Putting our residents first
Top menu
Search our website: Search

Data protection policies

Hillingdon Council's Cabinet approved a range of policies on 24 May 2018, which are designed to ensure that the council continues to take proper care of residents' personal data.

Privacy notice

The council is required by law to publish a Privacy Notice [124KB].  Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. The council is therefore required to provide individuals with the type of information contained within this Notice and this is known as 'privacy information'.

Service specific privacy notices 

Data Protection Policy

Our Data Protection Policy [134KB] provides important information about how we keep data safe and secure and other responsibilities necessary to meet the requirements of the DPA and the GDPR.

Individual Rights Policy

The GDPR introduces the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated decision making including profiling

Read more about your rights [174KB] 

Please see below to find out more information about how to make a request.

Subject Access Policy and Procedure

The Data Protection Act 2018 gives individuals the right to request copies of all their personal data processed by Hillingdon Council.

More information [120KB] 

Subject Access form [85KB]

Information Governance Policy

Our  Information Governance Policy [118KB] sets out the framework by which the council handles information. It applies to sensitive and personal information of residents and employees and also to information related to the business of the council.

The 'Lawful basis for processing'

Your personal data may only be used by us if there is a clear lawful basis [149KB] for doing so.  

There are six types of lawful basis under GDPR:

  1. Consent
  2. Contract
  3. Legal obligation
  4. Necessary to protect the vital interests of the individual or of another person
  5. Necessary to perform a public task or to exercise official authority
  6. Necessary because of legitimate interests

Managing an information security breach

Any suspected breach of personal data must be investigated immediately and, if sufficiently serious, must be reported to the Information Commissioner's Office within 72 hours.  

Read more details in the policy [211KB]

Data protection impact assessments

When the council makes changes to services which might affect the control of personal data it must carry out a  Data Protection Impact Assessment [161KB].

Retention and Destruction of personal data

Personal data should not be kept any longer than is necessary.

Document retention and destruction policy, item 7 [289KB]

Is there anything wrong with this page?

* What would you like to report?
Broken link
Out of date information
Missing information
Report a problem with a service

* Please provide further details:


Please include your email in case we need further details (optional):

This feedback tool is for improving our pages. To report a problem with a service, please email: contact@hillingdon.gov.uk

Your feedback could not be sent - please ensure you have completed all fields.

Thank you for your feedback.

Article utilities:  Bookmark and Share Print Print this page Last updated: 11 Dec 2018 at 09:15