Read about our information rights policy.
This policy formalises Torbay Council’s (the Council) approach in promoting and facilitating our citizen’s information rights. In particular, it sets out the Council’s commitment to the following principles:
The Chief Executive and the Senior Leadership Team have ultimate responsibility for ensuring all departments across the Council comply with the requirements of access to information legislation, and must ensure an effective Council-wide information management approach.
The Caldicott Guardian is a senior officer responsible for protecting the confidentiality of information about our customers as well as enabling appropriate information sharing specifically in relation to information processed by social care services.
The SIRO has ownership of the risks associated with the information assets we hold and should act as an advocate for the organisation's information risk.
This is a mandatory requirement for all public authorities, therefore we must have in place a Data Protection Officer who is responsible for monitoring our compliance to data protection law and advising the senior leadership team and all staff of their roles and responsibilities.
The Information Governance Team supports the Data Protection Officer in ensuring that the Council complies with access to information legislation. They support the whole Council in ensuring that requests made for information are carried out in accordance with the legislation and local policies.
The GDPR provides the following rights for individuals in respect of the personal information an organisations holds and processes:
Individuals have the right to be informed about the collection and use of their personal data. The Council is committed to ensuring that we are transparent and open about how we use the information we hold about our customers and our staff.
We will:
There may be some instances where we are not able to provide a privacy notice, these instances could include:
Individuals have the right to access their personal data and further information. The right of access also allows individuals to be aware of and verify the lawfulness of the processing. Individuals have the right to:
The right to access personal data can be exercised by anyone through a subject access request submitted to the Council. In order to process a request under this right, The Council will require the following:
Although a request can be made to the Council verbally, we will only accept requests made in writing that clearly set out the information being requested.
The Council will provide you with a response to your subject access request via either secure email or in the post via special delivery. Where any exemptions have been applied to the request these will be communicated to you as part of the response.
Individuals have the right to request that information about them be corrected (rectified) where it has been established that it is inaccurate, or incomplete.
Although a request can be made to the Council verbally, we will only accept requests made in writing that clearly set out the information to be rectified and why. This ensures the Council has an audit trail of any changes which are made to personal data. If a request is received verbally, we will confirm to you the changes being requested, in writing, before the request is processed.
There may be times at which we will request that you provide identification before any changes are made to your personal data, for example, to request changes to children’s social care files, or for historical data / information.
Upon receipt of a valid request we will:
The GDPR has introduced a right for individuals to have personal data erased. This is also known as the right to be forgotten.
Although a request can be made to the Council verbally, we will only accept requests made in writing that clearly set out your request. If a request is received verbally, we will confirm to you the information you have requested be erased, in writing, before the request is processed.
This right only applies in certain circumstances:
Where the processing of personal information for any of the following purposes is necessary, this right will not apply:
Upon receipt of a valid request we will provide you with a unique reference number which, should your request be completed, be the only means of auditing that a request has been complied with as all other data will be erased.
Individuals have the right to request that a data controller restricts or suppresses the processing of their personal data. This means that you can request that an organisation limits the way personal data concerning you is used, where you have a particular reason for wanting the restriction. This may be because you feel there are issues with the content of the information held or how it has been processed.
Although a request can be made to the Council verbally, only requests made in writing that clearly set out your request will be accepted. If a request is received verbally, we will confirm to you the processing you have requested be restricted, in writing before the request is processed, unless we stop processing immediately as is the case with right of objection under direct marketing.
This right only applies in certain circumstances:
Upon receipt of a valid request, which meets the criteria set out above, we will:
The GDPR gives individuals the right to obtain and reuse their personal data for their own purposes across different services and organisations. This means that you can request personal data concerning yourself, previously provided by you and receive it in a commonly used and machine readable format. You also have the right to the transmission of that data via one service or organisation to another (data controller) without hindrance.
This right only applies in certain circumstances:
Upon receipt of a valid request we will provide you with your personal data in a structured, commonly used and machine-readable format, this may include a CSV file.
If requested by you, we will securely transmit the personal data to another organisation if this is technically possible.
Where the personal data concerned may include the personal data of other individuals, the Council will always consider whether complying with the request would impact on the rights of the other individuals.
The right to object allows individuals to object to an organisation processing their personal data in the following circumstances:
In exercising this right, you as an individual must have an objection on ‘grounds relating to his or her particular situation’. The Council must comply with a request, unless:
Where personal data is processed for direct marketing, the Council will stop the processing activity as soon as it receives a request and will dealt with free of charge.
In order to exercise the right to object to processing for research purposes, you must have set out what the ‘grounds relating to his or her particular situation’ are. Where the processing for research is necessary for the performance of a public interest task, the Council is not required to comply with the request.
Individuals have the right not to be subject to a decision based solely on automated means, including profiling, where the automated process produces a legal effect for that individual or would significantly affect that individual.
This right does not apply if the decision:
Where a decision is based on the above points, we will ensure that you are able to request that human intervention is taken in respect of the decision and provide the opportunity for you to challenge a decision.
The Council will review systems regularly to ensure they are working as intended. Any new processes which include automated decision making will always be subject to a Data Protection Impact Assessment.
Where a request is manifestly unfounded or excessive Torbay Council reserves the right to charge a reasonable fee in order to provide a response. Any fee charged will be based on the administrative costs to process the request. In circumstances where a fee is charged, the individual will be informed promptly and the Council will not comply with the request until the fee has been received.
Torbay Council also reserves the right, in cases where a request is manifestly unfounded or excessive, to refuse response to a request. Where a request is refused the Council will provide an explanation and will inform the individual of their right to complain and how to properly do so.
For requests made under the right of access (subject access requests) the Council will always ask for two forms of identification as to be assured that information is being disclosed to the correct individual.
In considering requests made in respect of any of the other rights outlined in this policy, the Council reserves the right to request identification as to be assured that the individual making the request is an individual who can exercise these rights.
If you are acting as a representative on behalf of an individual; the Council will always require proof that the representative can legally act in the interests on behalf of the individual, i.e. form of authority demonstrating consent.
Upon receiving requests the Council will:
Where a request is complex or a number of requests have been received from a single individual, the Council may need to extend the timeframe by a further two months. We will always keep you informed if and when an extension is applied, providing the reason and clear expectation of when you should receive the response.
In relation to subject access requests, the Council may need to extend the timescales by where this is a significant amount of information to be reviewed, we may extend the timeframe by a further two months (62 calendar days). We will always keep you informed if and when we apply this extension.
Example: if the Council receives a request on 30 March, the time limit starts from 31 March. As there is no equivalent date in April the Council has to respond by 30 April.
If the 30 April falls on a weekend or a Bank Holiday, the Council has until the end of the next working day to comply with the request.
The Freedom of Information Act 2000 (FOI) and Environmental Information Regulations 2004 (EIR) provides individuals with a right of access to non-personal information held by the Council creating openness and transparency, unless an exemption applies.
The legislation applies to all recorded information held by the Council where it is:
If information is requested and is held by the Council, then it must be disclosed unless there is an exemption to restrict/prevent its release.
The Council is obliged under FOI and EIR to:
Torbay Council is required to publish and maintain a Publication Scheme approved by the ICO. The Publication Scheme is both a public commitment to make certain information available and a guide as to how that information can be obtained. The Council’s Publication Scheme can be found on our website.
As part of its Publication Scheme and in accordance with ICO good practice, the Council also produces and maintains a log of requests called "the Disclosure Log". The Disclosure Log provides details of responses to information requests which have been received and are deemed to be of public interest. In order to maintain our commitment to the public; these logs are depersonalised in accordance with Data Protection Law.
To make a request under FOI you must:
Under Section 8(1) of the Act, in order for a request to be valid, an applicant must supply what is deemed to be a “real name”. Therefore your title and/or first name along with your surname is required.
For example Mr Arthur Thomas Roberts could satisfy Section 8(1)(b) of the Act by stating his name in a request for information as “Arthur Roberts”, “A. T. Roberts”, or “Mr Roberts”, but not by stating his name as “Arthur” or “A.T.R”.
An EIR request can be made verbally or in writing, however we will require your contact details as we are required to respond to an EIR request in writing.
On receipt of a valid request, the Council will:
Under FOI and EIR there are a number of exemptions that remove the right of access, these are:
| Exemption | Description | |
|---|---|---|
| Section 21 | Information accessible by other means (including where a fee is payable) | Absolute |
| Section 22 | Information intended for future publication | Qualified |
| Section 23 | Information supplied by, or relating to, bodies dealing with security matters | Absolute |
| Section 24 | Safeguarding national security | Qualified |
| Section 26 | Prejudice to defence | Qualified |
| Section 27 | Prejudice to international relations | Qualified |
| Section 28 | Prejudice to relations within the UK | Qualified |
| Section 29 | Prejudice to the economy | Qualified |
| Section 30 | Investigations and proceedings conducted by public bodies | Qualified |
| Section 31 | Prejudice to law enforcement | Qualified |
| Section 32 | Court records (including tribunals) | Absolute |
| Section 33 | Audits of Accounts / Audit functions | Qualified |
| Section 34 | Parliamentary privilege | Absolute |
| Section 35 | Formulation of Government Policy | Qualified |
| Section 36 | Prejudice to effective conduct of public affairs | Both |
| Section 37 | Communications with Her Majesty etc. and Honours | Qualified |
| Section 38 | Health and Safety | Qualified |
| Section 39 | Environmental Information | Qualified |
| Section 40 | Personal Information | Both |
| Section 41 | Information provided in confidence | Absolute |
| Section 42 | Legal professional privilege | Qualified |
| Section 43 | Commercial Interests | Qualified |
| Section 44 | Disclosure prohibited under another Statute; prohibitions on disclosure | Absolute |
| Exception | Description |
|---|---|
| Regulation 12(3) | Personal Information |
| Regulation 12(4)(a) | Information not held when request received |
| Regulation 12(4)(b) | Manifestly unreasonable |
| Regulation 12(4)(c) | Request is too general |
| Regulation 12(4)(d) | Information which is unfinished or in the course of being completed |
| Regulation 12(4)(e) | Internal communications |
| Regulation 12(5)(a) | Adverse affect on international relations, defence, national security and public safety |
| Regulation 12(5)(b) | Adverse affect on course of justice, ability to obtain fair trial or ability to conduct an inquiry or a criminal or disciplinary nature |
| Regulation 12(5)(c) | Intellectual property rights |
| Regulation 12(5)(d) | Confidential proceedings as provided by law |
| Regulation 12(5)(e) | Commercial or industrial confidentiality as provided by law |
| Regulation 12(5)(f) | Commercial Interests |
| Regulation 12(5)(g) | Protection of the Environment |
| Regulation 12(6) and 12(7) | Neither Confirm nor Deny |
| Regulation 12(9) | Emissions |
Where an exemption is used to withhold information we will issue a refusal notice in response to a request.
Where the Council is applying an exemption to any information requested and the exemption is qualified, it is required to consider the public interest test. The public interest test determines whether the public interest is best served by, withholding or releasing the information.
When the cost of providing information rises above the appropriate limit the Council is not obliged, under the Freedom of Information Act 2000, to respond to your request under Section 12(1) of the legislation.
The appropriate limit is specified in regulations for local government as £450 which represents the estimated cost of spending eighteen hours in determining whether the Council holds the information, locating, retrieving and extracting it.
The Council has discretion whether to proceed with a request which exceeds the appropriate limit. If so, there is no requirement to issue a fees notice as there is no obligation to comply with the request.
Under EIR there is no “cost limit” for dealing with requests. However, requests that cost a disproportionate amount can be refused on the basis they are manifestly unreasonable or too general, subject to the public interest test (Regulation 12). We may also charge a fee for providing information in a certain format as detailed in the Council’s published Charging Policy.
If a customer is unhappy with the Council’s response to a request they have made, they have a right to make a complaint. These complaints will be processed as Internal Reviews in line with this policy.
Although the Council only has a statutory duty to have an Internal Review Procedure in place for use with complaints about requests made under the Environmental Information Regulations 2004, the Council also adopts these procedures for complaints about Freedom of Information Act Requests and requests made under the Data Protection Law.
To request an internal review, the customer must contact the Council in writing within 40 working days after the date on which the response is sent or when the request was due. The customer must set out the reasons why they are requesting a review.
The Information Governance Team considers an internal review will be where a customer advising us that they are unhappy about the Council’s decision to withhold information or about the way in which their request has been dealt including where the customer considers that the Council has:
Where a complaint does not fall under the examples given above, we may deal with the complaint under the Council’s Corporate Complaint Procedures. Visit our website for more information about our Corporate procedures.
If possible, the Information Governance Team will try to resolve your complaint informally and provide you with a response within 15 working days. We will consider whether we can handle a complaint informally based on the information requested, the exemptions applied, or any other related circumstances. If we consider we cannot handle the complaint informally we will carry out an Internal Review and will:
The appointed officer will:
* In exceptional circumstances it may be necessary to extend the response time by a further 20 working days. If this is the case you will be notified as soon as possible with the reasons why alongside a revised response date.
If, after going through the Council’s Internal Review Procedure, you remain unhappy with our decision you can contact the Information Commissioner’s Office, whose contact details are available on their website www.ico.org.uk
FOIA, EIR and DPA are enforced by the Information Commissioner. The Information Commissioner is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Complaints about decisions made by the Council relating to any of the Access to Information legislation can be made to the Information Commissioner who will make a decision as to whether the Council has dealt with the request in accordance with the relevant legislation.
The Information Commissioner can however refuse to investigate a complaint where a customer has not been through the Council’s own Internal Review Procedure.
For more information about the Information Commissioner please visit www.ico.org.uk.
This policy and those policies which sit underneath this framework will be reviewed every two years and updated accordingly.
For further information please contact Infocompliance@torbay.gov.uk
| Version Number | Originator | Date of Change | Change description |
|---|---|---|---|
| 1.1 | Jo Beer | April 2018 | Policy creation |
| 1.2 | Jo Beer | August 2018 | Policy review |
| 1.3 | Jo Beer | October 2021 | Policy review |
| 1.4 | Jo Beer | May 2023 | Policy review and update |