Toggle menu
  1. Accessibility
  2. Cymraeg

Website upgrade on Tuesday 23 June

What we are doing to upgrade our website to improve accessibility and security for customers.
Data protection and freedom of information
CCTV use
Data protection
Freedom of information
Publication scheme
Open data
Search FOI requests and responses​​

Data protection

General Data Protection Regulation (GDPR) is the new legal framework in the EU which came into force on 25 May 2018. There will also be a new Data Protection Act, which is currently going through Parliament.

This new Act will add to the GDPR and provide new rights to individuals concerning their personal data. They are not in force yet so this page is to provide information in advance of the law changing.

Some departments of the council need to have their own specific privacy policy due to the nature of the services they deliver.

Data Protection Officer

Under the new law, the Council must have a named Data Protection Officer who is responsible to data protection matters. Cardiff Councils Data Protection officer can be contacted by email at [email protected].

 

What does the new law mean for me?

The General Data Protection Regulation and new Data Protection Act provide individuals with enhanced rights in relation to how the Council uses your personal data. You can find out about the GDPR rights on the ICO website.

You will have the right to know how the data has been processed and make requests, in certain circumstances.

 

Why do we keep personal information?

So that we can provide you with the services you require, collect Council tax, collect rent, calculate housing benefit etc. and maintain a record of the services provided. Further information can be found in our Privacy notice.

 

Does the Council need your consent to use information about you for any of these purposes?

We will normally obtain your consent only if we are going to process data about you for purposes other than those we are required to provide by law. Occasionally the law will allow us to do this without your consent if it is reasonable and will not cause you any prejudice, but even then the requirement of fairness means we will take reasonable steps to tell you what we are doing.

All our application forms and requests for information explain why we require the information. They explain how and for what other lawful purposes your information may be used which do not require your explicit consent. When the Council collects personal data it should say how this data may be used and kept. This information is what we call a Fair Processing Disclaimer. In some cases you may be given the option of opting in or out of the Council processing information for other purposes - where this is the case this will be explained on the Fair Processing Disclaimer.

 

What are your rights?

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

 

The right to be informed / access

Under the new law, like now, everyone can make a written request to the council for the information we hold about them. When asking to see your records:

  • Try to include as much details about the information you need
  • Tell us of any service(s) you are receiving and any other information (e.g. rent or Council tax number)
  • This will help us to be more efficient in finding your information.

 

Is there a cost to access my information?

When the new law comes into force, there will be no fee.

 

How long will my request take?

Once we have a valid request, we will have a month to provide the information requested which we can extend in some circumstances. We will be allowed (as we are now) to remove (redact) information, for example, legal advice or information about other people.

 

How do I make a request to access my information?

You can request to access your information online. You can also request access to your information by completing the relevant form and sending it by post to: The Data Protection Officer Information Governance County Hall Atlantic Wharf Cardiff

If you call at any of the Council's offices, you will be given a copy of the 'Individuals Rights Form'. Help is available with filling in this form should you need it.

The request form will also be sent to you if you have not provided the Council with enough detail and we will ask that you fill this in to help identify where we may hold your information.

 

How do we know that you are the person referred to in the Request?

Before any information which may be held can be released we require proof of an individual's identity therefore you need to provide us with:

  • A clear copy of a recent bank statement, or a utility bill, (within the last three months), and
  • A clear copy of valid Photographic ID - i.e. Passport, Drivers Licence.

 

Can somebody make a request for information on my behalf?

If you would prefer for somebody else to act on your behalf then we are happy to process this request.

Please complete the Individual Rights - Third Party Form

If you have a legal authority such as Power of Attorney we will require proof of this authority before being able to deal with the request.

However if you are a solicitor/insurance company acting on behalf of a client please complete the Individual Rights - Third Party Form and follow the instructions outlined on there.

 

What information will you receive?

Unless we are entitled to withhold it, you will receive all of the information you have requested which the Council holds about you on both its computer and manual records. We will also provide a description of the purposes for which we process your data together with a list of others to whom it is disclosed and information about sources.

 

What information may be withheld?

In some very rare circumstances the Council may not be able to comply with your request in full as there are exemptions within the act. If this is the case you will be given a full explanation. You should also be aware that some types of information we hold, which may identify you, may not be covered by the act. For example, if you lodge an objection to a planning application, although we may have your name and address on the objection, this is not necessarily 'personal data' as the objection is about the planning application, not about you. Although in principle you are entitled to have access to all the personal data held on you there are a few exceptions. In particular personal data may be withheld if:

  • It might prejudice the prevention and detection of crime, the prosecution or apprehension of offenders or the assessment or collection of any tax or duty to provide a copy.
  • The data could identify other people who have not consented to the disclosure of their data and where, on balance, it appears wrong to provide it.
  • The disclosure of the data might cause harm or distress to you or another individual.
  • The data consists of information between client and legal adviser (legal professional privilege).

 

How will you be given the information?

You will be given a copy to keep and check for accuracy. This will either be a printout from the computer or a photocopy of your manual records.

 

What is the right to rectification and what do you do if your information is incorrect?

After 25 May 2018, you will have the right to make changes to inaccurate data. You can do this in the same way as the access request by completing and submitting our web form or if you'd prefer you can print the relevant form and send it in the post to:

The Data Protection Officer
Information Governance
County Hall
Atlantic Wharf
Cardiff
CF10 4UW

If the Council does not agree that the information is incorrect you can ask us to record your disagreement on your records. You can also appeal to the Information Commissioner or the Courts if the Council does not correct the information.

 

How do I exercise my Individual Right to rectify / Erase / Object or Restrict the Processing of my Personal Data?

If we are relying on consent to process your data, you can request to withdraw consent or restrict/object to some elements of the processing. The council does not rely on consent on most cases because it has legal requirements to do certain tasks. For example, processing planning applications, collecting council tax payments and social work tasks are based on legal requirements, not on consent.

Where we rely on your consent as our legal basis to process your personal data, you have the right to withdraw your consent and ask for your data to be deleted. As explained above we will not rely on consent in many cases.

After 25 May 2018, you will have the right to:

  • Make changes to inaccurate data.
  • Erase Personal Data deemed unnecessary.
  • Restrict Processing of Personal Data.
  • Object to the processing of your Data.

You can do this in the same way as the access request by completing and submitting the relevant form and send it by post to:
The Data Protection Officer
Information Governance
County Hall
Atlantic Wharf
CardiffCF10 4UW

 

How do I make a request for disclosure of CCTV Footage?

If you would like to make a request for CCTV footage you will need to complete the Request for CCTV Footage form.

Information requested is provided to you at the discretion of the City of Cardiff Council in line with our statutory requirements under the Data Protection Act.

 

Does the Council provide help in understanding/accessing my rights information?

Yes, if you need help with the information provided or the application form, please let us know and someone will to assist you. A translation service is also available.

 

How does Automated Decision Making and Data Portability affect me?

After 25 May 2018, if we process your personal data based on automated decisions, this will have a legal or similarly significant effect on you. You will be able to request a written explanation of the decision made and you can contest the results of the decision.

Cardiff Council does not carry out automated decision making or profiling that comes under this definition.

 

How can you prevent the Council from using information about you for Direct Marketing or stop it from using information for a purpose which could cause you damage or distress?

The Council must ensure it complies with the Privacy and Electronic Communications Regulations 2003.

You should write to the Council asking it not to process your information for direct marketing purposes.