Privacy notice – subject access request

North Somerset Council is registered with the Information Commissioner’s Office for the purposes of processing personal data.

The information you provide will be held and used in accordance with the requirements of UK and European data protection law.  The information will form part of your Subject Access request file, and held for six months from last activity on the file.

Unless otherwise agreed with you, we will only collect the minimum personal data required to deliver the service, which is limited to your name and contact details.  We are also required to collect enough information to satisfy the requestor’s and data subject’s identity, to ensure the information provided is only disclosed to the lawful recipient.  Any identification collected is destroyed as soon as identity has been verified.

We will not use your personal information in a way that may cause you unwarranted nuisance.  Failure to provide the information could result in the inability to process your request under the terms of the European General Data Protection Regulation.

The information will be used to respond to your Subject Access request; our statutory duty under the European General Data Regulation, Article 15.  We, therefore, consider the processing to be lawful in accordance with GDPR Article 6(1)(c) (processing is necessary for compliance with a legal obligation).  In the handling of your request, there is the possibility that we may come across special categories of personal data (sensitive personal data) and/or data relating to criminal convictions.  We consider this to be lawful in accordance with GDPR Article 9(2)(a) (you have given your explicit consent) and GDPR Recital 50 (further processing of personal data is based on Union or Member State law).

The information provided may be shared with the Information Commissioner’s Office, who have demonstrated that they have a lawful and legitimate interest in the information, for the purposes of investigating a complaint made by you in the handling of your request.  At no point is your data shared or processed outside of the UK.

We may lawfully disclose information to public sector agencies to prevent or detect fraud or other crime, or to support the national fraud initiatives and protect public funds under the Local Audit and Accountability Act 2014.  Under the conditions of the Digital Economy Act 2017, we may also share personal data provided to us with other public authorities as defined in the Act, for the purposes of fraud or crime detection or prevention, to recover monies owed to us, to improve public service delivery, or for statistical research.  We do not share the information with other organisations for commercial purposes.

You have the right to see the personal data we process about you, as well as the right of rectification and restriction (of destruction of records only). 

If you have any questions or concerns about the way we process your personal data, contact our Data Protection Officer at