The Data Protection Act 2018 came into force on 25th May 2018 in the UK. The Act implements the General Data Protection Regulation (now UK General Data Protection Act) in national law. The UK GDPR has 2 key objectives:
- To facilitate a free movement of data by creating a consistent data protection regime across the Union.
- To provide a framework that more accurately reflects how we use data today and therefore better protect the rights and freedoms of individuals.
Data protection and the GDPR – January 2021
As the UK transitional arrangements expired on 31 December 2020, there are some practical changes for Data Protection and GDPR.
To comply with the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019, please note that every policy, notice and procedural guide that refers to ‘GDPR’ shall now be read as ‘UK GDPR’.
The rights, responsibilities and data protection that the Data Protection Act 2018 and the GDPR are not changed. Our procedures and arrangements will not change.
If you have any queries, please contact TLP’s GDPR Lead on firstname.lastname@example.org
Data subject rights
At its core, the UK GDPR is about ensuring the privacy of the individual. The UK GDPR provides data subjects with 8 rights that they may exercise when their personal data is being processed; these rights support the individual’s overarching right to privacy in their private life. These rights include:
Right to be informed: Data subjects should expect to know the identify and contact details of the controller and their representative; why and how your data is being processed; if your data will be shared or passed on; how long your data will be stored; and what your rights are. This information is reflected in the Trust’s Privacy Notices.
Right to access: Data subjects have the right to obtain a copy of your personal data as well as to understand how and why your data is being used. This is commonly known as a Subject Access Request.
Right to object to automated decision making, including profiling: Where rights apply, data subjects can obtain human intervention; express your point of view; and obtain an explanation of the decision and challenge it. The right does not apply if the processing is required to fulfil a contract; has been authorised by member state law; or is based on explicit consent.
Right to object: Data subjects can object to us using your information in certain circumstances (please refer to the UK GDPR for the circumstances). This does not apply when we have lawful bases for processing your data, such as legal obligation or to protect the vital interests of a person.
Right to data portability: This right is not absolute. It allows data subjects to obtain/reuse your personal data for your own purposes across different services where data is processed by automated means; the right only applies to information you have provided to a controller. The processing has to be based on consent or where it is necessary to fulfil a contract.
Right to restriction: Data subjects can request that the processing of their data be restricted if one of the conditions set out in Article 18 applies (please refer to the UK GDPR for the conditions).
Right to erasure: Data subjects can request deletion of the data held about you, but only in certain circumstances, including if the data is no longer necessary for the purposes for which it was collected; if you withdraw consent on which the processing is based and where there is no other legal ground for the processing or you object to the processing and there are no overriding legitimate grounds for the processing; or if the data has been unlawfully processed, is to be erased for compliance with a legal obligation or has been collected in relation to the offer of information society services.
Right to rectification: Data subjects have the right to request that your information is updated to be made accurate, in the event where information held by us may no longer be accurate (such as your address). You also have the right to rectification when information we hold about you is incomplete, such as where the digit of a phone number is missing.
To exercise these rights, where they apply, please contact us through any of the means indicated on our Contact page.
Lawful basis for processing
The lawful bases Tarka Learning Partnership rely on when handling personal data include, but are not limited to:
- legal obligations;
- vital interests;
- public interests;
Right to withdraw consent
If the Trust has used consent as the lawful basis for processing your data, you have the right to withdraw this consent at any time. To exercise this right, please contact the GDPR Lead via any of the means indicated on our Contact page.
Use of the website
The Tarka Learning Partnership website exists to provide you with information about the Trust. You do not have to provide us with any personal information to access the website.
The vast majority of personal information we hold about you via the website will be obtained if you contact us by email, phone or post using the contact details given on our website. We will ensure that all personal data you supply to us is held in accordance with data protection law.
Data Protection Policy
The Tarka Learning Partnership is committed to a policy of protecting the rights and privacy of individuals in accordance with the Data Protection Act 2018. Our Data Protection Policy can be found on our Policies page.
The Tarka Learning Partnership is open and transparent about how personal data will be used. Please see our Privacy Notices for details via our Privacy Notices page.
Data Protection Officer (DPO)
The DPO is responsible for monitoring compliance with the UK General Data Protection Regulation. The DPO is also the central point of contact for the Information Commissioner’s Office (ICO) and all data subjects in relation to matters of data protection and subject access requests.
Tarka Learning Partnership’s Data Protection Officer is John Walker. John’s contact details are:
J A Walker, Solicitor
Office 7, The Courtyard
Telephone: 03337 729763
Data Protection Breach & Non Compliance Procedure
Tarka Learning Partnership’s data breach and non compliance procedure can be found here.
Our data breach management flowchart can be found here.
Subject Access Requests
For details of how to request information through a Subject Access Request, please refer to our Subject Access Requests page.
Freedom of Information Requests
For details of how to request information through a Freedom of Information request, please refer to our Freedom of Information page.
Right to lodge a complaint with the Information Commissioner’s Office (ICO) or another supervisory authority
If you believe the Trust has acted otherwise than in accordance with the UK GDPR, we would like to hear from you. You have the right to lodge a complaint with the Information Commissioner’s Officer (ICO) www.ico.org.uk / 0303 123 1113.
Tarka Learning Partnership’s ICO Registration Certificate is available on request.