Introduction

The law on data protection changed in 2018. The old Data Protection Act 1998 was repealed and new laws came into force.  These are the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).  

The GDPR is the EU Regulation which applies across the whole of Europe. The UK has brought this into UK law through the DPA. This means that the new data protection rules will not be affected by Brexit. 

Personal Data

The new data protection laws made some changes to the way all organisations, including Camden, handle information about people.  The new law applies only to ‘personal data’.  

Find out more about personal data here and about the new laws on the Information Commissioner’s website.

Data protection officer

The council must have a named Data Protection Officer who is responsible for data protection matters and available to contact by members of the public.

Camden’s Data Protection Officer is Andrew Maughan, the Borough Solicitor who is the council’s most senior legal officer.  He can be contacted by email at dpo@camden.gov.uk

Alternatively use this form.

What rights does the new law give me and how do I exercise them?

The new laws gives people a number of rights about how the council can exercise their personal data.  The GDPR refers to these rights as ‘data subject rights’. You can find out about the GDPR rights at the ICO website.

The rights are summarised below.  If you want to exercise the rights please read the sections below and then complete the web form below, giving us as much information as possible about what you want us to do and why.  We will acknowledge your request within 2 working days and then contact you within 2 weeks if we need to ask for ID or to get more information from you.  

There is more information on these pages about each of the rights, how to exercise them and what conditions might apply.

These areas apply to every data subject right:  

  • All communications Camden Council sends you about the rights need to be in clear and plain language.
  • Identification:
    Camden Council must take all reasonable steps to make sure you are who you say you are.  This means that unless we are already sure of your identity, we will ask for one photo identification and one recent proof of address when you ask to exercise a right.   
  • Time limits:
    Once we have enough information to be sure of your identity and be clear what you are asking for, the DPA gives us one calendar month to respond to your request.  We can extend this time by 2 calendar months if the request is complex or you are exercising several of your data subject rights at once.  We will let you know within one month if this is the case.   We will also acknowledge your request within 2 working days so you know we have received it.  
  • Electronic information:
    If you have made your request by email or webform and given us an email address, we will assume that you are happy for us to reply to you and provide any information you have requested by email.    We will do this unless you ask for it by post.  We will send any personal information to you by secure email. If you ask for it to be sent by post we will send it special delivery so you will have to sign for it.  It is best for us to send information to you by secure email, it also uses less paper and you won’t have to wait at home for a delivery. 
  • Fee:
    There is no fee to exercise any of the data subject rights.  However, the GDPR says that if Camden Council decides that your request is ‘unfounded’ or ‘manifestly excessive’ it can charge a fee.  Unfounded means that there is no good reason to make the request.  Manifestly excessive means that the request is obviously  disproportionate or far too large to be reasonable.  The fee we will charge will take account of the costs to Camden in responding.   We will contact you before we charge a fee to discuss how you could change your request to stop it being unfounded or manifestly excessive.
  • Refusing requests:
    The GDPR allows the council to refuse your request if it is unfounded or manifestly excessive.  In most cases we will contact you before we refuse a request to discuss how you could change your request to stop it being refused.

How you can exercise any of the Data Subject Rights:

Before you contact us, you might find it helpful to read the information below which explains the rights in more detail, sets out some of the conditions that we must follow and the exemptions that may apply.  You can find more information on the ICO website.

These are the ways to contact us to exercise your data subject rights:

Complete our web form
Email the Data Protection Officer at dpo@camden.gov.uk
By post: 
Data Protection Officer 
London Borough of Camden 
Information and Records Management 
Judd Street 
London
WC1H 9JE

Please note: it is quicker for you to use the web form or email.
 

Right to be informed

Camden must tell you a number of things when we obtain personal data from you. The GDPR gives a list of information we must tell you when we get your information from a third party.  

Information we need to tell you is on our website in our Privacy Notice. We will usually also give you relevant information in a leaflet, in a consent form (where we use consent) or by referring you to a web page when we collect information from you.

The list of information is:

  • the identity of the data controller 
  • the contact for our Data Protection Officer: dpo@camden.gov.uk
  • the legal basis for the council to process your personal data, which is the list of conditions Camden Council meets for processing personal data, and where it is special category data also the list of conditions it meets for processing special category data.
  • the purposes (reasons why) we process the data, 
  • how long we keep it for, 
  • who we will share data with or disclose it to,
  • details about any personal data we transfer out of the EEA  
  • details of data subject rights (which links back to this page) and your rights to complain the regulator (the ICO)
  • if Camden is relying on a  legal obligation to provide data, we will detail the consequences of a failure to supply it  
  • where we receive personal data from third parties – people who aren’t you or the Council. The Privacy Notice explains who these are.

The full list and all the information we need to give you is on our website.

There are some exemptions to this, for example, where we are receiving information from a source to do with crime and disorder, we do not need to tell you.

Subject Access Requests

The DPA gives you the right to have a copy of your personal data.  This is generally known as a Subject Access Request (SAR).  

How to make an effective Subject Access Request

You do not need to specifically refer to the DPA or use the phrase ‘Subject Access Request’.  The most important thing is that we can identify you and what information you are asking for.

Everyone can make a written request to Camden for the information we hold about them.  You might want to have a copy of your housing file, or your social care records or your housing benefit file.  You can ask for all the information we hold about you or just for a small amount e.g. for particular documents or for a specific date range.  Please only ask for the information you need, to save time and allow us to be more efficient. 

The ICO recommend you include information such as:

  • your full name, address, and contact telephone number
  • any information that we use to identify you, such as a housing application number or any other unique identifiers
  • details of the specific information along with relevant dates, for example:
    • your housing benefit file
    • emails between ‘name’ and ‘name’ between 2/8/2016 and 06/01/2018 about your complaint
    • copies of statements (between 20010 and 2016) held in account number xxxxx

If you think it would help us locate the information, then an explanation of why you are seeking the information may be useful.  If you can tell us about a specific team or officer that you think will have the information this will help us to find the information.

If you need us to make any reasonable adjustments for you due to disability, such as using Braille or large print, please contact us to discuss this. 

Making a request on someone else’s behalf

If you are making a SAR for someone else we must be satisfied that you can act on their behalf.  This may mean that they have given you their consent or you have the authority to represent them such as Power of Attorney.  We will need to confirm the identity of the person you are representing and see evidence that you have been appointed to act on their behalf.   If relying on consent we will need to check they have given informed consent as we need to be sure the person you represent understands what is being requested and the consequences of the request.  We may contact the person to discuss this with them if appropriate.

Requests by parents or guardians about children

Parents often make SARs for information about their children.  However, the personal data belongs to the subject of the data even if they are children.  Children can have their own data when they are ‘competent’, which means the child can understand what it means to make a request and understand their rights.   When a child is competent Camden should respond to the child.

In England, the law does not give an age to say when a child can be assumed to understand their rights and make a SAR: it depends on the individual child. The new Data Protection Act gives age 13 for ‘information services’ and we have used this as our basis.  Where the child is aged 12 years or older we will normally contact them to confirm how we should go ahead.  We will consider the child’s level of maturity and any views they may have about the disclosure of the information.  In all requests made on behalf of children, Camden will carefully consider all the circumstances when deciding whether to respond directly to the parent or the child. 

Exemptions

We will remove (redact) information if one of the exemptions applies.  These exemptions include:

  • Third party information.  This is the most common exemption.  Third party information means information about other people i.e. not the data subject themselves.  We cannot refuse to disclose information just because it has come from a third party.  Camden will consider if it is fair to disclose the information or not.  Where the information is purely work related or already known to the data subject then it will be fair to release it.

We will disclose third party data with consent, or without consent if we consider it is reasonable to do so.  When considering if it is reasonable to disclose without consent we will take the following into account:

  • the type of information
  • what the data subject already knows
  • any duty of confidentiality to the third party
  • any steps we have taken to consider consent or the third party’s views
  • any express refusal of consent from the third party

The following will be disclosed without consent as there is an assumption in the law that this is reasonable:

  • names and so on of health professionals involved in the data subject’s care
  • names of children’s court officer
  • names and so on of social workers
  • names and so on of teachers and other education workers 
  • Legal advice where it is covered by legal professional privilege
  • For crime and taxation reasons.  An example is if the data subject is under investigation for benefit fraud, and giving them information is likely to make them destroy evidence or abscond we would be allowed to withhold the information.
  • References given by Camden where given them in confidence and for the purposes of an individual’s education, training, or employment or the provision of a service by them.
  • Management forecasts where disclosure is likely to prejudice the conduct of the business such as by causing unrest among staff.
  • Negotiations with the requestor where disclosure would prejudice negotiations with the requestor, for example, information showing what Camden would pay to settle a court case.
  • Health, social work or education records: when an appropriate professional tells Camden that release of the information in these records is likely to cause serious harm to the mental or physical health of the data subject or someone else, the information can be withheld.
  • Legal prohibitions – such as where a specific piece of law forbids disclosure under a Subject Access request. Examples include adoption records and reports, Special Educational Needs (SEN) statements and Parental Order records. 

Explaining the response

We must provide the information in a form that is understandable to the average person, so we must explain any technical terms, abbreviations, or codes that you would not be expected to know. We are not required to translate the information into other languages or offer explanations beyond those described above.

Right to erasure

You have the right to ask us to delete or remove (erase) your personal data where one of these applies:
  • the data is no longer necessary
  • it was processed with consent which has been withdrawn and there are no other legal grounds to keep it
  • you have made a successful objection to the processing – see the right to object
  • Camden’s data processing data was unlawful 
  • Camden has a lawful obligation to erase it
  • the data was processed online with parental consent

Please note Camden does not have to erase your information where one of these exemptions applies:

  • Camden needs to use it to comply with a legal obligation or for the performance of a public interest task or exercise of official authority.  For example, we must keep adoption records for a specific period, and there are statutory duties on the council such as safeguarding and council tax that require us to process personal data.  This means you cannot ask us to remove your personal data to stop us e.g. collecting council tax from you or from contacting you about child welfare matters etc.  
  • for public health purposes in the public interest such as dealing with pandemic flu.
  • where Camden needs to use the information in legal proceedings.  
  • where we are exercising artistic or journalistic freedom of expression.
  • where erasure would undermine archiving in the public interest or scientific or historical research. 

Right to rectification

You have the right to ask Camden to rectify or correct your personal data if what we hold is inaccurate or incomplete.  We must do this without undue delay, although the maximum time is still a month. See what rights does the new law give me and how do I exercise them?

 Please note Camden must only change facts that are wrong, things like your date of birth or marital status.  It does not have to change opinions that you feel are wrong such as a social worker’s professional opinion. However, you can ask us to add a statement to our records giving your point of view in these cases. 

Right to restrict processing

You have the right to ask Camden to mark your personal data, or parts of it, as restricted when you make an objection.  This will prevent us from processing it whilst we consider the objections.  You can ask for restriction in these cases:
  • you are disputing its accuracy – see right to rectification
  • Camden’s processing is unlawful, but you don’t want us to erase it, for example so you can pursue a complaint to the ICO
  • Camden is processing your data for public interest or legitimate interest reasons and you’ve objected to this – right to object
Please note there are some cases where we will not be able to or not have to comply with this request.  These include:
  • where there is public interest for example we need to comply with planning laws or the law relating to children’s welfare.
  • for the protection of others’ rights
  • where Camden needs to process the data for legal cases or legal advice and so on.

Data portability

You have the right to ask Camden to provide your personal data in a ‘structured commonly used and machine-readable format’ so you can take it to another data controller. This only applies to your personal data that you’ve given us actively and knowingly and when we’re processing based on contract or your consent. It only applies when the processing is done by automated means.  

Camden has undertaken a full audit of our processing and we do not carry out any processing of this type. 

Right to object

You have the right to object to Camden Council processing your personal data where we are processing your personal data:

  • based on consent
  • for direct marketing, including profiling  

If you object to us processing your personal data and the processing is based on consent or is for direct marketing, then you can withdraw your consent and ask us at any time to stop processing.  

Please note that Camden does very little processing based on consent as most of our processing is done because the law requires us to undertake functions such as planning, social services functions, council tax recovery and so on.  

Camden does not process your data for direct marketing at all. There are not many cases where you will be able to withdraw consent for processing.  

You also have the right to object to Camden Council processing your personal data where we are processing your personal data:

  • based on the performance of a task in the public interest/exercise of official authority (including profiling).  Please note that Camden does not undertake profiling
  • for purposes of scientific/historical research and statistics.

If you object and the processing is based on the performance of a task in the public interest/exercise of official authority or for the purposes of scientific/historical research and statistics, then Camden must stop processing the personal data.  However, there are two cases where we do not have to stop the processing:

  • where we can show compelling legitimate grounds for the processing that override the data subject’s interests, rights and freedoms. This would be in cases where we are undertaking work such as enforcement work in public safety or environmental health, safeguarding work etc. 
  • where Camden is processing the personal data for the establishment, exercise or defence of legal claims.  

Rights concerning automated decision making and profiling

You have rights around automated decision making and profiling.  These provide safeguards against the risk that automated decisions can sometimes cause damage.  Automated decisions are those taken without human intervention i.e. solely by a machine, for example where an application for credit is decided by a computer programme alone without any human decision making.  The rights do not apply to all automated decisions, but only where they have ‘a legal or similarly significant effect’ on someone.  

Where Camden have taken an automated decision then data subjects have the right to:

  • obtain human intervention
  • express their point of view
  • obtain an explanation of the decision
  • challenge the decision

Camden has undertaken a full information audit and has determined that it does not undertake automated decision making of this type.  Camden does not undertake profiling.

You can find out more about automated decision making, profiling and your rights at the ICO website.

Your right to complain to the Information Commissioner’s Office

We appreciate that these new rights might seem complicated.  You can find more information on the ICO website. If you need help please contact us via this web form and we will get in touch.

You have the right to complain to the Information Commissioner’s Office (ICO), the data protection regulator.  Details are on their website. However, before you contact them, you might wish to email Camden’s Data Protection Officer and explain why you are dissatisfied as we may be able to solve your problem without you contacting the ICO. The Data Protection Officer will review your request and respond to you within 10 working days.

What is personal data?

Personal data is information that allows a living person to be identified from that information, or a combination of information that is held by the council. Examples of personal data are names and addresses, reference numbers and photographs. Personal data can also be information that allows people to be identified in a less direct way than their name or address. It can include social services’ case numbers such as MOSAIC references, or combinations of information the council holds, such as details of a complaint made about a neighbour combined with council tax information. The person has to be indefinable from the information, so for example information that just described a 50 year old male living on the Chalcots estate would not be personal data because it would not allow the exact  person to be identified. 

Personal data also includes ‘pseudonymised data’. This is where the council has taken out names and other identifiers and replaced them with a key (eg a number). As you cannot see who the information is about unless you have the key for the code, the information is partly anonymised, which is called pseudonymised. If it is easy to use the key to work out who the references apply to, then this information is considered to be personal data.  

‘Special Categories of Personal Data’

There is a sub-category of personal data which covers more sensitive information. This was called ‘sensitive personal data’ in the old Data Protection Act 1998. The council needs to comply with more safeguards when processing special personal data – see below.

Special category personal data is personal data that reveals:

  • racial or ethnic origin, 
  • political opinions, 
  • religious or philosophical beliefs, 
  • trade union membership, 
  • or is about their health, sex life or sexual orientation.  
  • It also includes their genetic and biometric data. Biometric data includes areas like thumb prints which some school use for students to pay for school meals. 

Camden’s commitments under Data Protection laws

The council will comply with all of these, which means it will ensure that personal data is: 

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Data Protection Act in order to safeguard the rights and freedoms of individuals
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The council will demonstrate its compliance with these principles.  We do this by our Privacy Notice.

Camden’s commitments to processing personal data lawfully

Camden will determine its lawful basis for processing personal information and ensure this is adequately recorded.

There are a number of ways that processing can be lawful. Consent is one method but it is important to know that consent is not always required. The council can lawfully process personal data if one condition below is met, even if this is not consent. For example, the council would be unlikely to collect council tax arrears if residents could withdraw their consent for processing their data for this.  

The council must meet one of the conditions in the first list to process personal data lawfully. If it is special category personal data the council must also meet a condition from the second list.

Lawfulness of processing conditions 

The council needs to meet one of these conditions.  If consent is not obtained it can still lawfully process the data if a different condition applies. These are set out in the Data Protection Act 2018 and they are:

  • consent of the data subject
  • processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • processing is necessary for compliance with a legal obligation
  • processing is  necessary to protect the vital interests of a data subject or another person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Conditions for special categories of data

If the data is special personal data, then, as well as one of the conditions above, the council also needs to meet a second condition. Like personal data, consent is not needed if a different condition is met.

  • explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
  • processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
  • processing is  necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
  • processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
  • processing relates to personal data manifestly made public by the data subject
  • processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
  • processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
  • processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
  • processing is  necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
  • processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)

Guidance for Organisations Requesting Disclosure of Personal Information under GDPR 2018

Purpose of the guidance sheet

This guidance sheet is designed to give you background information on how to make a formal request for information under Disclosure. The information you provide will allow Camden Council to respond to your request. Based on the grounds for applying the exemption, it allows Camden Council to make an informed decision concerning the release of the information.

Please note

  • Failure to complete the DPA 2018 form fully is likely to delay the process of obtaining the information.
  • The final decision to release the requested information is held by Camden Council.

Background information

Organisations that have a crime prevention, law enforcement, or tax or duty collection function may require personal information held by Camden Council to prevent or detect a crime, apprehend or prosecute an offender, or for taxation/benefit purposes. If you are an individual you (or your lawyer) may need to request personal data about someone else to get legal advice or to help in legal proceedings. These are called disclosure requests. The decision about releasing is the council’s, we’re not obliged to disclose information made under these requests.

Who can request for information

  • The Police
  • HM Revenue and Customs
  • Child Support Agency
  • Health and Safety Executives
  • Official Receiver
  • Solicitors or another acting on your client’s behalf
  • Solicitor acting on your client’s behalf but asking for another’s data
  • Other Local Authorities or Public Bodies acting under authorized powers

How to make a request

You will need to complete a Request form. For the purposes of detection of crime and taxation you would need to complete Data Protection Act 2018 Schedule 2, Part 1 2(1) form. For request of personal data required by law/court order or necessary for legal proceedings you need to complete the Data Protection Act 2018 Schedule 2, Part 1 5(3) form.

Form download for Schedule 2,Part 1 2(1) request for personal data under Data Protection Act 2018 crime and taxation.

Form download for Schedule 2, Part 1 5(3) request for personal data under Data Protection Act 2018 required by law/court order or necessary for legal proceedings.

Section 1

  • Please provide your name, organisation, address, job title. Please include your telephone number and a secure e-mail address to allow us contact you securely. If you don’t have one we will use Egress and explain how you can access the reply. 

Section 2.

  • Please provide specific details of the information you require to avoid delay to your request being processed.

Section 3

  • A concise reason/s why disclosure is required should be ticked with full details provided.

Section 4

  • Remember to sign and date your form. For request for personal data under Schedule 2, Part 1 2(1) you would need a senior officer or manager to sign the form with their name and job title

All completed form should be forwarded to disclosurerequests@camden.gov.uk. You can send all enquiries you have to the same e-mail address. Secure e-mail address: disclosurerequests@camden.gov.uk.cjsm.net or disclosurerequests@camden.gcsx.gov.uk

Data Protection Impact Assessments (DPIAs)

A data protection impact assessment (DPIA) is a process to identify privacy risks to individuals in the collection, use, storing, and disclosure of information. This allows Camden to identify problems so that risks can be removed or reduced to acceptable levels.

The DPIA helps ensure that systems and projects comply with the GDPR/Data Protection Act 2018. It also reduces privacy breaches and complaints which can damage the Council’s reputation or enforcement action against it by the Information Commissioner (the regulator).

There is a legal requirement to complete one where processing data could be ‘likely to result in a high risk’. Examples include:

  • Using systematic and extensive data profiling with significant effects;
  • Processing special category (see here) or criminal offence data on a large scale;
  • Systematically monitoring publicly accessible places on a large scale;
  • Using new technology where this is likely to cause a high risk to the rights and freedoms of individuals

Key points:

  • Even where no high risks are identified DPIAs are useful tools for major projects involving processing personal data
  • It does not have to mitigate all risks but should help identify any remaining ones and determine if they are justified
  • Should be reviewed regularly

More information: Further information is available on the Information Commissioner’s website (see here)

If you have any questions about any of the DPIAs we have published please contact our Data Protection officer Andrew Maughan at DPO@camden.gov.uk