UK General Data Protection Regulation (GDPR)

The UK GDPR and the Data Protection Act 2018 together govern the ways that personal data can be used and how it must be protected.

Rights for data subjects

The data protection legislation includes extensive rights for individuals and requires organisations holding personal data to comply with a strict set of rules.

Data subjects have the following rights in certain circumstances:

the right to correction of your data
the right to erasure (the right to be forgotten)
the right to restrict processing
the right to object to processing

If we are processing your data on the basis of your consent, this must be explicit, freely given and non-ambiguous, you may also withdraw your consent at any time.

See more information on your individual rights under GDPR and the Data Protection Act 2018.

Accessing your records

There are new rules for if you wish to exercise your right to access any records we may hold about you.

Privacy notices

Privacy notices provide information on how we may use your personal information and your rights in accordance with new legislation.

Commonly used legal bases for processing personal data:
Activity	Legal Basis (UK GDPR Article 6)	Special Category of Data Condition (UK GDPR Article 9 / DPA 2018)	Relevant Statute
Social care provision (for example children's services)	Article 6(1)(c) – Legal obligation	Article 9(2)(h) – Provision of health or social care; Schedule 1, Part 1, para 2 DPA 2018	Children Act 1989
Education allocation and support	Article 6(1)(c) – Legal obligation	Article 9(2)(g) – Substantial public interest; Schedule 1, Part 2, para 6 DPA 2018	Education Act 1996
Employment and HR (for example payroll, recruitment)	Article 6(1)(b) – Contract	Article 9(2)(b) – Employment, social security and social protection law; Schedule 1, Part 1, para 1 DPA 2018	Employment Rights Act 1996
Safeguarding children and vulnerable adults	Article 6(1)(e) – Public task	Article 9(2)(g) – Substantial public interest; Schedule 1, Part 2, para 18 DPA 2018	Children Act 2004; Care Act 2014
Law enforcement and criminal offence data	Article 6(1)(e) – Public task	Article 10 – Criminal offence data; Section 35 DPA 2018	Police and Criminal Evidence Act 1984
Consent-based services (for example biometric login)	Article 6(1)(a) – Consent	Article 9(2)(a) – Explicit consent	N/A (consent-based)
Public health monitoring (for example COVID-19)	Article 6(1)(e) – Public task	Article 9(2)(i) – Public interest in public health	Public Health (Control of Disease) Act 1984
Research and archiving	Article 6(1)(e) – Public task	Article 9(2)(j) – Archiving, research and statistics; Schedule 1, Part 1, para 4 DPA 2018	Statistics and Registration Service Act 2007
Equality monitoring (for example ethnicity, disability)	Article 6(1)(c) – Legal obligation	Article 9(2)(g) – Substantial public interest; Schedule 1, Part 2, para 8 DPA 2018	Equality Act 2010
Electoral services	Article 6(1)(c) – Legal obligation	Article 9(2)(g) – Substantial public interest; Schedule 1, Part 2, para 6 DPA 2018	Representation of the People Act 1983

Mandatory breach notification

In certain circumstances organisations will have to tell the Information Commissioner Office about unauthorised disclosures of personal data as soon as they are discovered. If the disclosure has serious implications for any individuals, they will have to be informed as well.

Find out more about how we report data breaches.

Privacy by design

Organisations should design data protection into development of business processes, new systems and undertake data protection impact assessments (DPIAs).

Data protection officers

A designated post of data protection officer (DPO) is strategically responsible for GDPR.

Our DPO is Jane Lakin.

More background information is available in the GDPR guidance attached to this page.

Contact

email: access2info@derbyshire.gov.uk

Write to:

Data Protection Officer
Derbyshire County Council
Room B209
Legal Services
County Hall
Matlock
Derbyshire
DE4 3AG

Tell us what you think about this page