Data protection policy

Information about how we protect data in line with the Data Protection Act 2018

The Data Protection Act 2018, regulates the processing of information about living individuals.

This Act applies to all personal data held electronically and to personal data held manually in a relevant filing system. The authority will process personal data and sensitive personal data in compliance with this legislation.


This Policy applies to all personal data that Redcar and Cleveland Borough Council Processes. It covers personal data held in manual files as well as on computer databases.

All Local Authorities have a duty to improve the health of the population they serve.

To help with this, we use data and information from a range of sources including hospital episodes and births and death registrations to understand more about the nature and causes of disease and ill-health in the area, alongside health and care needs.

This data is processed in order to fulfil our requirements with regards to public health.

Our Policy

We are committed to ensuring the confidentiality and security of all personal data we come into contact with. This is successfully achieved by acting in accordance with the following 6 principles of the Data Protection Act 2018;

  • Personal data shall be processed lawfully, fairly and in a transparent manner
  • Personal data should be collected for specified, explicit and legitimate purposes
  • Personal data should be adequate, relevant and limited to what is necessary
  • Personal data should be accurate and where necessary kept up to date
  • Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed and;
  • Processed in a manner that ensures appropriate security of the personal data.

We will notify the Information Commissioner of details of our Personal Data processing activities and maintain an accurate entry in the Public Register of Data Controllers.

All data subjects will be informed of the purposes for which their personal data are to be processed and where necessary will be asked to consent to further processing.

We will only hold the minimum amount of personal data to carry out the processes specified.

We will ensure that all data is accurate and up-to-date and where no longer required it will be destroyed in line with Retention Legislation, Council Policies or best practice.

Personal data will be collected, stored and processed safely and securely and will only be made available to those who need it in order to carry out the functions.

All Staff, Members and Agents are responsible for ensuring that they adhere to the Data Protection Act in the course of their employment and when handling personal data.

Elected Members and staff will be trained to an appropriate level in the use and security of personal data.

Deliberate unauthorised access to, copying of, alteration of, deletion of or interference with data held by the Council is forbidden.

Compliance with this policy and related procedures will be monitored and any deliberate breach of this policy or the Data Protection Act will be seen as misconduct and may be subject to action under the disciplinary procedure.

Data matching, which involves comparing computer records from one body against those from another body, will only take place in instances where it is permitted by Legislation and will be carried out in line with the Code of Practice.

The National Fraud Initiative is an example of where data matching is required by law.

If on any occasion personal data is lost, stolen or compromised, the designated officers of the authority will be notified. Should this occur, all Staff, Members and Agents are aware of the appropriate procedure to follow.

On more serious occasions the Information Commissioner's Office will also be notified.


The overall responsibility for the notification to the Information Commissioner of the Council as a Data Controller and as a Data Processor, for publication of the Councils Publication Scheme and for ensuring compliance with the appropriate statutes rests with the Managing Director

The Managing Director must be provided with details of any existing information systems and any proposal to introduce a new information system or to make a change to an existing system in order that any implications for personal data and information security and publication may be assessed and approved before implementation.

This will include any necessary amendments to the Council's notifications under the DPA.

Schools are separate entities from the Council and are responsible for their own arrangements. Elected Members have separate notifications covering their constituency work.

Directorates must ensure that contracts with organisations such as data processors, computer suppliers and maintenance companies contain adequate safeguards regarding access to personal data by those organisations.

Individual Directorates are responsible for ensuring any confidential documentation no longer required is disposed of in an appropriate manner and with due regard to its sensitivity.

Strict procedures for the distribution, storage and disposal of documentation must be established by individual departments, having regard to the peculiarities of the particular system.

Rights of the individual

Personal data will be processed in accordance with the rights of the individual which are set out in the act. These rights are as follows:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object
  • Rights in relation to automated decision making and profiling.

Subject Access Requests

Where any individual submits a valid subject access request (which requires the request in writing and proof of identification, we aim to provide the requester with a copy of their records within the time limits set out by the Data Protection Act 2018.

The Data Protection Act 2018 contains certain exemptions one of these being the provision of confidential references about members of staff written by the Council.

Further information on Subject Access Requests can be found on the Guidance for data subjects page on our website.

Freedom of Information

Where any person submits a request under the Freedom of Information Act 2000 or Environmental Information Regulations 2004 we will aim to provide a response to this request with the statutory time limit (20 working days).

We maintain an accurate Publication Scheme which enables access to documents we are required to publish by law and other documents which we think you will be interested in.

All information will be disclosed upon receipt of a valid request provided that no exemptions/exceptions apply. For more detailed information on how to submit a request under this legislation please see the guidance on our website.

The Caldicott Guardian

A Caldicott Guardian is a senior person who is responsible for the oversight of the arrangements in that organisation for the use and sharing of clinical information.

The role of the Caldicott Guardian is based around the following 6 principles:

  • Justify the purpose(s) for using confidential information
  • Only use it when absolutely necessary
  • Use the minimum that is required
  • Access should be on a strict need-to-know basis
  • Everybody must understand his or her responsibilities​
  • Understand and comply with the law

Further information on our Caldicott Guardian and contact details for them can be found on our website under The Role of the Caldicott Guardian 


For the purposes of our policy the following definitions apply:

Personal Data is data about a living individual, who can be identified from either those data alone, or those data and other information which is in our possession, or is likely to come into our possession.

Sensitive Personal Data includes the race or ethnic origin of the data subject, their political or religious beliefs, membership of a trade union, physical or mental health, sexual life and orientation, criminal offences either alleged or proven and any sentences they have received.

Relevant filing System is described as any set of information structured by reference to individuals or that can be accessed by reference to criteria relating to individuals.

Processing covers all actions involved in obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

"Data Controller means the person or organisation that determines how data is processed. Redcar and Cleveland Borough Council is the Data Controller for personal data that it processes.​