Data Protection Policy

Introduction 

This document sets out Wirral Council’s policy regarding Data Protection; it is based on The Data Protection Act (DPA 2018), The UK General Data Protection Regulation (UK GDPR) and the Data (Use and Access) Act 2025, which makes amendments to the UK’s data protection framework. This policy will be reviewed and revised as the Council develops policies under Information Management legislation such as Freedom of Information Act and Human Rights Act 1998, which both enhance the protection and the individual rights given under the Data Protection legislation. 

The purpose of data protection legislation is to regulate the way that personal information about living individuals is obtained, stored, used and disclosed. The legislation grants rights to individuals: 

1. Right to be informed 

We must be completely transparent with you by providing information 'in a concise, transparent, intelligible and easily accessible form, using clear and plain language'. Our privacy notice is one of the ways we try and let you know how data is handled (see Principal Privacy Notice). 

Some limited categories of cookies and similar technologies may be used without consent were permitted by law, for example for statistical or service improvement purposes. 

2. Right of access 

You have the right to access your personal information except where: 

• it contains confidential information about other people, and the Council has to balance the rights of other individuals
• includes information a care professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing
• information which may prejudice an investigation if disclosed 

When responding to requests for access, the Council will carry out reasonable and proportionate searches for personal data and may pause the response timeframe where further clarification is required from the requester (For instance, when proof of identification is required).  

3. Right to rectification 

You have the right without undue delay to request the rectification or updating of inaccurate personal data. 

4. Right to restrict processing 

You can ask for there to be a restriction of processing such as where the accuracy of the personal data is contested. This means that we may only store the personal data and not further process it except in limited circumstances. 

5. Right to object 

You can object to certain types of processing such as direct marketing. The right to object also applies to other types of processing such as processing for scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest). 

6. Rights on automated decision-making and profiling 

The law allows decisions to be made using automated processing, including profiling, in certain circumstances. Where such decisions have legal or similarly significant effects, the Council will ensure appropriate safeguards are in place, including the right to obtain human intervention, to express a view, and to challenge the decision, including where such processing is permitted under applicable lawful bases. 

7. Right to data portability 

Where personal data is processed on the basis of consent and by automated means, you have the right to have your personal data transmitted directly from one data controller to another where this is technically possible. 

8. Right to erasure or 'right to be forgotten' 

You can request the erasure of your personal data when: 

1. the personal data is no longer necessary in relation to the purposes for which it was collected and processed
2. the Council’s lawful basis for processing your personal data was consent and you no longer provide your consent and there is no other legal ground for the processing, or
3. you object to the processing and there are no overriding legitimate grounds for the processing 

For further information on the rights of individuals see the ICO’s advice and guidance 

9. Right to complain to the organisation 

You have the right to raise a complaint directly with the Council if you believe your personal data has not been handled in accordance with data protection law. The Council will provide accessible means to submit complaints, will acknowledge receipt, and will respond without undue delay. If you remain dissatisfied, you also have the right to complain to the Information Commissioner. 

Definitions 

To aid understanding of this document, the following key definitions found in both The Act and GDPR need to be understood: 

Personal data 

Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. 

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria i.e. chronologically ordered sets of manual records containing personal data. The Act extends this to personal data held by an FOI public authority to include manual unstructured systems. 

Personal data that has been pseudonymised, for example key-coded, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. 

Sensitive personal data 

The Act and GDPR refers to sensitive personal data as “special categories of personal data” 

Special category data: 

• race;
• ethnic origin;
• politics;
• religion;
• trade union membership;
• genetics;
• biometrics (where used for ID purposes);
• health;
• sex life; or
• sexual orientation 

The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. 

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to their processing (see Article 10). 

Controller 

‘a Controller is a natural or legal person or organisation which determines the purposes and means of processing personal data’; and 

Processor 

‘a Processor is a natural or legal person or organisation which processes personal data on behalf of a Controller’. 

Processing 

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

Data subject: 

‘identified or identifiable natural person’ 

Principles 

The UK GDPR sets out key principles relating to the collection, use, processing, and protection of personal data. 

These Principles are listed below: 

1. requirement that processing is lawful and fair;
2. requirement that purposes of processing be specified, explicit and legitimate;
3. requirement that personal data be adequate, relevant and not excessive;
4. requirement that personal data be accurate and kept up to date;
5. requirement that personal data be kept for no longer than is necessary;
6. requirement that personal data be processed in a secure manner
7. requirement to demonstrate compliance with all GDPR principles 

Further information, including advice on all aspects of The Act is available from The Office of The Information Commissioner website 

Policy 

Wirral Council supports the objectives of The Act and is bound by its regulation with regard to personal data. This policy is designed to ensure that the confidentiality of personal data is maintained and to increase the access given to individuals to information relating to them. The Policy is designed to complement other Council policies, which relate to personal data in some way. These include but are not limited to HR policies, Information Sharing Protocols and any future policies or protocols agreed with internal departments or external partners. 

Wirral Council will hold the minimum personal data necessary to enable it to perform its functions. The data will be deleted in accordance with the corporate Records Retention and Destruction Policy of the Council. Every effort will be made to ensure that data is accurate and up to date, and that inaccuracies are corrected quickly. 

Wirral Council, when designing new services or updating existing services which process personal data will institute Data Protection by Design and Default. This means that the appropriate data protection technical and organisational measures are implemented at the design stage of the service and not bolted on at the end as an afterthought.  

A Data Privacy Impact Assessment may be carried out to assist in this matter. A DPIA is a mechanism for identifying quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high-risk processing (such as processing “health data”) is introduced. 

When undertaking a DPIA, an organisation’s designated Data Protection Officer must be consulted. Any DPIA must be completed before any new process, system or way of working goes live (i.e. at the business planning stage of a project) where it involves high risk processing. The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals. The Council uses the Information Commissioner’s template for any DPIA. 

Where services are likely to be accessed by children, the Council will take into account children’s specific protection needs, including their different levels of understanding and vulnerability, as part of data protection by design and default and to explain how their data is collected and used. 

Wirral Council will provide to any individual who makes a request either in writing, by email or verbally, for their personal data; a reply stating whether we hold personal data about them. A copy of that information in clear language will be given, unless specific legal exemptions apply. The Council will respond to requests for access to personal data without undue delay and within one month, in accordance with data protection law. 

The data subject has the right to have records amended if they are inaccurate. Wirral Council do not make a financial charge for this service. 

You can make a request via email to DPO@wirral.gov.uk or informationmanager@imt.wirral.gov.uk; 

You can make a request by writing to: 

Data Protection Officer 
Wirral Council 
PO Box 290 
Brighton Street 
Wallasey 
Wirral 
CH27 9FQ 

The Act requires the Council to be satisfied that the individual requesting the information is legally entitled to receive it. In the case of requesting information on behalf of a third party, we would need proof of identity of the third party and their written or verbal consent to allow us to disclose their information to the requester. Therefore, in order to progress an enquiry the Council would first require a requestor to provide two documents which confirm your identity and current address. 

Acceptable proof of identity (one of the following): 

• current Passport
• birth certificate
• unexpired photo card licence (full or provisional) 

Acceptable proof of current address (one of the following): 

• utility bill dated within the last 3 months
• council tax bill for current year
• unexpired old style paper driving licence
• bank statement dated within the last 3 months
• benefits agency/state pension correspondence (on letter header paper) dated within the last 3 months 

These ID documents can be scanned and emailed to either of the email address given above or posted to the surface mail address shown above.   If emailing or posting, please note to send photocopies only and not original documents. 

Data sharing within Wirral Council, to council officers or elected members will only be conducted as per the lawful basis for processing the personal data and within the stated Principles of The Act and GDPR. In addition to existing lawful bases, the Council may process personal data where this is necessary for recognised legitimate interests as defined in legislation, such as safeguarding, prevention of crime, or responding to emergencies, in accordance with applicable safeguards. 

For further information see Wirral Council’s Principal Privacy notice for its lawful basis for processing personal and special category data; who and why we are required to share personal information; and your rights. 

Departments receiving requests for information must decide on a case by case basis whether disclosure would be appropriate under your Right of Access as certain limited exemptions apply (See 2 Rights of Access above).  

The Council maintains procedures to record, monitor, and respond to data protection complaints and uses this information to identify trends, improve services, and support compliance with data protection legislation. Advice is available from the Council’s Data Protection Officer. 

The Council ensures that personal data is treated as confidential. IT systems are designed to comply with the Data Protection Principles. This ensures that access to personal data can be restricted to identifiable system users. 

Wirral Council is committed in its aim that all appropriate staff will be properly trained, fully informed of their obligations under the Act, and made aware of their personal liabilities. The Council expects all of its staff and members to comply fully with this Policy and the Data Protection Principles. Disciplinary action may be taken against any employee who breaches any of the instructions or procedures following from this Policy. 

It is the responsibility of the Data Protection Officer to assist the Council to ensure compliance with this Policy, to specify the procedures to be adopted, and to ensure Wirral Council abides by the legislation. The main duties of the Data Protection Officer in relation to Data Protection are: 

1. maintenance of the Council’s external notifications under the Act, acting as the interface with the Office of the Information Commissioner
2. development, update and publication of Data Protection procedures
3. ensure compliance with Data Protection procedures and practices
4. initial contact point for corporate non-social care subject access requests
5. in conjunction with Human Resources, organise education and training seminars regarding Data Protection issues 

In addition to the formal responsibilities outlined above, all officers and members have a duty to observe the Data Protection Principles and the procedures referred to in this document. 

Jane Corrin 
Data Protection Officer 
June 2026