General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

How we process and handle data, with the key aim of giving greater protection and rights to individuals.

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation which came into force on 25 May 2018. It changes how organisations process and handle data, with the key aim of giving greater protection and rights to individuals.

The GDPR replaces the Data Protection Act 1998.

The UK is in the process of implementing a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small differences, but once the Bill has passed through Parliament and becomes an Act, UK law on data protection will largely be the same as that of the GDPR.

Main principles

The GDPR states that personal data must be:

  • processed lawfully, fairly and in a transparent manner
  • collected only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • held only for the absolute time necessary and no longer
  • processed in a manner that ensures appropriate security of the personal data

For more information on the GDPR visit Information Commissioner's Office.

Individuals' rights under the General Data Protection Regulation (GDPR)

Individuals have eight rights under GDPR, which reinforce those already in place under the Data Protection Act. These are:

  1. lawful, fair and transparent
  2. purpose limited – specified, explicit, legitimate purposes not incompatible
  3. data minimisation - adequate, relevant and limited to what is necessary
  4. accurate – accurate and kept-up-to-date where necessary
  5. storage limitation – kept in a form which permits identification for no longer than necessary
  6. integrity and confidentiality – appropriate security and protection against loss etc

Make a data protection request

Please refer to our page make a Data Protection Request

How we use your information

We are committed to protecting your privacy when you use our services. Read more about privacy at how we use your information

Information sharing

Increasingly, public authorities need to share information in order to provide efficient and effective services. By linking up information resources, both internally and with other organisations and partners, we can deliver effective services. The Council works with a number of partners including but not limited to the following:

  • Central and Local Government
  • health and social care providers
  • commercial organisations
  • research institutions
  • schools and other education providers
  • voluntary and community establishments

Data Protection legislation is not an automatic barrier to information sharing. The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 allows organisations to share information for a variety of reasons including safeguarding vulnerable individuals and for the purpose of preventing and detecting crime.

Sharing personal information presents risks and opportunities that need to be managed correctly. The Council has processes and policies in place to manage sharing of personal data. These comply with Data Protection principles including:

  • the purposes for sharing data, including the data protection lawful bases and, where relevant, special category conditions
  • ensuring all parties involved comply with individual rights and have appropriate technical and organisational measures to secure the information
  • establishing that the information shared is relevant, accurate, and only retained for as long as necessary

For routine information sharing, where appropriate, this is accomplished through formal Information Sharing Agreements and in compliance with the Council’s Data Protection, Information Sharing, and Information Security policies.

More information on how the Council uses and shares personal information can be found on our Privacy Statement.

Access to IT systems by third parties

All access to Worcestershire County Council (WCC) and Worcestershire Children First (WCF) IT systems and services by 3rd Parties need either a Contract or an Information Sharing Agreement, to ensure that all requirements, including Data Protection, are in place. 

If you are a member of a third party organisation and you have been sponsored by a WCC or WCF member of staff to access a system for a particular purpose aligned with Data Protection Legislation, you will need to personally sign a Third Party Access Agreement.

Please ensure that you attach the completed, signed form, to the email you received asking you to sign this form, so that access can be set up for you.  Access will not be granted until this agreement has been signed and returned.


GDPR terminology


The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the DPA 1998 this was a 'Data Controller'.

Data Protection Officer (DPO)

GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities. A DPO is an independent expert on data protection who works to ensure an organisation is adhering to the requirements of GDPR.

Information Commissioner's Office (ICO)

UK’s independent supervisory authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Personal Data

Any information relating to an individual (‘data subject’); who can be identified, directly or indirectly, from the information. In particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


Any operation, or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means. Examples include: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. In the DPA 1998 this was a 'Data Processor'.

Was this page useful?