Data Protection Policy

7.1      The UK GDPR and DPA 2018 enshrine a number of personal information rights for subjects. A subject may exercise their rights through any organisation that processes their personal information and they may submit this request in any format, including verbally.

7.2      The Council will request that subjects direct their requests to exercise their personal information rights through the dataprotection@welhat.gov.uk in writing. If a subject would prefer to verbally submit their request, the Council will provide written correspondence outlining our understanding of the submitted request in the acknowledgement.

7.3      To engage with these rights a subject must provide proof of identity for security purposes. The Council will accept various documentation as proof of identity; however, the Council will not accept work IDs or informal correspondence. All documents must be issued by a recognised organisation and/or be official government documentation. In a majority of circumstances, the Council will request photographic ID and a household bill with the subject’s name and address that has been issued in the last 3 months

7.4      The Council will acknowledge all requests within 5 working days of receipt.

7.5      The Council will provide a response to a request within 1 calendar month of receiving the request and confirming the identity of the requester. The Council reserves the right to apply an extension of up to 2 additional calendar months in circumstances where third parties are involved or the request is of a complex and/or voluminous nature.

7.6      All rights are subject to the lawful basis for processing and any relevant exemptions, and in some circumstances the Council will be unable to comply with a request

7.7      If you are unhappy with the handling of your request or you believe your personal information rights have been infringed by the Council, please refer to the Information Governance Appeal Procedure

7.8      For further guidance on personal information rights, please refer to the ICO’s personal information rights guidance.

The right to be informed

7.9      Subjects have the right to be notified that their personal information is being processed and to have an expectation of their rights as set out in a privacy notice statement. For further information on privacy notice statements, please see section 5.7 – 5.9.

The right to access

7.10   Subjects have the right to request their personal information in the form of a subject access request. For further information on subject access requests, please see our information request policy and Information Governance Appeal Procedure.

The right to rectification

7.11   Subjects have the right to request for inaccurate and/or outdated information to be updated/corrected. To submit this request, subjects should specify what information they believe is inaccurate or outdated.

The right to erasure

7.12   Subjects have the right to request for their personal information to be deleted.

The right to restrict processing

7.13   An individual may request that their personal information not be processed for a temporary period if they believe that their information has been processed incorrectly or inaccurately. This may include processing such as using the information to deliver a service, deleting data, or temporarily removing the data from publicly accessible or internal information stores. The usage of this request may result in personal information being erased, amended, or for processing to restart.

The right to data portability

7.14   A subject may request for their personal information to be provided in an accessible format and/or transferred to a third party or a different service area in the Council. Only information provided by the subject directly or collated from the subject’s activities (e.g. website usage) is within scope of this right.

The right to object

7.15   A subject may request for their personal information to no longer be processed for a specific purpose. Personal information will not always be deleted when this request is raised if it is used for multiple purposes.

Rights related to automated processing

7.16    Subjects have the right to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning or affecting them. In circumstances where automated processing that has a legal effect on a subject is taking place, the Council must meet the requirements set out by legislation and ICO guidance, including allowing an individual to request for a human to review and/or appeal the outcome of processing

The right to complain

7.17   The Data Use (and Access) Act 2025 has enshrined the right for subjects to complain where they believe their information has been processed inappropriately, a data breach has harmfully impacted them, or they are unhappy with the handling of their personal information right request. For further information on how to raise a complaint in relation to data protection, please refer to the Information Governance Appeal Procedure.