Individual's Rights

UK Data Protection Act 2017

The new UK data protection law changes as of 25th May 2018, the same day the EU's General Data Protection Regulation (GDPR) comes into force.
A key area of change in the new Data Protection Act relates to individuals rights. The law refreshers existing rights by clarifying and extending them and introduces new rights such as the “right to be forgotten”, the “right to restriction of processing” and the “right to data portability”.

However your information rights will be dependent on the reason why and how the data was collected and why it is being used.


General Data

Part 2 of the UK Data Protection Act 2018 stipulates how general personal data should be processed. It applies the standards set in the EU’s General Data Protection Legislation. General data is data which is processed for a reason not involving law enforcement or national security.


Law Enforcement Data

The new law provides instruction on which organisations can process data for law enforcement purposes. These organisations are referred to as “competent authorities”.

Northumbria police are a “competent authority” and can lawfully process personal data for law enforcement purposes. How data should be processed for law enforcement purposes is documented in Part 3 of the UK Data Protection Act 2018.

Law enforcement purposes are considered as prevention and detection of crime, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or the safeguarding against and the prevention of threats to public security.

Part 2 General Processing Information Rights


Right to Be Informed:

You have the right to be informed about the collection and use of your personal data. This is done by using a privacy notice which can be provided to you in a number of different ways, for example,

  • Northumbria Police’s Privacy Notice which can be located here
  • At the top of your consent form
  • On Northumbria Police social media sites.


Right of Access:

This is commonly known as subject access and is the process which entitles individuals to:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information – however all other information should be held in the relevant privacy notice, as documented above.

The purpose of right of access is to allow individuals access to their personal data so that they:

  • Are aware of what data is being processed, and
  • Can verify the lawfulness of the processing.

From the 25th May 2018 subject access requests can be made verbally or in writing and will be free of charge, unless we consider your request to be:

  • deemed as manifestly unfounded, or
  • excessive or repetitive

If we deem one of the above to be the case we may request a reasonable fee or refuse to process your request. If a fee is applied this will be based on the administrative cost of providing the information to you.

We must provide you with your information within one month of receipt, however we can lawfully extend this by a further two months if your request is complex or numerous. If there is a delay in dealing with your request we will inform you within one month of receipt of the request and explain why the extension is necessary. If proof of identity is sought then the one month will commence when your identity has been confirmed.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.


If you would like to exercise your information rights then please complete our form here

Right to Request Rectification:

You are entitled to have personal data rectified if it is inaccurate or incomplete.

Requests for rectification will be responded to within one month of receipt however if we believe your request to be manifestly unfounded or excessive then we may request a reasonable fee or refuse to deal with your request. If we decide to charge a fee we will also notify you within one month of receipt however we will not comply with you request until the fee is received.

The fee will be based on the administrative costs of complying with your request.

If we decide not to take action in response to your request for rectification, we will explain why and inform you of your right to complain to the Information Commissioner and to a “judicial remedy”. We will do this within one month of receiving your request.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

We do have the right to extend the time to respond by a further two months if your request is complex or numerous. We will write to you to advise you of the delay within one month of receiving your request.

If we have disclosed personal data deemed as inaccurate or incomplete to others, then will contact the recipient(s) and inform them of the rectification, unless to do so proves impossible or involves disproportionate effort.

If you would like to have your data rectified please do so by contacting Northumbria Police at:

Email: data.protection@northumbria.pnn.police.uk

Telephone: 0191 295 6940 or 0191 295 6941

Post: The Data Protection Officer, 4th Floor, Cobalt Business Exchange, Cobalt Business Park
Cobalt Way, Newcastle upon Tyne, NE29 9NZ


Right to Erasure

The right to erasure is also known as ‘the right to be forgotten’. This right enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

The right to erasure is not an absolute right and only applies in the following circumstances;

  • Your personal data is no longer necessary for the purpose which we originally collected or processed it for;
  • We relied on your consent as your lawful basis for holding the data, and you now wish to withdraw your consent;
  • We relied on legitimate interests as our reason for processing your personal data and you now object to us processing your data, and we have no overriding legitimate interest to continue this processing;
  • We are processing your personal data for direct marketing purposes and you object to that processing;
  • We have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
  • We have to do it to comply with a legal obligation; or
  • We have processed personal data to offer information society services to a child.

From the 25th May 2018 we will accept requests for erasure verbally or in writing. We will respond to your request within one month of receipt however this can be extended by a further two months if your request is complex or numerous. If proof of identity is required the one month will commence when your identity is confirmed.

If there is a delay in dealing with your request we will inform you within one month of receipt of the request and explain why the extension is necessary.

We may also request a reasonable fee or refuse to comply with your request for erasure if we consider it is manifestly unfounded or excessive. We will write to you within one month of receipt of your request and explain our decision. Any fee will be based on the administrative costs of complying with the request. If we charge a fee then your request will not be processed until the fee is received.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

There are some specific circumstances where the right to erasure does not apply and therefore a request may be refused. These reasons could involve data processed for the following purposes:

  • To exercise the right of freedom of expression and information;
  • To comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • For public health purposes in the public interest;
  • Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
  • The exercise or defence of legal claims.

If we have disclosed your personal data to others, including making it public on an online environment, and then subsequently erase on request, we will contact the recipient(s) and inform them of the erasure, unless to do so proves impossible or involves disproportionate effort.
If you would like to have your data erased please contact Northumbria Police using the contact details above.


The Right to Restrict Processing

Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, organisations are permitted to store the personal data, but not further process it.

Organisations can retain just enough information about the individual to ensure that the restriction is respected in future.

The right to restrict processing is not an absolute right and only applies in certain circumstances.
We are required to restrict the processing of your personal data in the following circumstances:

  • Where you contest the accuracy of your personal data, we must restrict the processing until we have verified the accuracy of your personal data.
  • We have unlawfully processed your personal data and you oppose the erasure and request restriction instead;
  • We no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to us processing your data under Article 21(1), and we are considering whether our legitimate grounds override your right to object.
  • From the 25th May 2018 requests for erasure will be accepted verbally or in writing, however proof of identity may be required. If proof of identity is sought then the one month will commence when your identity is confirmed.

We may extend the time to respond to you by a further two months if your request is complex or numerous. If there is a delay in dealing with your request we will inform you within one month of receipt of the request and explain why the extension is necessary.

We may also request a reasonable fee or refuse to comply with your request for restriction if we consider it is manifestly unfounded or excessive. We will write to you within one month of receipt of your request and explain our decision. Any fee will be based on the administrative costs of complying with the request. If we charge a fee then your request will not be processed until the fee is received.

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

If we have disclosed personal data to others, which we subsequently restrict on request, then we will contact the recipient(s) and inform them of the erasure, unless to do so proves impossible or involves disproportionate effort.

We will also advise you when the restriction on processing is lifted.
If you would like to have the processing of your person data restricted please contact Northumbria Police using the contact details above.


Right to Data Portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • To personal data you have provided to a data controller;
  • Where the processing is based on the your consent or for the performance of a contract; and
  • When processing is carried out by automated means.

We will provide your personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use your data.

The information will be provided free of charge.

If requested and technically feasible we will transmit the data directly to another organisation.
If your personal data concerns more than you we must consider whether providing the information would prejudice the rights of the other person.

We will respond to your request for data portability within one month however this can be extended by two months where the request is complex or we receive a number of requests. We will inform you within one month of the receipt of the request and explain why the extension is necessary.

Where we are not taking action in response to a request, we will explain why and inform you of your right to complain to the Information Commissioner and to a judicial remedy without undue delay and at the latest within one month.

If you would like request data portability please contact Northumbria Police using the contact details above.

Right to Object

Individuals have the right to object to:

  • The processing of your personal data based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • The processing of their personal data for direct marketing (including profiling); and
  • The processing of their personal data for the purposes of scientific/historical research and statistics.

We will stop processing your personal data unless:

  • We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • The processing is for the establishment, exercise or defence of legal claims.
  • We will inform you of your right to object at the point of first communication and in our privacy notice.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

Rights Relating to Automated Decision Making

Automated individual decision making and profiling is a decision made by automated means without any human involvement.

Examples of this are:

  • An online decision to award a loan; and
  • A recruitment aptitude test which uses pre-programmed algorithms and criteria.

The new data protection law will restrict organisations from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.
The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects, although these effects are not defined, the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

We will only carry out solely automated decision making with legal or similarly significant effects if the decision is:

  • Necessary for entering into or performance of a contract between an organisation and the individual;
  • Authorised by law (for example, for the purposes of fraud or tax evasion); or
  • Based on the individual’s explicit consent.
  • The processing is necessary for reasons of substantial public interest.


Restrictions to Information Rights

When dealing with your information rights request a data controller or processor can restrict your rights if they consider it necessary to safeguard:

  • National security;
  • Defence;
  • Public security;
  • The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
  • The protection of judicial independence and judicial proceedings;
  • The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
  • The protection of the data subject or the rights and freedoms of others;
  • The enforcement of civil law claims.

Information Commissioner

If you are concerned about the way Northumbria Police have handled your information you have the right to make a complaint to the Information Commissioner. 

 

Part 3 Law Enforcement Processing Information Rights

Right to Be Informed:

You have the right to be informed about the collection and use of your personal data, how long it will be kept for and who it will be shared with. This is done by using a privacy notice which can be provided to you in a number of different ways, for example,

We can however limit the information we supply to you under this “Right” if we believe that by doing so would be necessary and appropriate to:

  • Avoid obstructing an official or legal inquiry, investigation or procedure;
  • Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • Protect public security;
  • Protect national security; or
  • Protect the rights and freedoms of others.

If we do place a restriction then we will advise you unless we believe by doing so would undermine the purpose for the restriction.

Right of Access:

This is commonly known as subject access and is the right which allows you access to your personal data and supplementary information, however it is subject to certain restrictions.

From the 25th May 2018 subject access requests can be made verbally or in writing and will be free of charge.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

If we consider your request to be manifestly unfounded or excessive, in particular because it is repetitive, then we may:

  • charge a reasonable fee taking into account the administrative costs of providing the information (the month starts after we have received the fee); or
  • refuse to respond to your request

If we refuse to process your request we will explain why and inform you of your right to complain to the Information Commissioner, and to a judicial remedy within one month of receipt.

Under this right you are entitled to the following information:

  • Our purposes for processing and the legal basis we rely on;
  • The categories of personal data we are processing;
  • The recipients or categories of recipients we are disclosing the personal data to;
  • Our retention period, or our criteria for determining this;
  • Your right to request rectification, erasure or restriction;
  • Your right to raise a complaint with the Information Commissioner;
  • The personal data we are processing (in writing) and any available information you have about the origin of the data.

We may restrict the information we provide to you where it is necessary and proportionate to protect the “rights and freedoms of others”. This is relevant when the data you request involves third parties.

We can also restrict or limit the amount of data we send you, in particular;

  • Confirmation that we are processing your personal data; and
  • Access to your personal data.

if we believe it necessary and proportionate in order to:

  • Avoid obstructing an official or legal inquiry, investigation or procedure;
  • Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • Protect public security;
  • Protect national security; or
  • Protect the rights and freedoms of others.

If we do place a restriction then we will advise you unless we believe by doing so would undermine the purpose for the restriction. We will advise you of your right to complain to the Information Commissioner.

If you would like to exercise your information rights then please complete our form here


Right to Request Rectification:

You are entitled to have personal data rectified if it is inaccurate or incomplete.

We will rectify inaccurate personal data when it becomes apparent to us, or, if you request it. If your personal data is identified as inaccurate, or incomplete, we will seek to amend this by rectifying or completing the data. If we are unable to correct it, we may provide a supplementary statement to rectify your personal data, if we deem it appropriate. As a “competent authority” we are allowed to keep accurate records of allegations made, even if the allegations are unfounded.

Requests for rectification can be accepted verbally or in writing and will be responded to within one month of receipt. If we believe your request to be manifestly unfounded or excessive then we may request a reasonable fee or refuse to deal with your request. If we decide to charge a fee will we also notify you within one of receipt however we will not comply with you request until the fee is received. The fee will be based on the administrative costs of complying with your request.

We may also be required to ask you for documents to prove your identity. If this is required then the one month will commence from the date your identity is confirmed.

As a “competent authority” we can limit your right to rectification to:

  • Avoid obstructing an official or legal inquiry, investigation or procedure;
  • Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • Protect public security;
  • Protect national security; or
  • Protect the rights and freedoms of others.

If we do place a restriction then we will advise you unless we believe by doing so would undermine the purpose for the restriction.

If we decide not to take action in response to your request for rectification, we will explain why and inform you of your right to complain to the Information Commissioner. We will do this within one month of receiving your request.

If we have disclosed personal data deemed as inaccurate or incomplete to others, then will contact the recipient(s) and inform them of the rectification, unless to do so proves impossible or involves disproportionate effort.

If you would like to have your data rectified please do so by contacting Northumbria Police using the contact details above.

Right to Erasure and Right to Restriction

You have the right to request the deletion or removal of your personal data and/or the right to ‘block’ or restrict the processing of your personal data where there is no compelling reason for its continued processing.

We will erase or put your personal data “beyond use” if:

  • The processing of your personal data will infringe the data protection principles;
  • We do not meet safeguards for archiving and processing of sensitive personal data; or
  • We have a legal obligation to erase the data.

From the 25th May 2018 we will accept requests for erasure verbally or in writing. We will respond to your request within one month of receipt however if proof of identity is required the one month will commence when your identity is confirmed.

We may also request a reasonable fee or refuse to comply with your request for erasure if we consider it is manifestly unfounded or excessive. We will write to you within one month of receipt of your request and explain our decision. Any fee will be based on the administrative costs of complying with the request. If we charge a fee then your request will not be processed until the fee is received.

As a “competent authority” we must restrict your right to erasure or restriction in the following two circumstances:

  • When your personal data is being used for evidential purposes
  • If you contest the accuracy of the personal data we hold but we are unable to be certain about its accuracy.

We may also limit the information we provide to you in order to:

  • Avoid obstructing an official or legal inquiry, investigation or procedure;
  • Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
  • Protect public security;
  • Protect national security; or
  • Protect the rights and freedoms of others.

If we decide not to take action in response to your request for erasure or restriction, we will explain why and inform you of your right to complain to the Information Commissioner. We will do this within one month of receiving your request.

If we have disclosed your personal data to others, including making it public on an online environment, and then subsequently erase on request, we will contact the recipient(s) and inform them of the erasure, unless to do so proves impossible or involves disproportionate effort.
If you would like to have your data erased please contact Northumbria Police using the contact details above.

Rights Relating to Automated Decision Making
Automated individual decision making and profiling is a decision made by automated means without any human involvement.

The new data protection law will restrict organisations from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.
A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.
Northumbria Police do not currently use solely automated decision making for law enforcement purposes, however if these were to be introduced we will ensure you are able to:

  • Obtain human intervention;
  • Express their point of view; and
  • Obtain an explanation of the decision and challenge it

If we do make a “qualifying significant decision” using automated decision making you will be advised and given 21 days to request a review of the decision, or take a new decision not based solely on automated means. We will respond within 21 days of receipt of your request to explain the steps we have taken and the outcome. We will also inform you of your right to complain to the Information Commissioner.

You can make a request verbally or in writing and will be free of charge.


Information Commissioner

If you are concerned about the way Northumbria Police have handled your information you have the right to make a complaint to the Information Commissioner.

The Information Commissioners Office can be contacted via the following ways:

Email: casework@ico.org.uk

Telephone Helpline: 0303 123 1113
(Their normal opening hours are Monday to Friday between 9am and 5pm)

Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF