person or by sending us copies (NOT originals) of your ID by post to this address:
Private and Confidential
Corporate Governance SAR
Ryedale District Council
Ryedale House
Malton
North Yorkshire
YO17 7HH
You can also write to us at the address above to request a Data Protection Request, or email the Council’s SAR email. If you email we recommend you provide your proof of identity separately in person or by post, for security reasons.
Accepted proof of identity documents
Please provide copies of one document from section A and one document from section B (you do not need to do this if it is likely that we will be able to identify you from our existing records, for example because you currently receive a service from us).
Section A – proof of name – provide a copy of one document from this list
- Current signed passport
- Original birth certificate (UK birth certificate issued within 12 months of the date of birth in full form including those issued by UK authorities overseas such as Embassies High Commissions and HM Forces)
- EEA member state identity card (which can also be used as evidence of address if it carries this)
- Current UK or EEA photocard driving licence
- Current full old-style UK driving licence
- Photographic registration cards for self-employed individuals in the construction industry -CIS4
- Benefit book or original notification letter from Benefits Agency
- Firearms or shotgun certificate
- Residence permit issued by the Home Office to EEA nationals on sight of own country passport
- National identity card bearing a photograph of the applicant
Section B – proof of address – provide a copy of one document from this list
- Utility bill issued within the last three months
- Local authority council tax bill for the current council tax year
- Current UK driving licence (but only if not used for the name evidence)
- Bank, Building Society or Credit Union statement or passbook
- Original mortgage statement from a recognised lender issued for the last full year
- Solicitors letter confirming recent house purchase or land registry confirmation of address
- Council or housing association rent card or tenancy agreement for the current year
- Benefit book or original notification letter from Benefits Agency (but not if used as proof of name)
- Inland Revenue self-assessment or tax demand
- NHS Medical card
Right to complain
If you are unhappy with the way in which your data has been handled, or the way in which a data protection request has been answered, then you may complain to our Data Protection Officer.
Email the Data Protection Officer or write to:
Data Protection Officer
Ryedale District Council
c/o County Hall
Northallerton
North Yorkshire
DL7 8AL
If you remain dissatisfied with the response from our Data Protection Officer, or if you would rather complain straight to a regulator, then you may make a complaint to the Information Commissioner’s Office (ICO) who regulate Data Protection and Information Governance matters in the UK.