The General Data Protection Regulation (GDPR) is a European regulation which came into force on 25 May 2018, and replaces the current Data Protection Act 1998.
The Council processes a large amount of personal data, and is committed to using it fairly and keeping it safe. This will not change under the new regulation, and information about its information governance can be found below, to provide assurance to both customers and suppliers.
General Data Protection Regulation (GDPR) - Frequently asked questions
What actions are being taken to prepare for General Data Protection Regulation (GDPR)?
The Council’s General Data Protection Regulation (GDPR) preparations form part of its annual information governance action plan, which is overseen by its Information Governance Board. The action plan is implemented at a local level by the service areas.
What will be my new rights under the GDPR?
- The right of access - You have the right to obtain confirmation that your data is being processed, as well as access your personal information. Further info can be found at Subject Access Requests.
- The right to rectification - You have the right to have inaccurate personal data rectified, or completed if it is incomplete.
- The right to erasure - You have the right to have all your data erased, also known as the 'right to be forgotten'.
- The right to restrict processing - You have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances.
- The right to data portability - You have the right to obtain and reuse your personal data for any purpose of your own across different services.
- The right to object - You have the right to object to processing in some circumstances. The processing must stop unless there are legitimate grounds that override your rights, interests or freedoms, or the processing has been done in regard to a legal claim.
For further information please go to the Information Commissioner's Office website.
What technical and organisational security measures do you have in place to protect personal data?
The technical security measures will differ between service areas, depending on the nature of the information being processed, but the Council has an information governance structure in place to ensure privacy risks are identified and addressed.
The Council also has a suite of information governance policies in place that staff are required to adhere to. These policies cover information security, records management, and the access and use of information.
What policies and procedures do you have in place to protect personal data?
Southampton City Council has an Information Governance and Risk Framework in place. This includes policies on Information Security, Records Management, and Information Access and Use. If you require further information on the individual policies, or would like copies of these, please contact: firstname.lastname@example.org
How secure are Southampton City Council’s systems?
The General Data Protection Regulation (GDPR) requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used, and the Council’s handling of its data will satisfy this requirement.
What legal basis does Southampton City Council have for the processing of data?
As a local authority, in nearly all matters the legal basis for processing data will be that it is necessary to perform its statutory duties, or to ‘carry out a public task’.
In certain circumstances, consent may be required, but the Council will ensure that it is always obtained by an affirmative action, in compliance with the General Data Protection Regulation (GDPR). Where consent is relied on, the individuals will be given control and choice over the data.
If the processing is not being carried out as part of its statutory duties, Southampton City Council may still be able to process the information if it’s in their ‘legitimate interests’ to do so. Before doing so, we will be satisfied that there is a genuine and legitimate reason to rely on this, and the processing won’t adversely affect the individuals.
Will my data be shared with any third parties?
There may be occasions where your personal data is shared with other organisations, but the Council will only do so if it is necessary as part of providing its services.
A list of the types of organisations we may share your data with can be found on its Information Commissioner’s Office (ICO) registration, but it will depend on the service being provided.
If the Council engages another organisation to process personal data on its behalf, it will be satisfied that it has the necessary technical and organisational measures to keep the data safe before doing so.
Will the processing be governed by a contract?
Yes, all processing will either be governed by a contract or other legal act. The contract will be compliant with the requirements under the General Data Protection Regulation (GDPR).
Will Southampton City Council staff keep the data safe?
The Council will ensure that any person authorised to process the personal data has committed themselves to confidentiality or is under an obligation of confidentiality.
What happens to the data once the agreement is expired?
For information on how long the Council keeps information, please see its retention schedule.
Does Southampton City Council have any information management accreditation?
The Council does not have any official accreditation; however, we were audited by the Information Commissioner's Office (ICO) in 2016. More information about the audit can be found on their website. With regard to its information held in respect of social care, the council’s latest IG Toolkit return can be viewed on NHS Digital's website.
How does Southampton City Council send information securely?
Council staff follow guidance on appropriate technical measures to use when sending different types of information securely.
How does GDPR affect the e-alerts that you send out via your Stay Connected messaging system?
The recipients of some of our e-alerts will be receiving re-engagement e-mails asking them to confirm that they still wish to receive the e-bulletins they have expressed an interest in. If you receive one of these e-mails, and you still want the e-alert sent to you, you just need to click on the ‘Yes’ button in the e-mail and you’ll continue to receive them. It’s that simple. If you don’t wish to receive them then just log in to your Stay Connected account and you can manage which e-bulletins you receive. Anyone who has received a re-engagement e-mail from us and doesn’t take any action by the 25 May will have their account deleted.