Data Protection

This page sets out key data protection information and how the council aims to give you more control over your information. 
Data protection is about ensuring that you, as a data subject, are able to trust that we only use your data fairly and responsibly.

The UK data protection regime is set out in the Data Protection Act 2018, along with the retained EU law version of the General Data Protection Regulation (the “UK GPDR”). 

Whenever we process your personal data, we will ensure that this is only done in accordance with the seven key principles set out in the UK GDPR. Your data will be:

  • processed lawfully, fairly and in a transparent manner; 
  • obtained for a specified, explicit and legitimate purpose; 
  • adequate, relevant and limited;
  • accurate and, where necessary, kept up to date;
  • kept no longer than is necessary;
  • protected with appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction;
  • documented to demonstrate our accountability and compliance with these principles.

The UK GDPR gives you the following individual rights: 

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and 
  • rights in relation to automated decision making and profiling. 

If you would like to make a subject access request for your personal information, please visit our subject access request page
To find out more about your rights and how to enforce them, please see our corporate privacy notice and the Information Commissioner’s Officer page on your rights.  

Our corporate privacy notice sets out the Council's corporate privacy information, however, you may receive a separate privacy notice setting out more specifically what personal data we are seeking from you and why.


This privacy information may be made available to you through a form when you request a service or over the phone when you call us for example. For more information on how we process your personal data for our services please see below:

We are required to maintain an Appropriate Policy Document which outlines our compliance measures and retention for special category and criminal offence data. Our latest Appropriate Policy Document can be accessed here.

The Council's Retention schedule sets out a list of records for which pre-determined retention dates have been established. The Retention Schedule brings together the following information:

  • The name and purpose for processing of the Council's data processing activities; 
  • disposal, pseudonymisation or anonymisation of those records which have completed their retention period;
  • storage of records which have to be kept after their retention period insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Please see the East Herts Council - Retention Schedule in the documents section for more information. 

In some circumstances, the police and other authorised agencies can request access to personal information held by the Council for specified purposes. These types of requests may be permitted if an exemption under Schedule 2 Part 1 of the Data Protection Act 2018 applies. 

The Data Protection Act does not give an automatic right of access to information, however, it does allow the Council to assess the merits of requests and decide whether or not to apply an exemption. 

Please see the Information Commissioner's guidance on the Data Protection Act exemptions. To make a request under an exemption, please complete our data sharing request form. This form will be sent to the Council's Data Protection Officer for consideration. 

For more information or assistance, please contact the Council's Data Protection Officer by emailing data.protection@eastherts.gov.uk.