Translation disclaimer (Translation disclaimer)

This content has been translated by a computer program and may not be 100% accurate.

(This content has been translated by a computer program and may not be 100% accurate.)

Data protection

How we use your information and your data protection rights, including how to make a subject access request.

Updated: 8th July 2025

Your rights under the UK General Data Protection Regulations (GDPR)

  1. The right to be informed about the collection and use of your data.
  2. The right of access to personal information (by making a subject access request as below).
  3. The right to have inaccurate personal data rectified, or completed if it is incomplete.
  4. The right to have your personal information erased in certain circumstances (sometimes known as the right to be forgotten).
  5. The right to restrict use of your personal information in certain circumstances.
  6. The right to have a copy of your personal information provided to you in a commonly used machine-readable format (to allow easy transfer to another data controller).
  7. The right to object to the use of personal information where it is based on specific legal bases.
  8. The right to object to the use of automated decision making, including profiling.

Requesting information

The UK General Data Protection Regulation (GDPR) gives you the right to access data that we hold about you. You can do this by making a subject access request.

Complete this form:

Return the form by:

Please read the information below before making your request. 

What information do I need to provide?

1. A clear, specific request

We cannot deal with your subject access request until you have provided enough information for us to find the personal data.

For example, a request for ‘all of the personal data held on me’ is not specific enough for us to find your data.

The Council processes personal information for many reasons, for example:

  • Social care information.
  • Council tax information.
  • Employment records.

You will need to state in your request which Council departments you would like information from.

If you are requesting social care information, then please provide details of any family members who were also involved with social care. This will allow us to conduct a more thorough search of our social care records and allow us to provide you with more information.

2. Current identification

To ensure that we only disclose personal data to those who are authorised to access it, you must provide copies of two current forms of ID, one from each list below:

  1. Examples of acceptable name identification:
    • Driver’s licence.
    • Passport.
    • Birth certificate.
  2. Examples of acceptable proof of address:
    • Utility bill.
    • Bank statement.
    • Council Tax bill.

How long will it take to receive a response?

We will respond to you within one month of receiving your written request. We can extend this to three months if your request is complex. For example when there is a large amount of records to collate and review. We will advise you if this is the case.

The time period starts from when we receive sufficient information plus proof that you are who you say you are to progress your request. We will contact you if we need more information.

If we don't receive the information or identification required within one month of contacting you, your request will be closed.

What information will I receive?

Dependent upon the format in which your data is held, the information may be supplied to you in the form of:

  • Copy documents.
  • Correspondence that we hold.
  • An extracted summary of the information about you. 

In some circumstances we cannot give you information as it is exempt from release under the GDPR. For example information which could prejudice a criminal investigation, or information subject to legal professional privilege. 

We may also not be able to release information that was provided to us about you by another organisation without that organisation's authority.

You only have a right of access to your own information. If your records also contain someone else’s information (known as third-party data), it will be redacted (i.e. blacked out or removed) from the information you receive.

We will send the information you have requested by email to you if you have provided your email address. If you prefer to receive it in a different way, please let us know when you make your request.

Can I access someone else's data on their behalf?

You can obtain information on behalf of another individual if you supply a form of authority clearly setting out what can be released to you. This needs to be addressed specifically to the council and signed by the data subject or their legal representative. You will also need to provide satisfactory proof of identity for both you and the data subject.

If the request is on behalf of an adult who lacks mental capacity

You must provide official paperwork naming you as legal guardian of the data subject along with your proof of identity.

Children’s information

A parent or legal guardian can request information on behalf of their child, as long as proof of parental responsibility can be confirmed. However, once a child reaches an age where they can understand the implications of their data being shared their consent will be required. (This is generally from the age of 13 onwards).

Please see our further guidance regarding making requests for information about children below.

Requests for information about children

Whatever the age of the child, data about them is still their personal data and does not belong to anyone else such as a parent or guardian. It is the child who has a right of access to the information held about them. 

The Council will assess:

  • If the child is able to understand (in broad terms) what it means to make a subject access request (SAR).
  • How to interpret the information they receive as a result of doing this.
  • The potential impact on them from having access to the records.

When responding to requests made by or on behalf of children the following is taken into consideration:

  • Where possible, the child's level of maturity and their ability to make a SAR. This includes the complexities involved in that decision and the possible consequences of their decision.
  • The nature of the personal data.
  • Any court orders relating to parental access or responsibility that may apply.
  • Any duty of confidence owed to the child or young person.
  • Any consequences of allowing those with parental responsibility access to the child's or young person's information. This is particularly important if there have been allegations of abuse or ill treatment.
  • Any detriment to the child or young person if individuals with parental responsibility cannot access this information.
  • Any views the child or young person has on whether their parents should have access to information about them.

When it is determined that a child or young person's views should be sought regarding a request made on their behalf, we will notify you of our intention to do so and our subsequent decision in writing.

Schools, Calderdale Council, the Department for Education and other bodies that process personal data about children. Staff are required by the DPA 2018 to issue a Privacy Notice to parents, children, young people and staff to inform them of the purposes of holding the personal data and what it will be used for.

For details about privacy notices, what data is used for and who uses it, see: Accessing information about your child.

School records

A child, or someone acting on their behalf, may make a SAR in respect of personal data held by a school about the child. Such SARs will be dealt with by the school involved in line with their own policy and procedure. 

If you would like to access a child's school record, please contact the school directly.  For school contact details, please see: Search for schools.

For more on how to see school records, visit: Information Commissioner's Office.

Exercising your data protection rights

If you wish to exercise any of your rights under the GDPR, including if you have a complaint about how we have used or looked after your data, please contact our Data Protection Officer.

GDPR key principles

The UK General Data Protection Regulations (GDPR) sets out seven key principles which lie at the heart of our data protection practice:

  1. Lawfulness, fairness, and transparency:  Data must be processed legally and fairly, with transparency.
  2. Purpose limitation: Personal data should only be used for the purposes we have communicated to you.
  3. Data minimisation: We must collect and use only the necessary personal data.
  4. Accuracy: We must ensure data is accurate and up-to-date.
  5. Storage limitation: We retain data only for as long as necessary.
  6. Security: We must protect data from unauthorised access or loss.
  7. Accountability: We are responsible for compliance with data protection principles and have appropriate measure and records in place to show this.

Contact us

Suzanne Prescott, Corporate Information Manager and Data Protection Officer:

Webpage feedback

Was this page helpful? Rate this page helpful Rate this page unhelpful