Data protection and freedom of information

Data protection in the UK is governed by two areas of law:

  1. The General Data Protection Regulation (GDPR), which is EU legislation.
  2. The Data Protection Act 2018 (DPA), which implements the GDPR into local law and contains some additional provisions not contained within the GDPR. The DPA also deals with areas which allow member states a degree of flexibility in applying some of the provisions of the GDPR.

Following the UK's exit from the EU, the general principles of a high standard of data protection remain. There may be some changes to the legislation as the UK is a “third country” for the purposes of personal data transfers to and from the EU.

The GDPR and DPA place duties on organisations, such as local councils, in relation to how they collect, process, store and disclose information about individuals. The GDPR and DPA also provide people (data subjects) with rights of access to information held about themselves. Data protection legislation has core principles which must be adopted when managing personal data. Personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (storage limitation).
  6. Processed in a manner ensuring appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

We know how important keeping your personal data secure and safe is. It's very important to us too. We only collect and keep personal information about you so we can provide the services you need, to help us keep details about those services and our contact with you. We will only share your personal data to help us provide services.  

We don’t use all data in the same way. Some of it is useful for monitoring and improving our services, or for providing services to you. But some of it is private and sensitive and we treat it accordingly. 

You can find more information about what data we process and use below. 

As a data subject you have the following rights:

  • The right to be informed – you have the right to be given information about how your data is being processed, who we are sharing it with, for what purpose and how long we will keep it.
  • The right of access – you have the right to see or have a copy of your personal data. If providing you with a copy of your personal data would adversely affect the rights and freedoms of others, an extract or summary of the information may be provided instead.
  • The right to rectification – you have the right to request that your personal data is updated if it is inaccurate or incomplete.
  • The right to erasure (the right to be forgotten) – you have the right to request that your personal data is removed to prevent processing in certain circumstances. Processing means the carrying out of operations on data, especially by a computer, to retrieve, transform, or classify information.
  • The right to restrict processing – you have the right to block or stop processing of your personal data.
  • The right to data portability – you have the right, when requested, to be provided with your personal data in a structured, commonly used and machine-readable format, such as a PDF attachment sent via email.
  • The right to object – you have the right to object to processing of your personal data in certain circumstances, for example, you can always stop your data being used for direct marketing.

There are two main areas in which individuals can access information. These are a Data Subject Access Request (DSAR) and a Freedom of Information Request (FOI).

These are explained below, but the main difference is that a DSAR relates to an individual requesting information the Council holds about them, whereas under an FOI request an individual is requesting all the information the Council holds about a particular issue, policy or subject, rather than personal information about the applicant.

Data protection legislation allows you, the data subject, to gain access to any of your personal information held by us.

You can request copies of your information by contacting us in a variety of ways including verbally, in writing or by social media. You can also use our Subject Access Request form. When you make a request, we will ask for a copy of your ID to check we are sending your personal data to the correct person. We may ask for one of the following forms of photo ID and a proof of address:

  • Passport.
  • Driving licence.
  • Tenancy Agreement.

Once your identity has been verified, we will look at your request and locate your data. We have one calendar month to respond to your request. We may contact you to request additional information to help us find your information. For example, if you ask for all of the information we hold about you, we may ask you which departments you have dealt with. If you decline to provide further information, we may not be able to provide a full response within the one calendar month deadline.

Once you receive your information, you may find certain data has been removed. When we are processing your request, we may need to remove data if:

  • The data is about someone else.
  • Releasing the data will cause serious harm to your or someone else’s physical or mental wellbeing.
  • We think giving you the information may stop us from preventing or detecting a crime.

If we have removed any of the data, we will tell you why. We will also tell you:

  • Where we received your data from.
  • Why we are processing your data.
  • How long we will store your data, and how we make this decision.
  • The types of data we are processing.
  • Who we are sharing your data with and why.
  • About your rights to challenge the accuracy of your data, to have it deleted, or to object to its use.
  • About your right to complain to the Information Commissioner’s Office.

Normally, we won’t share your data with any other person. In some situations, you may want someone else to make a subject access request on your behalf. When we receive the request, we will need to see evidence you have given permission for them to do this. This can be done by a signed letter attached to the request. If we are concerned, we may contact you to check you are happy for the release or we may refuse the request in full.

To find out more about the personal information we hold, and how we process this data, please visit Data Protection and Freedom of Information. We have registered our use of personal information at the Information Commissioner’s Office. The Information Commissioner’s Office oversees the Act. If you would like further information about data protection, please contact the Information Commissioner or contact customer services.

The Freedom of Information Act 2000 (FOIA) provides public access to information held by public bodies. It does this in two ways:

1. Public bodies are obliged to publish certain information about their activities.

2. The public is entitled to request information from public bodies.

The FOIA covers any recorded information held by a public authority, which includes councils. Recorded information includes printed documents, computer files, letters, emails, photographs and sound or video recordings. The FOIA does not cover environmental information, such as water and air-quality reports. Requests for environmental information are dealt with under the Environmental Information Regulations 2004 (EIR).

The FOIA assumes all government information, including information held by local councils, will be made available unless there is a reason not to do so. For example, the Council is not obliged to provide information it does not already hold.

To make an FOI request, please complete our freedom of information form or e-mail your freedom of information request.

To make a request for environmental information under the Environmental Information Regulations 2004, please complete our EIR request form or e-mail your EIR request.

If you’re not sure whether your request is an FOI or EIR, please complete the freedom of information request form.

Please give us as much information as possible, including:

  • Your full name.
  • An address we can respond to (this can be e-mail or postal).
  • The information you seek, including time periods where applicable.

We can accept a request by social media, such as Twitter, as long as it meets the above requirements, but we will only respond via letter or e-mail, to ensure we can provide a detailed response.

We must provide any information requested within 20 working days. In cases where this may not be possible, or there may be a delay, we will discuss how your request can be met. If the request requires exceptional effort, you may be asked to pay the costs of meeting your requirement.

Information currently available from the Council under existing arrangements, such as Land Charges enquiries, is not affected by the FOIA. To find out more, please visit

Councils have to maintain a Publication Scheme, setting out the type of information they hold, how the information is published and if a charge is made for the information. This means a lot of information is available that doesn’t need to be specifically requested. Councils are also required to publish a Record Retention Scheme which sets out how long records are held for.

Key definitions used in the data protection legislation are:

  • Data controller - the person or organisation that determines what personal data is used for and how it is processed. Tandridge District Council is a data controller.
  • Data processor - a person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used.
  • Data subject - an individual who is the subject of the personal data.
  • Personal data - any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing - processing includes all actions in relation to personal data such as collecting, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, storing, erasing, destroying, blocking and disseminating.
  • Special category data - special category data is personal data relating to:
    • Racial or ethnic origin.
    • Political opinions.
    • Religious or philosophical beliefs.
    • Trade union membership.
    • Genetic data, biometric data for the purposes of uniquely identifying a natural person.
    • Data concerning health.
    • Data concerning a person’s sex life or sexual orientation.

We are required to take extra care in relation to special category data.

We have a duty to keep personal data safe and prevent anyone seeing it who is not authorised to. If this does happen, it means there has been a data breach. All breaches must be recorded by us and any serious breaches reported to the Information Commissioner’s Office, which is the UK's data protection regulator.

Although there is no obligation to publish details about data breaches, in the table below we are publishing quarterly data breach statistics.

For the period October 2023 to March 2024 there have been no data breaches.