This data protection framework places obligations on organisations and strengthens the rights that individuals have over the processing of their personal information.
The UK General Data Protection Regulation (UK GDPR) as supplemented by the UK Data Protection Act 2018 has legal effect.
The Greater Manchester Authorities have produced this guide to explain your enhanced rights and how we will deal with any requests we may receive from you.
You can also obtain full information about your rights from the Information Commissioner’s Office (ICO). The ICO is the UK's independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.
In brief, you have the following rights:
Please be aware that these rights are not absolute and are subject to conditions and exemptions.
In some cases the rights described above only apply if the processing activity is undertaken on specific legal grounds and/or in defined circumstances. Therefore, all of these rights are unlikely to be engaged in all cases.
This guide sets out:
Access your personal information
Every time we seek to collect information from you, we must inform you why we need to process your personal information, including:
If we receive information about you from someone else, we will usually tell you before we use or share your personal information unless we are aware you already have this information or, where the law says this is not necessary, such as where this would be prejudicial to ongoing law enforcement/criminal investigations.
We meet these obligations in various ways depending on how you come into contact with us, including directing you to our Privacy Notice viewable on our web site.
You are entitled to ask us for copies of the personal information that we hold about you, known as a Subject Access Request.
At the time of fulfilling your subject access request, we will provide the following information:
We will also explain if we have redacted any information that identifies third parties.
If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reason why one or more exemptions apply.
In certain circumstances we may refuse to respond to your request if we consider that it is unfounded, excessive or repetitive in nature.
You are entitled to ask us to:
If we agree that the personal information you have identified is factually inaccurate, we will correct it. We will:
If we disagree with your view that the information we hold about you is factually wrong, then in our response we will explain the basis for our decision and your right to complain to the Information Commissioner if you are not satisfied.
If you consider that personal information we hold about you is incomplete and we do not agree with this, we may offer you the option of adding a supplementary statement explaining why you consider the information we hold is incomplete.
You have the right to object to us using your personal information where it is being processed for:
If you object to us using your personal information for direct marketing (or profiling linked to direct marketing) we will cease processing for this purpose(s).
If you object to the use of your personal data for scientific/historical research or statistical purposes on one or both of the above grounds, we will carefully consider your request and let you know the outcome. It may not always be possible to meet your objection if for example, the processing is carried out for the purpose of measures or decisions with respect to particular individuals where this is in accordance the law and is necessary for specified bodies to carry out approved medical research.
Where you object to us processing your personal information for any of the other reasons above, we will:
Where the law requires us to process your information to meet our statutory functions and public tasks, including our law enforcement functions, it is very likely that we will not be able to comply with your request. For example, you will not be able to use this right to prevent us from:
If we do not uphold your objection, we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.
This right may be exercised in circumstances where:
If you make a request, we will let you know if we agree to restrict access to your information for one or more of the above reasons.
If we decide a restriction is appropriate, we will endeavour to notify any recipients of your personal information and let you know who they are if you ask us to do so.
Where processing is restricted, as well as storing your personal information we will only process it during the period of restriction with your consent or if it's necessary for:
Where a restriction is applied pending a determination of 'accuracy' or any 'objection' you may have submitted, we will let you know the outcome of your representations and will notify you prior to lifting the restriction.
Where the reason for the restriction is for one of the other reasons above, the erasure of the personal information will not take place until we have resolved evidential issues with you.
We will also tell you about your right to complain to the Information Commissioner if you are not satisfied.
You have the right to request to be forgotten, also known as 'erasure', of your personal information in defined circumstances. These defined circumstances are:
We will carefully consider a request for erasure. Our response will outline whether or not we consider retention of your personal information is unwarranted.
There are circumstances why it may not always be possible to agree to your erasure request and we have listed a number of grounds below where it may be necessary for us to retain your information:
If we agree to erase your personal information, we will endeavour to notify any recipients and let you know who they are if you ask us to do so.
If we refuse your request for erasure we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.
In certain circumstances, you have the right to request that personal information you have supplied to an organisation be converted into a structured, commonly used and machine-readable format so that it can be transmitted to another organisation. This right is primarily intended to stimulate competition in the commercial sector by making it easier for consumers to switch from one supplier to another.
As most of the processing activities undertaken by us are governed by statute or as a result of legal obligations imposed on us, this right is only be engaged where:
If you make a request for the personal information you have supplied to us to be converted into a portable format where our legal basis for processing falls within one of the grounds above, we will let you know our decision and if you are not satisfied with our response of your right to complain to the Information Commissioner.
In general, decisions which affect you legally or have similarly significant effects are not permitted using solely automated processing, especially if this involves the use of personal information which because of its nature, is termed 'Special' or 'Sensitive'. This is because decisions made using automated electronic programmes or software do not involve human beings.
But there are some exceptions where automated decision-making is permitted. This is where the processing:
Where an automated decision is made about you based on one of the reasons above, you are entitled to be:
If you contest an automated decision and ask for it to be reconsidered, we will respond within the allowed time period and let you know whether or not this fresh decision has led to the same or a different outcome.
We will also explain your right to complain to the Information Commissioner if you are not satisfied.
Means a decision which is based solely on Automated Processing (including Profiling) which produces legal effects or significantly affects an individual. The UK GDPR generally prohibits Automated Decision-Making except in defined circumstances, subject to certain conditions and safeguards being met.
Means any processing of personal information that is automated through the use of computers and computer software.
Must be freely given, specific, informed and unambiguous indication of an individuals' wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Explicit Consent
Requires a very clear and specific statement, leaving no room for misinterpretation.
Means the person or organisation (in this case us) that determines when, why and how to process personal information.
Means UK legislation that repeals the 1998 Act, and provides for the role, responsibilities and enforcement powers of the Information Commissioner and sets data protection standards for processing activities that do not fall within the purview of the UK GDPR.
A living, identified or identifiable individual about whom we as the Controller hold personal information.
Means one calendar month counted from the first working day after proof of ID and any requested information is received by us, except where this falls on a weekend or a bank holiday in which case the "latest due date" is treated as the first working day after the weekend or bank holiday. The same method is applied to calculating the "latest due date" for complex requests where an extension of time is permitted and claimed.
Means any information relating to an identified or identifiable living person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.
Are notices setting out the information given to you at the time we collect information from you or within a reasonable time period after we obtain information about you from someone else. These notices may take the form of an overarching privacy statement (as available on our web site) or apply to a specific group of individuals (for example, service specific or employee privacy notices) or they may be stand-alone, one time privacy statements covering processing related to a specific purpose.
Means any activity that involves the use of personal information. It includes obtaining, recording or holding the information, or carrying out any operation or set of operations on the information including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal information to other Recipients.
Means the recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying categories of people.
Means a person or organisation who receives your personal information from us. This may be a company with whom we have entered into a contract to provide services on our behalf or another Controller with whom we are either required or permitted to share personal information.
Is information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal information relating to criminal offences and convictions.
Is a living individual other than the person who is the data subject.
Means the retained version of the General Information Protection Regulation ((EU) 2016/679).