The General Data Protection Regulation (GDPR) came into force on 25th May 2018. From that date your rights in
relation to the personal data that High Life Highland holds changed.
This guide gives you a summary of these rights, how you access your rights and any restrictions which exist.
Definitions
The GDPR covers ‘personal data’. Personal data means any information relating to an individual (data subject is
the term used by the legislation) who can be identified, directly or indirectly, from that information. Individuals
can usually be identified because the personal data contains or is linked to an identifier such as a name, an
identification number, location data, an online identifier (e.g the IP number of your computer or a social media
account name). However, other characteristics which can lead to the identity of an individual are also personal
data.
This guide refers to ‘processing’. Processing means any operation or set of operations which is performed on
personal data or on sets of personal data including collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, restriction, erasure or destruction. Processing can be automated or
manual.
High Life Highland delivers services on behalf of the Highland Council. The data controllers are therefore The
Highland Council. High Life Highland are the processors of this data.
An organisation such as the Council which decides how personal data should be processed is known as a ‘data
controller’. The Council is obliged by the GDPR to publish information about the processing of personal data that
it carries out (Articles 13, 14 and 30). This information is published on our web site
https://www.highlifehighland.com/gdpr/privacy-notices/
General Approach to Rights
Each of the rights described below has a common set of standards which High Life Highland must adhere to:
- Requests can be made in writing or through our website but we must accept requests submitted by
email or other electronic means. - High Life Highland may request identification to ensure that the information is provided to the right
person. - All requests must be responded to in one month.
- Where High Life Highland fails to respond in one month it must provide an explanation and inform
you of your right to contact the Information Commissioner’s Office to complain. - The response time can be extended to two months if the request is complex. High Life Highland
must inform you of the extension within the first month and provide an explanation. - The information provided in a response must be clear, concise and in plain English.
Your Data Protection Rights
High Life Highland doesn’t have to respond to requests that are considered “manifestly unfounded
or excessive” or can charge a reasonable fee to cover the costs of complying with these requests.
In these cases we must provide an explanation which demonstrates that the request is
unreasonable.
Right of Access
You have the right to access the personal data that High Life Highland holds about you.
To request your data complete a Subject Access Request form, which can be found on the website.
Please provide a form of photographic identification which can be linked to your home address as we
need to be sure that we do not provide your personal data to the wrong person.
As well as providing a copy of the personal data held, High Life Highland must inform you of the
purpose(s) for which your data is used and the categories of information which are being processed.
If the information is shared with other organisations, High Life Highland must tell you which
organisations and, if the data is transferred out with the European Economic Area (the EU plus
Iceland, Liechtenstein and Norway) or provided to an international organisation, we must provide
details of the safeguards in place to protect your personal data.
Restrictions affecting the Right of Access
If High Life Highland refuses to provide you with information because of a restriction, we will usually
explain the reasons for this to you, unless the circumstances prevent this.
High Life Highland also has to protect the privacy of other people’s personal data when providing you
with access to yours. This means that data relating to other people may have to be redacted
(removed or blacked out) in order to comply with your subject access request.
You don’t have a right to access anyone else’s personal data unless you are their parent or guardian,
have full power of attorney or they have explicitly given you permission and you can provide
evidence of this to us.
Right to Rectification
You have the right to ensure that the personal data held about you is accurate and up to date.
Where there is a disagreement about the accuracy of the information held, you have the right to
request that a statement is added to your information explaining this and including the information
you believe to be accurate.
Where reasonable and appropriate, High Life Highland must inform other organisations that it has
disclosed the relevant data to, that the data wasn’t accurate to enable them to correct their records
too.
Requests for rectification can be put in writing to High Life Highland (contact details below), describing the data that is inaccurate and providing the required corrections.
Right to Erasure
Known as the right to be forgotten, you have the right to have information held about you deleted in
the following circumstances:
• The data is no longer necessary for the purposes for which it was collected
• The data was being processed on the basis of your consent and you withdraw your consent
• You object to High Life Highland processing your data on the basis that it doesn’t have legal grounds
to do so
• The data has been processed unlawfully
• There is a legal obligation on High Life Highland to erase the data
• The information was processed online
Requests for erasure can be put in writing to High Life Highland’s (contact details below), describing
the data that you wish to be erased.
Where High Life Highland has published data or disclosed it to other organisations, and agrees to its
erasure, we are also obliged to take reasonable steps to make the other data controllers who have
received that data aware of the erasure request.
Exemptions from the Right to Erasure
There are some situations where High Life Highland may refuse to comply with your request for
erasure:
If High Life Highland is obliged by legislation to continue processing.
- If the processing is in the public interest and High Life Highland has the Legal Authority to continue
processing. - If the data relates to public health and it is in the public interest to continue processing.
- If the information is being used for archiving in the public interest, for research or for statistical
analysis. In these cases, we must ensure appropriate safeguards are in place to protect the personal
data concerned. E.g. by keeping the minimum amount of information required or by removing
personal identifiers.
- If the information is required for the establishment, exercise of defence of legal claims.
Where an exemption to the right of erasure applies, High Life Highland must inform you and provide
an explanation.
Right to Restrict Processing
You have the right to request that the processing of your data is restricted. This means that High Life
Highland are unable to use your data, change it or delete it for a period of time. Restriction may be
requested under the following circumstances:
- You consider that the information is inaccurate and have informed High Life Highland. Processing
may be restricted for a period of time to give us the opportunity to verify the accuracy of the data. - You believe that the processing is unlawful but you don’t want the data erased, for example until
such time as you have raised a complaint. - You want High Life Highland to retain data that it would otherwise intend to delete in order that you
can use it for the establishment, exercise or defence of legal claims. - You have objected to the processing of the data (see below). The processing may be restricted while
your objection is considered.
Requests for restriction can be put in writing to High Life Highland’s Data Protection Officer (contact
details below), describing the data that you wish to be restricted.
When processing is restricted, no processing may take place (other than storage) without your
permission unless the data is required for the defence of legal claims or the protection of the rights
and freedoms of other people or businesses. The data may also be processed where there is an
important public interest in doing so.
High Life Highland must inform you before it lifts the restriction on processing.
Where reasonable, High Life Highland must inform other organisations that it has disclosed the
relevant data to, that the processing of that data has been restricted.
Right to Data Portability
You have the right to request a copy of your personal data in a common electronic format. This right
only applies where:
1) you have provided the information to High Life Highland; and
2) High Life Highland is processing the data on the basis of your consent or to fulfil a contract; and
3) the information is processed automatically.
Therefore, this right applies to the information held on your Library Card and to information which is
recorded about your use of your card.
If you have an all-inclusive leisure membership, this right would apply to information about you held
on the Leisure Management System and details of your membership.
Data Portability also gives you the right to ask High Life Highland to transfer your data to another
organisation e.g. The Highland Council and the NHS.
Requests for portable data can be put in writing to the High Life Highland (contact details below),
describing the data that you wish to receive and giving details of any other organisation you would
like High Life Highland to transfer your data to.
The Right to Data Portability doesn’t apply to all personal data
The right to data portability doesn’t apply to paper records although there is a duty under the right
to access for this information to be provided to you in a common electronic format (e.g. pdf).
This right does not apply where High Life Highland is under a legal obligation to process your
personal data, where it carries out tasks under official authority or in the public interest.
If a set of electronic data contains information about more than one data subject High Life Highland
will have to consider if it is possible to provide the data requested without breaching the privacy of
other people. If this is not the case then we may have to refuse your request.
Right to Object to Processing
You have the right to object to some forms of processing carried out by High Life Highland. This
depends on the reason for processing the data that High Life Highland relies on.
You have the right to object to direct marketing and if you object to this then High Life Highland must
stop processing your data for that purpose. You also have the right to object to your data being used
for research or statistical analysis. If you object to this use of your data High Life Highland would
have to consider your objection in light of the reasons for carrying out the research or analysis. This
would involve considering the safeguards in place, the public interest in carrying out the research
and the impact of not including your data.
If High Life Highland processes your data in the exercise of its official authority or in the public
interest you may object to this processing. In this case, High Life Highland would either have to stop
processing the relevant data or explain to you the reasons why it believes it has compelling
legitimate grounds to continue processing despite your objection.
Right to Object to Automated Decisions and Profiling
You have the right to object to processing which involves automated decision making and profiling.
However, you can’t object if the processing is necessary for entering into a contract with High Life
Highland, if the processing is required by UK legislation or if you have given your explicit consent.
If you are dissatisfied by the outcome of automated decision making, you must be given a means to
express your opinion, you must be able to contest a decision and you can also request that
automated decisions are carried out by a person instead.
Making a Request
A Subject Access Request can be made online at:
https://www.highlifehighland.com/gdpr/subject-access-requests/
You can also contact High Life Highland by email: DPO@highlifehighland.com
Or in writing to:
Highland Archive Centre
Bught Road
Inverness
IV3 5SS
Contact the Data Protection Officer
Under GDPR High Life Highland are required to appoint a Data Protection Officer. This service is provided
by the Highland Council.
High Life Highland Data Protection Officer is available to assist you with any enquiries you have about
your rights under the GDPR. If you have any difficulty understanding the information above, please
contact the Data Protection Officer (see below) for further assistance. If you have contacted High Life
Highland about your personal data and are dissatisfied with the response received, the Data Protection
Officer will be able to look into these matters for you.
You can contact the Data Protection Officer in writing:
Data Protection Officer,
Highland Council,
Headquarters
Glenurquhart Road
IV3 5NX
By email: DPO@highlifehighland.com
By telephone: 01463 702029
Contact the Information Commissioner’s Office
If you are dissatisfied with the way in which the Council responds to your requests or if you are unhappy
with the way your personal data is being managed by the Council, you have the right to complain to the
Information Commissioner who is the Supervisory Authority for the UK.
You can contact the Information Commissioner’s Office in writing:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Your Data Protection Rights
Cheshire
SK9 5AF
Tel: 0303 123 1113
https://ico.org.uk/global/contact-us/
