Data Subject Rights
You have rights under the General Data Protection Regulation 2016 (GDPR) regarding the personal data the council, as the data controller, processes about you.
Download a copy of the full data subject rights leaflet. If you wish to view a specific section please select from the following options.
What rights do I have?
How to exercise your rights
Right to notification
A privacy notice will be provided to you explaining how and why we intend to process your data. This ‘Privacy Notice’ will be based on the general statement on our website but with details specific to the service you are involved with.
This information will be on the website, on the form you complete or you will be told verbally over the phone.
When does this apply?
When we first gather information from you we will confirm that:
- we are the data controller
- let you know who our Data Protection Officer is and how to make contact
- the legal basis for processing your data and the purpose(s) we will use it for
- any consequences of you not providing all the data requested
- who we share this with and how long we keep them for
- we will let you know your rights to have data rectified, to be forgotten, to portability, to object to processing and to complain
- we will let you know if the data will be subject to any automated decision making
- transfers outside European Economic Area and
- if the data was not provided by you, the identity of the source and the categories of data we hold.
If we intend to use your data for a purpose other than that which we initially intended we will also issue you a further privacy notice prior to processing.
When does this not apply?
If you already have this information.
For example
When you simply update your contact details on your Human Resource record or Council Tax account.
If it would be impossible or involve disproportionate effort to let you know if the data collection is set in law and measures are in place to safeguard privacy.
Subject Access Request
You can ask for a copy of the data we hold on you.
When does this apply?
This applies to any personal data that we hold and we can tell you what data and what categories of data we hold.
To help us do this we will ask you to tell us which services are likely to hold your data, for example there may be a Housing Benefit file, employment records, housing file or a topic or area of correspondence you have had.
You will need to provide proof of your identify, including a utilities bill or bank statement with your current address and something confirming your identity such as a driving licence or birth certificate so that we can ensure that the correct data is provided to you and that your data and the data of others is adequately protected.
Data will, where ever possible, be sent to you electronically, and there is no charge. However if you request further copies, we may charge or consider if we can meet the request.
We will let you know the purpose(s) the data is processed for, and any other organisations we share the data with, also if any data we hold is collected from other sources.
For example
We may be given data from the Department of Work and Pensions regarding benefit applications.
In order to provide you with services such applications for Housing we will share your data with our Housing partners.
We have set periods (or retention schedules) that we hold data for, which vary depending on the service and we will tell you how long we will hold data for each relevant service. We will also tell you the legal basis we have for processing the data.
The data we hold is safely stored and processed. If any of your data is transferred outside the European Economic Area and to a territory without adequate security we would let you know but we do not believe we hold any data that falls into this category.
If your data is processed and automated decisions made or we conduct any profiling, we will also let you know of this. Further details on your rights regarding automated decisions and examples of when this may occur can be found at section viii. And we will let you know your rights to rectify inaccurate or incomplete data, to object to processing, restrict access to your data and to complain.
When does this not apply?
There are some circumstances in which we cannot provide your data.
The law permits us to reject a request that is manifestly unfounded or excessive. If we believe this to be the case we will let you know why we think this is the case.
If it is necessary to protect the rights and freedoms of others.
For example
If other family members’ details are in your social care or housing file, we would need to either obtain their permissions to share this part of the file or redact that data.
Other exemptions are yet to be defined under the GDPR and this booklet will be updated once UK legislation is passed.
Current exemptions under the Data Protection Act 1998 may be reflected and these include:
- confidential references
- publically available information
- crime and taxation (the prevention and detection of crime, prosecution of offenders and the assessment or collection of tax)
- management information (for forecasting or planning)
- negotiations with the requestor
- regulatory activities
- legal advice and proceedings
- social work records (if the data would be likely to prejudice the carrying out of social work by causing harm to the health of the requestor
- other exemptions can apply to health records and education.
Right to be forgotten
This allows you to request that we delete our records or some of our records in so far as they identify you. It does not apply in all circumstances.
When does this apply?
If you provided the information with your consent.
For example
You agreed to take part in a consultation or you signed up for a newsletter. You can withdraw your consent.
- If the data is no longer necessary and the timescale for us to keep records has expired
- If the data is being unlawfully processed, e.g we have processed data for a purpose we were not entitled to
- If the data was provided on line when you were a child and you or your parent(s) gave consent at the time. However we do not think that the council holds any data that falls in this category
- If you successfully object to the data processing under the Right to Object (see section vii)
- If we are obliged to erase the data to comply with a legal obligation
- And if we have made the data available on-line or to others, we will need to erase that data or ask the other party to do so.
When does this not apply?
If we need the information to provide a service we are authorised to provide by law, for a legal obligation or we believe the data to be necessary for a task in the overriding public interest.
- If the data is required for a contract to which you are party
- If records are required to protect public health
- If we require the data to establish, exercise or defend a legal claim
- If records are required for archiving in the public interest or for scientific or historical interest.
For example
A task carried out in the public interest will include a wide range of the council’s functions such as:
- assessing and collecting Council Tax and Business Rates
- processing anti-social behaviour complaints
- refuse collection
- FOI requests
- Data matching for Troubled Families initiative.
So if you ask for your complaints of noise nuisance or antisocial behaviour to be erased, the council will have to consider whether there are overriding reasons in the public interest to keep those records.
This may be to ensure sufficient evidence is held to rectify the nuisance for the good of the community balanced against any possible detriment to you.
But if you ask for Council Tax records to be erased the council on balance is likely to say they need to be retained until the end of the statutory retention period to be sure all monies due are appropriately charged and collected.
Right to rectification
This concerns correcting your personal data that is held.
When does this apply?
If you believe the data held is not accurate, you can request that it is corrected without undue delay. Similarly if data is incomplete you can ask that it is completed.
When does this not apply?
We are obliged to correct incorrect data and incomplete data without undue delay.
However if we need to make further checks or dispute that the data we hold is incorrect we may restrict access to the data pending a decision.
Rectification can be achieved by adding to the record or creating a supplementary record. Even if we decide that the information is correct, we will place a statement from you on the record with the data you believe to be correct or stating your dispute.
And if we have made the data available on-line or to others, we will need to correct that data or ask the other party to do so.
Right to restriction of processing
You can ask that access to your records is limited in certain circumstances.
When does this apply?
If you are contesting the accuracy of the data on record and we are seeking to verify it.
If the processing of your data is unlawful, but you want the record preserved.
- This could be because you are pursuing a complaint.
- It could also be because you need the data to establish a legal claim, to exercise and/ or defend a legal claim.
- This could also be while you are making an objection to the council processing your data under a lawful authority. This also applies to objections to processing under legitimate interest but the council will not be processing data under this condition.
In these circumstances the council may only process the data with your consent or to establish exercise or defend a legal claim or to protect the rights of another person or important public interest.
For example
You object to the council processing school attendance data for your children as you believe the records are inaccurate. The council may restrict access to the data while your objection is being considered and the data verified.
An exception to this may be if the matter is being contested in court
And if we have made the data available on-line or to others, we will need to restrict that data or ask the other party to do so.
While there is a request for restriction of processing, we must inform you before lifting that restriction.
Right to portability
This allows you to be provided with a copy of your data in an accessible electronic format. This does not apply to all data.
When does this apply?
- If you gave us the data with your consent
- If the data was provided as required for a contract between you and the council.
- If the processing is electronic
When does this not apply?
- It does not apply to data collected in any other circumstances
- The data we provide to you can also include data directly observed from the information you provided to us.
For example
If you have used the Idea Store lending service you may ask to have a copy of your registration record and all transactions from the lending services.
At your request we can pass this data to another data controller.
E.g. if you move to another authority you may wish to transfer details, but as this does not apply to data we process for a task carried out in the public interest so many of the Council’s services will not be able to comply with such a request.
Right to object
You have the right to object to the Council processing your data if you dispute the authority to processed data.
When does this apply?
The GDPR provides a right to object to data processed under ‘lawful authority’ and ‘legitimate interests’. Legitimate interests does not apply to local authorities so we will focus on lawful authority.
The GDPR provides for a local authority to process data to perform a task carried out in the public interests or with lawful authority.
This condition will cover almost all services that the council provides and some services will also be covered by a specific legal obligation to process the data.
Some examples were given in Right to to Forgotten, other examples are:
- Complaints records
- Schools admissions and appeals
- Social care records
- Housing applications and medical assessments
- Homeless services
- Parking
- Leisure centres
- Public Health
- Special Educational Needs
- Waste collection
If you make an objection, you can ask that we restrict processing while you objection is being considered.
When does this not apply?
When the council has demonstrated overriding grounds to continue processing.
The council will have to demonstrate overriding grounds to continue processing your data under its lawful authority or a task carried out in the public interest, or to establish exercise or defend a legal claim.
You can also object separately to your data being used for direct marketing and for research. You can also object to your data being processed for research purpose unless the council has public interest justification for this.
When conducting research we will in most instances anonymise the data so your personal data cannot be identified. Or there may be projects where we combine data and then remove any personal identifiers. This way the outcomes are not linked to any individuals.
Right to object to automated decision making
Some decisions are made by machine calculation of data held.
When does this apply?
The regulation allows you to object to having decisions made by an automated process.
For example:
We match applicants for housing with suitable properties according to the established policy criteria and data held on their application record
This also includes profiling data which has a legal or other significant effect on you. Profiling could mean analysing and predicting your performance at work, your economic situation, your health, your location or movements, and you preferences or behaviour. The council is unlikely to undertake profiling that has a significant and/or legal impact but will at times use data held to identify populations impacted by policy and legislative changes.
For example
We may wish to notify and assist residents who are likely to be affected by changes in benefit law such as the bedroom tax, and will use the data we hold to decide who we need to contact about the changes.
When does this not apply?
- If the processing is necessary for a contract between you and the council, for example, your employment contract.
- For tax evasion, fraud or regulatory activities or the council
- If processing is authorised by law with necessary safeguards to your rights and freedoms
- If you gave explicit consent.
- If you object, you have the right to have the decision explained to you.
- You also have the right to have manual intervention so the decision is verified.
For example
Your lettings bid will be processed and all applicants for the property will be ranked in report according to the range of factors relevant to their application. This will include the overcrowding, medical factors, the application’s preference data.
You can ask for this automated decision to be explained to you and to have an officer review the decision / preference ranking for that offer.
Right to complaint to supervisory body (the Information Commissioner)
You have the right to complain to the Information Commissioner if you believe the processing of your personal data infringes the General Data Protection Regulation.
Right to Judicial Remedy against Supervisory Body (the Information Commissioner)
You have the right to seek a judicial remedy against the Information Commissioner without prejudicing any other administrative or non-judicial remedy about a binding decision of the commissioner or if the Commissioner does not handle a complaint within three months. This is likely to be achieved in a tribunal.
Right to Judicial Remedy against the council
You have the right to seek a judicial remedy against the council, without prejudicing any other administrative or non-judicial remedy about the processing of your data where you believe the data processing did not comply with the GDPR. This can be achieved in the County Court or High Court in England.
Right to compensation
You have a right to receive compensation from the controller or processor if you have suffered material or non-material damage as a result of an infringement of the GDPR.
Such a claim can be made in the County Court or High Court.
How to exercise your rights
The council's Data Protection Officer can be contacted at DPO@towerhamlets.gov.uk.
If you are dissatisfied with our handling of your data or how we have dealt with your data subject rights, you can complain to our Data Protection Officer, and also to the Information Commissioner's office casework@ICO.org.uk. You can also seek judicial remedy in some circumstances.
We will respond to your request to exercise any of the above rights as soon as we can and within one month of your request. If this is not possible due to the complexity or size of the request we will let you know. In exceptional circumstances we can extend the timescale to 3 months or 90 days. We will let you know why if this is the case.
How to contact us and the Information Commissioner
For further information, or to make a request to exercise any of your data subject rights you can contact this council or the Information Commissioner’s Office.
Tower Hamlets Council
The Data Protection Officer
Complaints and Information Team
Tower Hamlets Town Hall
160 Whitechapel Road
London
E1 1BJ
Tel: 020 7364 4161
Email: DPO@towerhamlets.gov.uk
Information Commissioner’s Office
Water Lane
Wilmslow, Cheshire
SK9 5AF
Tel: 0303 123 1113
Visit the Information Commissioner's website.