General Data Protection Regulation (GDPR)

How Highways England maintains General Data Protection Regulation (GDPR) standards

General Data Protection Regulation (GDPR) is a European Union (EU) regulation that sets the standards for the handling of personal data across the EU.

It also applies to non-EU countries handling personal data of individuals who are based in the EU.

GDPR was adopted into UK law as part of the Data Protection Act 2018. It was introduced to ensure the continued protection of personal data for individuals as the technological world advances.

These requirements ensure that protection is maintained within Highways England.

In this section

Data incident
Right to be informed
Right of access
Data privacy impact assessment
Right of portability
Right to erasure
Right to rectification
Records of Processing Activities (RoPA)

Data incident

A data incident is defined by the Information Commissioner's Office (ICO) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Requirement

Where a data incident occurs concerning personal data controlled, held or processed by or on our behalf, you must report it to our Data Protection Officer as soon as the incident is identified.

You must also complete a data incident notification form.

Specification

The data incident notification form must contain a description of the nature of the personal data incident including, where possible:

  • the categories of data (such as images, names, contact details) and approximate number of individuals concerned
  • the categories of data (such as images, names, contact details) and approximate number of personal data records concerned

The form should also contain:

  • the name and contact details of the accountable Data Protection Officer: dataprotectionadvice@highwaysengland.co.uk
  • a description of the likely consequences of the personal data incident
  • a description of the measures taken, or proposed to be taken, to deal with the personal data incident. Where appropriate, this should include measures taken to mitigate any possible adverse effects.

Right to be informed

The right to be informed is our obligation to provide fair processing information, typically through a privacy notice.

The information it contains, which describes how organisations use personal data, is called privacy information.

Requirement

Where personal data is collected or processed on our behalf, individuals have the right to be informed.

They must be provided with the following information through a privacy notice:

  • purposes for processing their personal data
  • retention periods for that personal data
  • who it will be shared with

Where we're the data controller, the privacy notice should be provided using our template.

If you're acting as the data controller on our behalf, you should supply the privacy notice. You should either use our template, or your own if you have one.

Specification

Information provided to individuals in the privacy notice must be:

  • concise
  • transparent
  • intelligible
  • easily accessible
  • written in clear and plain language

You must also:

  • provide the information at the time their personal data is collected
  • provide the information by a written notice or a recorded verbal message
  • regularly review, and where necessary update, the privacy information
  • inform individuals of any new uses of their data before processing can begin

Privacy notices must provide individuals with all the following privacy information:

  • the name and contact details of our organisation
  • the name and contact details of our representative. This could be a member of the team that is issuing the privacy notice
  • the contact details of our data protection officer: dataprotectionadvice@highwaysengland.co.uk
  • the purposes of the processing
  • the lawful basis for the processing
  • the legitimate interests for the processing (if applicable)
  • the categories of personal data obtained (if the personal data is not obtained from the individual it relates to)
  • the recipients or categories of recipients of the personal data
  • the details of transfers of the personal data to any third countries or international organisations (if applicable)
  • the retention periods for the personal data
  • the rights available to individuals in respect of the processing
  • the right to withdraw consent (if applicable)
  • the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO)
  • the source of the personal data (if the personal data is not obtained from the individual it relates to)
  • whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to)
  • details of automated decision-making, including profiling (if applicable)

Right of access

Individuals have the right to access their personal data and supplementary information.

The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Requirement

If you receive a subject access request, you must first contact our Data Protection Advice team.

Bear in mind we have one calendar month to respond.

You must give the Data Protection Advice team any further information it requests from you.

If you're acting as a designated data controller on our behalf, you must:

  • process the request
  • inform the Data Protection Advice team of your actions

Specification

Under a subject access request, we must provide the individual with:

  • confirmation that an individual’s data is being processed
  • access to the individual’s personal data – where it's within scope of the legislation
  • other supplementary information. This usually corresponds to the information that should be provided in a privacy notice – see the following examples

Examples of supplementary information:

  • the purposes of processing
  • the categories of personal data concerned
  • the recipients or categories of recipient that the organisation may disclose the personal data to
  • the retention period for storing the personal data
  • the right to request rectification, erasure or restriction, or to object to such processing
  • the right to lodge a complaint with the ICO or another supervisory authority
  • information about the source of the data, where it was not obtained directly from the individual
  • details of automated decision-making (including profiling)
  • the safeguards provided, if personal data is transferred to a third country or international organisation

Data privacy impact assessment

A Data Protection Impact Assessment (DPIA) helps you identify and minimise the data protection risks of a project.

The Information Commissioner's Office (ICO) can impose heavy fines if it finds that a DPIA has not been completed where it should have been.

Requirement

Before starting any new project or process involving personal data, you must:

The Data Protection team will decide if the processing is likely to result in a high risk to individuals and whether a full DPIA is required.

If it is, the Data Protection team will contact you with instructions on what you need to do next - usually helping to identify privacy risks and measures to mitigate them.

Specification

If you're asked to complete a full DPIA, the Data Protection team will help you to complete it.

A full DPIA will describe the nature, scope, context and purposes of the processing. The assessment will cover:

Necessity

How necessary is this project and associated processing of personal data?

Proportionality

Is the level of personal data processing proportionate to what the project is trying to achieve?

Compliance measures

The measures in place to make sure we comply with the legislation (General Data Protection Regulation and Data Protection Act 2018) when processing the personal data.

The DPIA will also identify and assess:

Risks to individuals

The likelihood and the severity of any impact on individuals.

For example, high risk could result from either a high probability of some harm, or a lower possibility of serious harm.

Any additional measures to mitigate those risks

If you identify a high risk that you can't mitigate, you must consult the Data Protection team.

We must then consult the ICO before we start processing.

The ICO will give written advice within eight weeks, or 14 weeks in complex cases.

Right of portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Requirement

If you receive a request, you must first contact our Data Protection Advice team.

Bear in mind that we have one calendar month to respond.

When we formally request it, you must provide the personal data you hold on a specified individual.

This applies:

  • to personal data that an individual has given to a data controller
  • when the processing is carried out by automated means
  • where the processing is based on the individual’s consent, or for the performance of a contract

Specification

If we instruct you to do so, you must:

  • transmit personal data in structured, commonly used and machine-readable format
  • use a secure method to transmit personal data
  • respond to a request for data portability without undue delay

Right to erasure

Individuals have the right to request to have personal data that we store about them erased. The right to erasure is also known as 'the right to be forgotten'.

Individuals can make a request for erasure verbally or in writing.

The right to erasure is not absolute and only applies in certain circumstances.

Requirement

If you receive a request, you must, in the first instance, contact our Data Protection Advice team.

Bear in mind that we have one calendar month to respond.

The Data Protection team will consult the information owners before deciding to erase or retain the data.

If the right to erasure does apply, you must erase the personal data you hold on that individual when we formally ask you to do so.
Right to rectification

Individuals have the right to have inaccurate personal data rectified (corrected).

An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

Requirement

If you receive a request, you must, in the first instance, contact our Data Protection Advice team.

Bear in mind that we have one calendar month to respond.

When we formally ask you to do so, you must:

  • take reasonable steps to make sure that the personal data you hold on a specified individual is accurate
  • where necessary, correct any inaccuracies

Records of Processing Activities (RoPA)

We're required under the General Data Protection Regulation (GDPR) to keep a Record of Processing Activities (RoPA).

This is a record of all our personal data processing activities.

Requirement

If you hold, process or share any of our personal data you must contact our Data Protection Advice team to add the data to our RoPA.

If necessary, the Data Protection Advice team will ask you to complete our RoPA form.

Specification

Information you need to provide on the RoPA form includes:

  • the data you are processing
  • what type of personal data it is
  • who the personal data belongs to
  • the purpose of data processing and who is processing it
  • who will have access to the data
  • the retention period for the data
