Data Protection Act

The act regulates how we manage personal information related to living individuals. It applies to computer and manual records, lays down principles for the way in which we process personal information. It gives you rights to access the information we hold about you, or someone you represent, and to have inaccurate data corrected or erased.

How we manage personal information

We collect, record, hold and process personal information to deliver appropriate services.

We are required by law to protect the public funds we administer. To prevent and detect fraud, we may share personal information:

  • internally
  • with other government agencies 
  • with bodies responsible for auditing or administering public funds 

We may also share personal information:

  • with appropriate staff involved in meeting your needs
  • with agencies such as health, contracted agencies and other local authorities
  • where there is a concern that a child or adult is at risk of harm
  • where we have information that a serious crime is planned or has been committed
  • where we have been told to by a court
  • for training purposes, including observations and assessments undertaken by external providers of staff and student social workers and occupational therapists in practice 

In adult social care we also apply the Caldicott Principles to ensure:

  • your personal information will always be treated in a confidential manner, with care and discretion
  • staff are made aware of the importance of treating sensitive and personal information with care
  • information is only shared to assist in planning and providing the best possible service
  • if you are receiving support from adult social care then the NHS may share your NHS number with us. For more information about this, please read the personal demographic service and NHS numbers page  

The Dorset Care Record (DCR)

Your information may also be shared via the DCR, an electronic record linking health and social care information from Dorset General Practices (doctors’ surgeries), Borough of Poole Council, Bournemouth Borough Council, Dorset County Council, Dorset County Hospital, Dorset Healthcare University NHS Foundation Trust, NHS Dorset Clinical Commissioning Group, Poole Hospital, and Royal Bournemouth and Christchurch Hospitals to improve care in Dorset.

Having the ability under the Dorset Care Record to access the same information and share it more readily will allow medical and social care professionals to decide more quickly what treatment you may need and the best way to help and care for you. This will help provide you with better healthcare. At the same time we do recognise the importance of protecting personal confidential information in all that we do and take care to meet our legal requirements. How we will use and look after your information is explained in the Dorset Care Record privacy notice

Data protection principles

We process personal information about you in a way which is:

  • fair and lawful
  • only for specified and lawful purposes
  • adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed
  • accurate and where necessary, we keep it up to date
  • not kept longer than is necessary
  • processed in accordance with your rights under the act
  • secure
  • not transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection 

You can read more about the principles in our Data Protection policy and the Information Commissioner's Office website.

The Caldicott principles are based on the act and we must:

  • justify the purpose for which the information is needed
  • only use personal information when absolutely necessary
  • use the minimum personal information possible
  • ensure that access to the information is on a strict 'need to know' basis
  • ensure that everyone is aware of their responsibilities to respect clients confidentiality
  • understand and comply with the law
  • have confidence to share information in the best interests of clients when there is a need to 

Further information is available from:

The Information Management Officer
Commissioning and Improvement
People Services
Civic Centre
BH15 2RU


Accessing your personal information (subject access request)

You have the right to ask for a copy of the information we hold about you. This is known as a subject access request.

To make a subject access request you must write to us:

To help us deal with your subject access request, please tell us:

  • the type of information you want; for example, emails, letters, records about services you receive
  • the section or department of the council that holds your information, if you know it
  • any relevant dates 

We cannot insist that you complete the subject access request form but it might help with your request if you do. 

We may ask you to produce proof of ID if we cannot identify you from any records we may hold.

We cannot charge a fee to provide this information to you unless you request copies of information already provided.

Once we have enough information to process your request, we have 1 month (30 calendar days) in which to respond to your request. If we need more time, we will contact you to let you know.

The act has some exemptions which means we may not, in some circumstances be able to provide information. An example of this might include employment references or details of a complaint. If you make a subject access request and we consider that information is exempt we will explain why.

Accessing personal information about someone you represent

If you are acting on someone's behalf, for example as an attorney, legal representative, or guardian, you need to send us proof of your authority in addition to the instructions above.

What to do if your personal information is not correct

You must write to inform us and ask for it to be corrected. We must tell you within 21 days what we have done about it. If we do not agree that the information is incorrect, you may ask us to record your disagreement. You can also appeal to the Information Commissioner's Office or apply to a court for an order to correct, block, erase or destroy the inaccurate information.

How we handle complaints about data protection

Please let us know if you are not happy about the way we:

  • are using your personal information
  • you believe the personal information we hold about you is wrong 

We will deal with your complaint under our feedback policy.

If you are not satisfied after we have responded to your complaint, you may make a further complaint to the Information Commissioner's Office.

If you are not satisfied with how we have dealt with a subject access request, you can complain to the Information Commissioner direct.

Page last updated: 07 February 2019
Help us improve
This is just for feedback on our website, not comments or questions about our services. Feedback on services will not be passed on. To tell us anything else, contact us.

Please don't include any personal or financial information.