Data protection policies

Hillingdon Council's Cabinet approved a range of policies on 24 May 2018, which are designed to ensure that the council continues to take proper care of residents' personal data.

Privacy notice

The council is required by law to publish a privacy notice.  Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. The council is therefore required to provide individuals with the type of information contained within this Notice and this is known as 'privacy information'.

Data Protection Policy

Our Data Protection Policy (PDF, 193 KB) provides important information about how we keep data safe and secure and other responsibilities necessary to meet the requirements of the DPA and the GDPR.

Individual Rights Policy

The GDPR introduces the following rights for individuals:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision making including profiling.

Data Protection Individuals Rights Policy (PDF, 194 KB) 

Subject Access Policy and Procedure

The Data Protection Act 2018 gives individuals the right to request copies of all their personal data processed by Hillingdon Council.

Information Governance Policy

Our  Information Governance Policy (PDF, 195 KB) sets out the framework by which the council handles information. It applies to sensitive and personal information of residents and employees and also to information related to the business of the council.

The 'lawful basis for processing'

Your personal data may only be used by us if there is a clear lawful basis (PDF, 204 KB) for doing so.  

There are 6 types of lawful basis under GDPR:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Necessary to protect the vital interests of the individual or of another person
  5. Necessary to perform a public task or to exercise official authority
  6. Necessary because of legitimate interests

Managing an information security breach

Any suspected breach of personal data must be investigated immediately and, if sufficiently serious, must be reported to the Information Commissioner's Office within 72 hours.  

Procedure for Reporting Data Protection Breaches (PDF, 229 KB)

Data protection impact assessments

When the council makes changes to services which might affect the control of personal data it must carry out a  Data Protection Impact Assessment (PDF, 231 KB).

Retention and Destruction of personal data

Personal data should not be kept any longer than is necessary.

Retention and Destruction of Personal Data (PDF, 178 KB) (item 7)

Page last updated: 02 May 2023