Data protection and freedom of information

The Council is still aiming to process all subject access requests for personal data within the time limits laid down under the General Data Protection Regulation (GDPR).

As regards requests for information under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004, we have a statutory responsibility to provide the information that any third party has requested within 20 working days. However, with the current outbreak of Covid-19 in the UK, we understand from the Information Commissioner’s Office that these deadlines have been suspended.

As a Council, our first priority is the public. To maintain our service to them, our workforce must be prepared to be as flexible as possible, meaning that some officers may be diverted away from certain tasks to temporarily work outside their normal roles and responsibilities during this extraordinary period.

Please be assured we are doing all we can and will provide the information you have requested. Many thanks for your patience in these understandable delays during this pandemic.

Data protection in the UK is governed by two main areas of law: (1) the General Data Protection Regulation (GDPR), which is a piece of EU legislation, and (2) the Data Protection Act 2018 (DPA) which implements the GDPR into local law, and contains some additional provisions not contained within the GDPR. The DPA also deals with areas which allow Member States a degree of flexibility in applying some of the provisions of the GDPR.

The GDPR has been enacted in UK law after Exit Day, under section 3 of the European Union (Withdrawal) Act 2018. Although some changes to the legislation are unavoidable, since the UK will effectively become a “third country” for the purposes of personal data transfers to and from the EU, the general principles of a high standard of data protection will remain.

The GDPR and DPA place duties on organisations, such as local councils, in relation to how they collect, process, store and disclose information about individuals. The GDPR and DPA also provide people (data subjects) with rights of access to information held about themselves. Data protection legislation has core principles which must be adopted when managing personal data. Personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”).
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”).
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (“storage limitation”).
  6. Processed in a manner ensuring appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

We only collect and share personal information about you so we can provide the services you need. We use many kinds of personal information to enable us to deliver our services. We don’t use all data in the same way. Some of it is useful for monitoring and improving our services, or for providing services to you. But some of it is private and sensitive and we treat it accordingly. For more detail please read our Privacy Notice.

As a data subject you have the following rights:

  • The right to be informed – you have the right to be given information about how your data is being processed, who we are sharing it with, for what purpose and how long we will keep it.
  • The right of access – you have the right to see or have a copy of your personal data.  If providing you with a copy of your personal data would adversely affect the rights and freedoms of others, an extract or summary of the information may be provided instead.
  • The right to rectification – you have the right to request that your personal data is updated if it is inaccurate or incomplete.
  • The right to erasure (“the right to be forgotten”) – you have the right to request that your personal data is removed to prevent processing in certain circumstances. Processing means the carrying out of operations on data, especially by a computer, to retrieve, transform, or classify information.
  • The right to restrict processing – you have the right to block or stop processing of your personal data.
  • The right to data portability – you have the right, when requested, to be provided with your personal data in a structured, commonly used and machine-readable format, such as a PDF attachment sent via email.
  • The right to object – you have the right to object to processing of your personal data in certain circumstances, for example, you can always stop your data being used for direct marketing.

There are two main areas in which individuals can access information. These are a Data Subject Access Request (“DSAR”) and a Freedom of Information Request (“FOI”). These are explained below. The main difference is that a DSAR relates to an individual requesting information that the Council holds about him/herself, whereas under an FOI request an individual is requesting all the information the Council holds about a particular issue/policy/subject, rather than personal information about the applicant.

Data protection legislation allows you, the data subject, to gain access to any of your personal information held by us.

You can request copies of your information by contacting us in a variety of ways including verbally, in writing or by social media. You can also use our Subject Access Request Form. When you make a request, we will ask for a copy of your ID to check we are sending your personal data to the correct person. We may ask for one of the following forms of photo ID and a proof of address:

  • Passport.
  • Driving licence.
  • Tenancy Agreement.

Once your identity has been verified, we will look at your request and locate your data. We have one calendar month to respond to your request. We may contact you to request additional information to help us find your information. For example, if you ask for all of the information we hold about you, we may ask you which departments you have dealt with. If you decline to provide further information, we may not be able to provide a full response within the one calendar month deadline.

Once you receive your information, you may find certain data has been removed. When we are processing your request, we may need to remove data if:

  • The data is about someone else.
  • By releasing the data, it will cause serious harm to your or someone else’s physical or mental wellbeing.
  • We think giving you the information may stop us from preventing or detecting a crime.

If we have removed any of the data, we will tell you why. We will also tell you:

  • Where we received your data from.
  • Why we are processing your data.
  • How long we will store your data, and how we make this decision.
  • The types of data we are processing.
  • Who we are sharing your data with and why.
  • About your rights to challenge the accuracy of your data, to have it deleted, or to object to its use.
  • About your right to complain to the Information Commissioner’s Office.

Normally, we won’t share your data with any other person. In some situations, you may want someone else to make a subject access request on your behalf. When we receive the request, we will need to see evidence you have given permission for them to do this. This can be done by a signed letter attached to the request. If we are concerned, we may contact you to check you are happy for the release or we may refuse the request in full.

To find out more about the personal information we hold, and how we process this data, please visit Data Protection and Freedom of Information. We have registered our use of personal information at the Information Commissioner’s Office. The Information Commissioner’s Office oversees the Act. If you would like further information about data protection, please contact the Information Commissioner or contact customer services.

The Freedom of Information Act 2000 (“FOIA”) provides public access to information held by public authorities. It does this in two ways:

1. Public authorities are obliged to publish certain information about their activities.

2. Members of the public are entitled to request information from public authorities.

The FOIA covers any recorded information held by a public authority, which includes local/district councils. Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. The FOIA does not cover environmental information, such as water and air-quality reports. Requests for environmental information are dealt with under the Environmental Information Regulations 2004.

The FOIA assumes all government information, including information held by local councils, will be made available unless there is a reason not to do so. For example, the Council is not obliged to provide information it does not already hold.

To make an FOI request, please complete our freedom of information form or e-mail your freedom of information request. Please give us as much information as possible, including:

  • Your full name.
  • An address we can respond to (this can be email or postal).
  • The information you seek, including time periods where applicable.

We can accept a request by social media, such as Twitter, provided it meets the above requirements, but we will only respond via letter or e-mail, to ensure we can provide a detailed response.

We must provide any information requested within 20 working days. In cases where this may not be possible, or there may be a delay, we will discuss how your request can be met. If the request requires exceptional effort, you may be asked to pay the costs of meeting your requirement.

Information currently available from the Council under existing arrangements, such as Land Charges enquiries, is not affected by the FOIA. To find out more, please visit www.foi.gov.uk.

Councils have to maintain a Publication Scheme, setting out the type of information they hold, how the information is published and if a charge is made for the information. This means a significant amount of information is available that doesn’t need to be specifically requested. Councils are also required to publish a Record Retention Scheme which sets out how long records are held for.

We know how important keeping your personal data secure and safe is. It's very important to us too. We only collect and keep personal information about you so we can provide the services you need, to help us keep details about those services and our contact with you. We will only share your personal data to help us provide services.  

Please read our privacy notice.
Electoral Services privacy notice.

Website terms and conditions.

A cookie is a small text file a web page server places on the hard drive of every computer that visits its website. The cookie carries an identification code to enable the server to recognise returning users. The cookie may also store a record of which information the user has submitted to that website, such as personal details or personalised settings. The server can then reuse this information to prevent users having to re-enter information. We encourage you to accept the cookies our website uses as they help us to improve the user experience for you and many others.

For further information on cookies:

What cookies does our site use?

What happens if I say “no” to allowing cookies in my browser?

What is the impact on our website?

How do I delete cookies?

What is an IP address?

Key definitions used within the data protection legislation are as follows:

  • Data controller - the person or organisation that determines what personal data is used for and how it is processed. Tandridge District Council is a data controller.
  • Data processor - a person or organisation which processes personal data on behalf of the data controller but does not decide how the data is used.
  • Data subject - an individual who is the subject of the personal data.
  • Personal data - any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing - processing includes all actions in relation to personal data such as collecting, recording, holding, organising, adapting, altering, retrieving, consulting, using, disclosing, storing, erasing, destroying, blocking and disseminating.
  • Special category data - special category data is personal data relating to:
    • racial or ethnic origin; or
    • political opinions; or
    • religious or philosophical beliefs; or
    • trade union membership; or
    • genetic data, biometric data for the purposes of uniquely identifying a natural person; or
    • data concerning health; or
    • data concerning a natural person’s sex life or sexual orientation.

The Council is required to take extra care in relation to special category data.