Data protection

We may hold some of your personal information if you've provided it when using our services. We comply with the data protection law to protect your details.

Dumfries and Galloway Council ('the Council') is a data controller, as registered with the Information Commissioner's Office, of your personal data.

Privacy Statement

Our Privacy Statement outlines the ways in which we process your personal information as a Council. It also explains what rights you have in relation your personal information and how you can access these:

Data Protection Act

The Data Protection Act 2018 replaced the Data Protection Act 1998 on 23 May 2018. The data protection law emphasises protecting your personal information and gives you with more rights and control over how organisations such as the Council handle and process your personal information.

Personal information is information, which relates to a living person who could be identified from the information itself, or by linking it with other information. For example, it could be:

  • Name and address
  • A school pupil's record
  • Health information

Processing personal information is the name given to anything the Council does with your personal information that they hold. For example, this could be:

  • Entering your details into our computer systems
  • Storing a completed form in a filing cabinet

Six Data Protection Principles

The Council will comply with the six data protection principles to ensure the protection of your personal information. The Council will ensure your personal information is:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and for legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary, kept up to date
  • Kept for no longer than is necessary for the purpose
  • Protected by appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction

Making a Subject Access Request

Under Data Protection legislation, you have the right to ask to see information held by the Council that is about you. Asking for your information is called the right of access and is commonly known as making a Subject Access Request or SAR.

Once the Council receives a SAR, all efforts will be made to fully comply within one month of receipt of your request. If we are unable to comply with your request within one month, we will inform you and explain why the extension is necessary.  We can extend the time to respond by a further two months. SARs can be made verbally but we recommend you put it in writing if possible because this gives you a record of your request.

Using our Subject Access Request Form can help capture all of the details we need to locate your information.

You can make a SAR by:

Data Protection Officer
Dumfries and Galloway Council Headquarters
English Street

Proof of ID

For your own protection we must make sure that the request is genuinely from you to protect your personal data. We do this in various ways:

  • If you are currently in communication with a Local Authority Officer, such as a Social Worker, or a teacher, then they can confirm your identity.  Either ask them to confirm you are the named person making the request by emailing from their work email account or advise us of their name when making your request.
  • If you do not have current contact with a Local Authority Officer, please provide proof of identification (ID) when submitting your request. We will need two forms of identification to be sent along with your request. These should include something that identifies you, for example a passport, driving licence or birth certificate and something that confirms your address such as a utility bill. This list is not exhaustive and other forms of identification may be acceptable.
    • If making your application by post or email, please send photocopies rather than originals. Copies of your documentation must be certified. Certified means a professional person such as a doctor, dentist, police officer, teacher, social worker, bank official has signed and dated the documents to prove you are who you say you are.
    • Or you can take proof of ID, along with your SAR, to a Council building, so that a member of Council staff can confirm your ID. If you are a parent or carer wishing to make a SAR, you can get your ID authorised at your child's school.

If you do not have any of these forms of ID, please contact us. If we are unable to verify your identity with the information provided, we may need to ask for further information. The timescale for responding begins once you have completed the verificaton.

Making a request on behalf of someone

You may prefer a third party (e.g. a relative, friend or solicitor) to make a SAR on your behalf. To allow another person to access your information on your behalf we need to be satisfied that the third party is entitled to act on your behalf.

If you are asking for someone else's personal information, we will need a signed letter, or email from them confirming they want you to access this information, or provide other evidence that you are entitled to the information (e.g. proof of parental responsibility for a young child (under 12) or power of attorney).

You can make a SAR on behalf of a child only if they are your child and are too young to make the request themselves (under 12 years of age); you have their written permission to do so; or you have a power of attorney for the person concerned.

If you are making the request on behalf of another person, you and the person who the information is about will both need to provide proof of ID. Please see above section on Proof of ID. We won't be able to process your request until we have received proof of who you are.


There is no fee for making a subject access request, however we may charge if:

  • you want more copies of the same information
  • we think your request is excessive

We will tell you there will be a charge before we send you the information.

Your individual rights

You have the right to:

  • Be informed of why and what we will do with your personal data
  • Have access to your personal information
  • Have your personal data deleted
  • Restrict or object to processing of your personal data
  • Have personal data corrected
  • Have personal data moved from one IT environment to another securely and without hindrance
  • Withdraw your consent

To exercise these rights contact the Council's Data Protection Officer: 

How to raise a concern

If you are not satisfied with how we have answered your request or have concerns about how we handled your personal information, you should email our Data Protection Officer to raise a concern in the first instance. When you contact our Data Protection Officer we will consider your concerns and will respond within one calendar month. If we can't respond within that timescale, we will let you know when we will be able to respond.

If you are unhappy with our response to your concern, you are entitled to raise your concern with the regulator of data protection, which is the UK Information Commissioner (ICO) and you contact their office by writing to:

UK Information Commissioner's Office
Wycliffe House
Water Lane
Tel:  0303 123 1113

Page last updated: 20/10/2023
email icon print icon