UK General Data Protection Regulation (UK-GDPR)

How National Highways maintains UK General Data Protection Regulation (UK-GDPR) standards

General Data Protection Regulation (GDPR) is a European Union (EU) regulation that sets the standards for the handling of personal data across the EU.

It also applies to non-EU countries handling personal data of individuals who are based in the EU.

UK-GDPR was adopted into UK law as part of the Data Protection Act 2018. It was introduced to ensure the continued protection of personal data for individuals as the technological world advances.

These requirements ensure that protection is maintained within National Highways.

In this section

Data incident
Right to be informed
Right of access
Data privacy impact assessment
Right of portability
Right to erasure
Right to rectification
Records of Processing Activities (RoPA)


Data incident

A data incident is defined by the Information Commissioner's Office (ICO) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Requirement

Where a data incident occurs concerning personal data controlled, held or processed by or on behalf of National Highways, the Supplier must report it to National Highways' Data Protection Officer as soon as the incident is identified.

Suppliers must also complete a data incident notification form.

Specification

The data incident notification form must contain a description of the nature of the personal data incident including, where possible:

  • the categories of data (such as images, names, contact details) and the approximate number of individuals concerned
  • the categories of data and the approximate number of personal data records concerned

The form also contains:

  • the name and contact details of the accountable Data Protection Officer: dataprotectionadvice@highwaysengland.co.uk
  • a description of the likely consequences of the personal data incident
  • a description of the measures taken, or proposed to be taken, to deal with the personal data incident. Where appropriate this should include measures taken to mitigate any possible adverse effects.

Right to be informed

The right to be informed is National Highways' obligation to provide fair processing information, typically through a privacy notice.

This information, which describes how organisations use personal data, is called privacy information.

Requirement

Where personal data is collected or processed on National Highways' behalf, individuals have the right to be informed.

They must be provided with the following information through a privacy notice:

  • purposes for processing their personal data
  • retention periods for that personal data
  • who it will be shared with

Where National Highways is the data controller, the privacy notice is to be provided using its template.

If the Supplier is acting as the data controller on behalf of National Highways, then the Supplier is to supply the privacy notice. The Supplier is to use National Highways' template, or its own template if it has one.

Specification

Information provided to individuals in the privacy notice must be:

  • concise
  • transparent
  • intelligible
  • easily accessible
  • written in clear and plain language.

The Supplier must also:

  • provide the information at the time the individual's personal data is collected
  • provide the information by a written notice or a recorded verbal message
  • regularly review, and where necessary update, the privacy information
  • inform individuals of any new uses of their data before processing can begin

Privacy notices must provide individuals with all the following privacy information:

  • the name and contact details of the organisation
  • the name and contact details of the representative. This could be a member of the team that is issuing the privacy notice
  • the contact details of our data protection officer: dataprotectionadvice@highwaysengland.co.uk
  • the purposes of the processing
  • the lawful basis for the processing
  • the legitimate interests for the processing (if applicable)
  • the categories of personal data obtained (if the personal data is not obtained from the individual it relates to)
  • the recipients or categories of recipients of the personal data
  • the details of transfers of the personal data to any third countries or international organisations (if applicable)
  • the retention periods for the personal data
  • the rights available to individuals in respect of the processing
  • the right to withdraw consent (if applicable)
  • the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO)
  • the source of the personal data (if the personal data is not obtained from the individual it relates to)
  • whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to)
  • details of automated decision-making, including profiling (if applicable)

Right of access

Individuals have the right to access their personal data and supplementary information.

The right of access allows individuals to be aware of and verify the lawfulness of the processing.

Requirement

If the Supplier receives a subject access request, it must first contact National Highways' Data Protection Advice team.

The Supplier is to work with National Highways to ensure that a response is provided within the deadline of one month.

The Supplier is to provide the Data Protection Advice team with any further information requested.

If the Supplier is acting as a designated data controller on National Highways' behalf, it must:

  • process the request
  • inform the Data Protection Advice team of its actions

Specification

Under a subject access request, National Highways must provide the individual with:

  • confirmation that an individual’s data is being processed
  • access to the individual’s personal data – where it's within scope of the legislation
  • other supplementary information. This usually corresponds to the information that should be provided in a privacy notice – see the following examples

Examples of supplementary information:

  • the purposes of processing
  • the categories of personal data concerned
  • the recipients or categories of recipient that the organisation may disclose the personal data to
  • the retention period for storing the personal data
  • the right to request rectification, erasure or restriction, or to object to such processing
  • the right to lodge a complaint with the ICO or another supervisory authority
  • information about the source of the data, where it was not obtained directly from the individual
  • details of automated decision-making (including profiling)
  • the safeguards provided, if personal data is transferred to a third country or international organisation

Data privacy impact assessment

A Data Protection Impact Assessment (DPIA) helps the Supplier identify and minimise the data protection risks of a project.

The Information Commissioner's Office (ICO) can impose heavy fines if it finds that a DPIA has not been completed where it should have been.

Requirement

Before starting any new project or process involving personal data, the Supplier must:

The Data Protection team decides if the processing is likely to result in a high risk to individuals and whether a full DPIA is required.

If it is, the Data Protection team will contact the Supplier with instructions on what needs to be done next, usually helping to identify privacy risks and the measures to mitigate them.

Specification

If the Supplier is asked to complete a full DPIA, the Data Protection team will help the Supplier to complete it.

A full DPIA describes the nature, scope, context and purposes of the processing. The assessment will cover:

Necessity

How necessary is this project and the associated processing of personal data?

Proportionality

Is the level of personal data processing proportionate to what the project is trying to achieve?

Compliance measures

The measures in place to make sure that National Highways and its Suppliers comply with the legislation (General Data Protection Regulation and Data Protection Act 2018) when processing the personal data.

The DPIA will also identify and assess:

Risks to individuals

The likelihood and the severity of any impact on individuals.

For example, high risk could result from either a high probability of some harm, or a lower possibility of serious harm.

Any additional measures to mitigate those risks

If the Supplier identifies a high risk that they can't mitigate, the Supplier must consult the Data Protection team.

The Supplier must enable National Highways to consult the ICO before processing commences.

The ICO will give written advice within eight weeks, or 14 weeks in complex cases.


Right of portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Requirement

If the Supplier receives a request, it must first contact National Highways' Data Protection Advice team.

The Supplier is to ensure that it works with National Highways to provide a response within the deadline of one month.

When instructed by National Highways, the Supplier provides the personal data it holds on the specified individual.

This applies:

  • to personal data that an individual has given to a data controller
  • when the processing is carried out by automated means
  • where the processing is based on the individual’s consent, or on the performance of a contract

Specification

If instructed by National Highways, the Supplier must:

  • transmit personal data in structured, commonly used and machine-readable format
  • use a secure method to transmit personal data
  • respond to a request for data portability without undue delay

Right to erasure

Individuals have the right to request that personal data held on them by National Highways or its Supplier is erased. The right to erasure is also known as 'the right to be forgotten'.

Individuals can make a request for erasure verbally or in writing.

The right to erasure is not absolute and only applies in certain circumstances.

Requirement

If the Supplier receives a request it must, in the first instance, contact National Highways' Data Protection Advice team.

The Supplier is to ensure that it works with National Highways to provide a response within the deadline of one month.

The Data Protection team will consult the information owners before deciding to erase or retain the data.

If the right to erasure does apply, the Supplier must erase the personal data they hold on that individual when formally instructed by National Highways.


Right to rectification

Individuals have the right to have inaccurate personal data rectified (corrected).

An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

Requirement

If the Supplier receives a request it must, in the first instance, contact National Highways' Data Protection Advice team.

The Supplier is to ensure that it works with National Highways to provide a response within the deadline of one month.

When instructed by National Highways, the Supplier ensures that it:

  • takes reasonable steps to make sure that the personal data held on a specified individual is accurate
  • where necessary, corrects any inaccuracies

Records of Processing Activities (RoPA)

National Highways is required under the UK General Data Protection Regulation (UK-GDPR) to keep a Record of Processing Activities (RoPA).

This is a record of all its personal data processing activities.

Requirement

If the Supplier holds, processes or shares any of National Highways' personal data, it must contact National Highways' Data Protection Advice team to add the data to National Highways' RoPA.

If necessary, the Data Protection Advice team will ask the Supplier to complete National Highways' RoPA form.

Specification

Information that Suppliers need to provide on the RoPA form includes:

  • the data they are processing
  • what type of personal data it is
  • who the personal data belongs to
  • the purpose of data processing and who is processing it
  • who will have access to the data
  • the retention period for the data