Data protection - Summary of your rights

Introduction

The General Data Protection Regulation (GDPR) as supplemented by the UK Data Protection Act 2018 has legal effect. This data protection framework places obligations on organisations and strengthens the rights that individuals have over the processing of their personal information.

The Greater Manchester Authorities have produced this guide to explain your enhanced rights and how we will deal with any requests we may receive from you.

You can also obtain full information about your rights from the Information Commissioner’s Office (the ICO). The ICO is the UK's independent regulator responsible for upholding and enforcing the rights of individuals under data protection law. 

In brief, you have the following rights:

  • the right to be informed;
  • to ask us for access to copies of the personal information we hold about you (see: Subject Access Request - How to request personal information an organisation holds about you);
  • to ask us to rectify your personal information if it is inaccurate or incomplete;
  • to ask us to stop processing your personal information (this is known as the 'right to object');
  • to ask us to erase personal information we hold about you (this is also known as the 'right to be forgotten');
  • to ask us to 'restrict' the processing of your personal information (e.g. restrict our access and use pending our consideration, for example, of any objection or erasure request you have submitted);
  • to ask us ensure that a decision which legally affects you is reviewed by a person if the decision has been made solely using an automated computerised process; 
  • to ask us to put the personal information you have given us into a portable electronic machine readable format so it is capable of being transmitted to someone else.

Please be aware that these rights are not absolute and are subject to conditions and exemptions. In some cases the rights described above only apply if the processing activity is undertaken on specific legal grounds and/or in defined circumstances. Therefore all of these rights are unlikely to be engaged in all cases. 

This Guide sets out:

  • a summary of your rights
    • what these are, and
    • when and how these apply
  • how you can exercise these rights
    • what we will need from you; and
    • what you can expect from us
  • the meaning of some of the terms we have used (see: Data protection - Meaning of terms)

Right to be informed

Every time we seek to collect information from you, we must inform you why we need to process your personal information, including how we propose to use it, who we intend to share it with and the safeguards we have put in place. If we receive information about you from someone else, we will usually tell you before we use or share your personal information unless we are aware you already have this information or, where the law says this is not necessary, such as where this would be prejudicial to ongoing law enforcement/criminal investigations.

We meet these obligations in various ways depending on how you come into contact with us, including directing you to our Privacy Notice viewable on our web site.

Access to your personal information

You are entitled to ask us for copies of the personal information that we hold about you (see: Subject Access Request - How to request personal information an organisation holds about you).

At the time of fulfilling your access request, we will provide the following information:

  • (a) the reasons why it is necessary to process your personal information;
  • (b) the types of personal information we process;
  • (c) the recipients or categories of recipient to whom your personal information have been or will be disclosed, including any recipients in third countries or international organisations and if relevant, the safeguards applicable to the transfer;
  • (d) where possible, the envisaged period for which your personal information will be stored, or, if not possible, the criteria used to determine that period;
  • (e) the right to request rectification, erasure of personal information or to object or seek to restrict such processing;
  • (f) the right to lodge a complaint with a supervisory authority;
  • (g) the source(s) of any personal information we hold that has not been collected directly from you;
  • (h) whether or not decisions are made about you solely using automated means, including profiling, without human intervention  and, if so, provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

We will also explain if we have redacted any information that identifies third parties.

If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reason why one or more exemptions apply.

In certain circumstances we may refuse to respond to your request if we consider that it is unfounded, excessive or repetitive in nature.

Rectification

You are entitled to ask us to:

  • correct inaccurate information about you
  • update the information we hold if it is incomplete 

If we agree that the personal information you have identified is factually inaccurate, we will correct it.

We will:

  • endeavour to inform anyone with whom we may have shared your personal information of any correction(s) we have made so they can rectify the information they hold about you;
  • tell you who the recipients of your information are if you ask us to do this so you can check they if have updated the personal information they hold about you.

If we disagree with your view that the information we hold about you is factually wrong, then in our response we will explain the basis for our decision and your right to complain to the Information Commissioner if you are not satisfied.

If you consider that personal information we hold about you is incomplete and we do not agree with this, we may offer you the option of adding a supplementary statement explaining why you consider the information we hold is incomplete.    

Objections to processing

You have the right to object to us using your personal information where it is being processed for:

  • direct marketing
  • profiling whether linked to direct marketing or for other purposes
  • performing our statutory functions, tasks carried out in the public interest or when exercising official authority; 
  • our legitimate interest or those of a third party;
  • scientific/historical research/statistics where:
  • this is likely to cause substantial damage or substantial or distress; or
  • involves decision-making about an individual

If you object to us using your personal information for direct marketing (or profiling linked to direct marketing) we will cease processing for this purpose(s).

If you object to the use of your personal data for scientific/historical research or statistical purposes on one or both of the above grounds, we will carefully consider your request and let you know the outcome. It may not always be possible to meet your objection if for example, the processing is carried out for the purpose of measures or decisions with respect to particular individuals where this is in accordance the law and is necessary for specified bodies to carry out approved medical research.

Where you object to us processing your personal information for any of the other reasons above, we will:

  • consider if we have compelling legitimate grounds for continued processing; and
  • whether or not these grounds are sufficiently compelling to justify overriding your privacy rights.

Where the law requires us to process your information to meet our statutory functions and public tasks, including our law enforcement functions, it is very likely that we will not be able to comply with your request. 

For example, you will not be able to use this right to prevent us from:

  • collecting and administering council tax or assessing benefit entitlements
  • taking measures to protect the health and safety of our staff
  • establishing, exercising or defending our legal rights
  • pursuing criminal investigations or proceedings

If we do not uphold your objection, we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.  

Restriction on use / access

This right may be exercised in circumstances where:

  • we need time to consider your representations where you are:
    • contesting the accuracy of the personal information we hold about you; or
    • objecting to our processing of your information
  • it has already been determined the processing is 'unlawful' and you ask us to retain and 'restrict' its use;
  • we no longer need to retain your personal information but you ask us to retain it for the establishment, exercise or defence of own legal claims.

If you make a request we will let you know if we agree to restrict access to your information for one or more of the above reasons.

If we decide a restriction is appropriate, we will endeavour to notify any recipients of your personal information and let you know who they are if you ask us to do so. 

Where processing is restricted, as well as storing your personal information we will only process it during the period of restriction:

  • with your consent; or
  • if it is necessary for the establishment, exercise or defence of legal claims;
  • if it is necessary for the protection of the rights of another person; or
  • if it is necessary for reasons of important public interest, including for example, communicating with the Information Commissioner.

Where a restriction is applied pending a determination of 'accuracy' or any 'objection' you may have submitted, we will let you know the outcome of your representations and will notify you prior to lifting the restriction.

Where the reason for the restriction is for one of the other reasons above, the erasure of the personal information will not take place until we have resolved evidential issues with you.   

We will also tell you about your right to complain to the Information Commissioner if you are not satisfied.   

Erasure (also referred to as the right to be "forgotten")

You have the right to request that we erase your personal information in defined circumstances.  

These defined circumstances are:

  • (a) if we are storing your personal information for longer than is necessary or in breach of a legal obligation that requires its erasure;
  • (b) you decide to withdraw your consent and you ask us to erase your personal information where there is no other legal ground for processing;
  • (c) we have accepted an objection made by you to our processing of your personal information and you have further requested that we erase the personal information in question;
  • (d) we are processing or publishing your personal information without a legal basis for doing so;

We will carefully consider a request for erasure. Our response will outline whether or not we consider retention of your personal information is unwarranted.  

There are circumstances why it may not always be possible to agree to your erasure request and we have listed a number of grounds below where it may be necessary for us to retain your information:

  • in the interests of freedom of expression (special journalistic purposes)
  • in order to comply with a legal obligation;
  • for archiving in public interest;
  • for public health functions in public interest
  • for exercising legal rights or defending legal claims

If we agree to erase your personal information, we will endeavour to notify any recipients and let you know who they are if you ask us to do so.  

If we refuse your request for erasure we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.  

Data Portability

In certain circumstances, you have the right to request that personal information you have supplied to an organisation be converted into a structured, commonly used and machine-readable format so that it can be transmitted to another organisation. This right is primarily intended to stimulate competition in the commercial sector by making it easier for consumers to switch from one supplier to another.

As most of the processing activities undertaken by us are governed by statute or as a result of legal obligations imposed on us, this right is only be engaged where:

  • we process your personal information on an automated basis, and the legal basis for our processing:
    • is based on your consent; or
    • is for entering into or the performance of a contract with you 

If you make a request for the personal information you have supplied to us to be converted into a portable format where our legal basis for processing falls within one of the grounds above, we will let you know our decision and if you are not satisfied with our response of your right to complain to the Information Commissioner.

Automated Decision Making

In general, decisions which affect you legally or have similarly significant effects are not permitted using solely automated processing, especially if this involves the use of personal information which because of its nature, is termed 'Special' or 'Sensitive'. This is because decisions made using automated electronic programmes or software do not involve human beings.

But there are some exceptions where automated decision-making is permitted. This is where the processing:

  • is based on your explicit consent;
  • is necessary for entering into or the performance of a contract with you;
  • it is required or authorised by law  

Where an automated decision is made about you based on one of the reasons above, you are entitled to be:

  • informed that our processing activity involves automated decision making and to be informed about the logic involved and the likely consequences of the processing for you;
  • told what measures and safeguards we have implemented to protect your privacy; 
  • Within 1 month of your receipt of the above notification, you have the right to:
    • contest the automated decision;
    • to ask that the automated decision be reconsidered by an appropriate person with the authority/seniority to reach a fresh decision that is not based solely on automated processing.

If you contest an automated decision and ask for it to be reconsidered, we will respond within the allowed time period and let you know whether or not this fresh decision has led to the same or a different outcome.  

We will also explain your right to complain to the Information Commissioner if you are not satisfied.