Data Protection Act

The General Data Protection Regulation (GDPR) and new UK Data Protection Act 2018 extends the rights of individuals and require organisations holding personal data to comply with a new stricter set of rules. It also aims to give people more control over their data.

Further details about the data protection laws and how we comply with them can be found here in our Data Protection Guide for the Public.

Data Protection Principles

There are seven principles under the GDPR to ensure that personal information is handled properly by organisations. They require personal data to be:

  • Processed lawfully, fairly and in a transparent manner
  • Obtained for a specified, explicit and legitimate purpose
  • Adequate, relevant and limited
  • Accurate and, where necessary, kept up to date
  • Kept no longer than is necessary
  • Have appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction of personal data
  • The organisation also has to be able to demonstrate accountability and compliance with the principles.

Subject Access & Information Rights

The GDPR creates new rights for individuals and strengthens existing rights.

You have the following rights regarding your information:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure (“be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to automated decision-making, including profiling.

If you wish to request a copy of your information or find out more about your information rights, please refer to the Subject Access & Information Rights Leaflet & Form.

All requests are free of charge. We will respond with the information within 30 calendar days of the request being received, unless it is a complex request, where on such occasions the deadline for responding may require extending by a further two months. However if this is the case, we will let you know within one month from the date of receiving your request.

Police & other agencies requesting personal information from the Council

What personal information the police and other agencies can request from the Council and how to action such requests?

The police and other agencies can request access to personal information held by the Council for specified purposes. These types of request are permitted under exemptions found under Schedule 2 Part 1 Paragraph 2 of the Data Protection Act 2018 (formerly S29 of Data Protection Act 1998) and where the Council has entered into an Information Sharing Protocol with the police and other agencies with requests relating to the particular information sharing protocol in place.

They can ask for information if it's about:

  • prevention or detection of crime
  • the apprehension or prosecution of offenders
  • assessment or collection of tax, duty or imposition of a similar nature.

The Data Protection Act does not give an automatic right of access to information by the police and other agencies and allows the Council to assess the merits of requests and decide whether or not to apply the exemption.

See the Information Commissioners’ Office guidance about exemptions. It includes reasons the Council must take into consideration when deciding whether to release information to relevant authorities.

To make a Schedule 2 Data Protection Act Request


Subject Access & Information Rights Leaflet & Form

Data Protection Guide for the Public

Handling of Sensitive & Criminal Information

Freedom of Information Request

Environmental Information Regulations Request  

Related pages

Freedom of Information Act

Environmental Information Regulations (EIR)

Useful links

Information Commissioner's Office

Data Protection Act

Crown Copyright Information

Contact details

Information Officer
Stevenage Borough Council,
Daneshill House

01438 242242

The Information Commissioner Office (ICO) 
Wycliffe House
Water Lane

0303 123 1113