Data protection policies
Hillingdon Council's Cabinet approved a range of policies on 24 May 2018, which are designed to ensure that the council continues to take proper care of residents' personal data.
Privacy notice
The council is required by law to publish a privacy notice. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. The council is therefore required to provide individuals with the type of information contained within this Notice and this is known as 'privacy information'.
Data Protection Policy
Our Data Protection Policy (PDF, 193 KB) provides important information about how we keep data safe and secure and other responsibilities necessary to meet the requirements of the DPA and the GDPR.
Individual Rights Policy
The GDPR introduces the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision making including profiling.
Data Protection Individuals Rights Policy (PDF, 194 KB)
Subject Access Policy and Procedure
The Data Protection Act 2018 gives individuals the right to request copies of all their personal data processed by Hillingdon Council.
- Subject Access Request Policy and Procedure (PDF, 216 KB) (includes Subject Access Form)
Information Governance Policy
Our Information Governance Policy (PDF, 195 KB) sets out the framework by which the council handles information. It applies to sensitive and personal information of residents and employees and also to information related to the business of the council.
The 'lawful basis for processing'
Your personal data may only be used by us if there is a clear lawful basis (PDF, 204 KB) for doing so.
There are 6 types of lawful basis under GDPR:
- Consent
- Contract
- Legal obligation
- Necessary to protect the vital interests of the individual or of another person
- Necessary to perform a public task or to exercise official authority
- Necessary because of legitimate interests
Managing an information security breach
Any suspected breach of personal data must be investigated immediately and, if sufficiently serious, must be reported to the Information Commissioner's Office within 72 hours.
Procedure for Reporting Data Protection Breaches (PDF, 229 KB)
Data protection impact assessments
When the council makes changes to services which might affect the control of personal data it must carry out a Data Protection Impact Assessment (PDF, 231 KB).
Retention and Destruction of personal data
Personal data should not be kept any longer than is necessary.
Retention and Destruction of Personal Data (PDF, 178 KB) (item 7)