
Data Protection and GDPR

In order to deliver services to the citizens and communities in West Lothian, it is necessary for the council to collect, gather and process personal data about residents, staff and other individuals. This article includes Privacy Notices.

The new Data Protection Act (2018) and General Data Protection Regulation (GDPR) came into effect in May 2018. Data Protection Law regulates the way we handle and process personal data within the council. The law includes new definitions of personal data that are in keeping with changing technology and has strengthened the rights of individuals.

Personal data is information which relates to a living person who can be identified from the information itself, or by linking it with other information. For example, it could be your name and address, a school pupil's record or a client's health information.

Processing personal data is the name given to anything that we do with your personal data that we hold. For example, entering your details into our computer systems or storing a completed form in a filing cabinet.

The sections below explain the arrangements we have in place to protect the information entrusted to the council.

Changes to Data Protection Law

Why change data protection law?

When the current Data Protection Act was introduced in 1998, the internet was very new and people didn't understand the full implications of how it could be used - especially when collecting personal information.

As technology continues to develop, new definitions of personal data are being introduced, such as your computer's IP address or your mobile phone location setting. Your IP address is a label which is used to identify one or more devices on a computer network such as the internet. It is similar to your postal address and is a series of long numbers.

This reform to the Data Protection Act (1998) was brought about by the General Data Protection Regulation (GDPR).  The GDPR is a European regulation that sets out new arrangements for the handling of personal data of EU citizens.  The new data protection law was introduced on 25 May 2018 and forms the basis of a new Data Protection Act.

This new Act replaced the existing Data Protection Act and aims to give more rights and control over how personal data is handled by organisations.

The new data protection law creates one set of rules for everyone in the European Union establishing a unified approach to protecting personal data for all EU individuals.

What changes has the new data protection law introduced?

For customers:

The new Data Protection Act introduced more safety measures about how personal data is used by organisations. It takes account of new mobile technology which captures personal data - to establish trust in how it is processed and shared.

As a council we have:

  • updated our procedures in relation to the processing of personal data

  • strengthened our rules for deleting and removing personal data

  • published our privacy notices that tell you what we do with your data

  • conducted privacy assessments for certain processing activities

  • minimised the amount of personal data that we need to deliver a service to you

  • responded to any requests or enquiries about our processing of personal data

Under the new rules, as a public body we have a Data Protection Officer. This is a dedicated senior officer who will enforce how we collect and process personal data in line with the new data protection law.

Who we are

In compliance with Data Protection Law, the council has registered as a Data Controller with the Information Commissioner's Office (ICO). This registration can be viewed on the ICO website. Registration Number: Z6925127.

As a Data Controller, the council determines the purpose and methods for processing information and ensures safeguards over any personal and/or sensitive information it handles.

Contact Details for the council:

Customer Services
West Lothian Council
West Lothian Civic Centre
Howden South Road
West Lothian
EH54 6FF

Telephone: 01506 280000

Data Protection Officer: The council's Data Protection Officer is the Head of Corporate Services, Julie Whitelaw and can be contacted by email:

Why we process your data

In order to deliver essential services to the citizens and communities of West Lothian, we need access to personal information about clients, customers and staff.  This information can be sensitive in nature so we put safeguards in place to ensure that:

  • we only gather as much information as we need, and no more
  • the information is accurate and up-to-date
  • the information is only used for the purpose intended
  • we only keep the information as long as we need to

We will not disclose personal information to third parties for marketing purposes or use personal data in a way that may cause unwarranted detriment.

However, there are circumstances where the council is legally required to disclose information:

  • for the purpose of performing statutory enforcement duties 
  • disclosures required by law
  • for the purposes of detecting/preventing fraud
  • auditing/administering public funds

Information is processed by the council in the UK.  However, we will inform you in our 'Privacy Notices' of any instance where this may not be the case. 

Sharing and protecting your information

The council will only share your information where it is required to do so, such as, where services are delivered jointly with other organisations. We will tell you who these other organisations are when we gather your information. This is detailed further in each of the specific 'Privacy Notices' in the section below.

Where information is shared with other organisations or processed on our behalf, we will ensure adequate protection by ensuring contracts and sharing agreements are in place.  These will define the minimum amount of data to be shared, how your information is to be used and will enforce security controls to protect your information. 

The council has an Information Governance Policy. This policy is regularly reviewed by the Data Protection Officer to ensure that the council complies with the requirements of the Data Protection Act.

All council officers are required to undertake data protection and information security training to ensure that personal data is processed in accordance with the data protection principles.

How long we keep your information

We will only keep your information for the minimum period necessary. After this time, information is deleted/destroyed in accordance with council approved retention schedules.  Please see our 'retention schedule' links below that provide some detail on how long we keep information for:

Retention Schedules

  • Finance Retention Policy
  • Adult Care Services - Records Retention Schedule
  • Children Family Services - Records Retention Schedule
  • Criminal Justice - Records Retention Schedule
  • HCBS Record Retention Policy


Privacy Notices

To learn more about how we use information in specific circumstances click the relevant link below:

Arts, Leisure and Countryside

Business and Trade

Council Information

Council Property

Council Tax and Benefits



In your Community

Jobs and Employment

Libraries and Museums

Planning and Building Standards

Recycling and Waste

Roads, Streets and Parking

Schools, Education and Learning

Social Care and Health

Travel and Transport


How to make an enquiry or lodge a complaint

Depending on why we need to process your information, you will have rights over how your information is used.  These will be detailed in the Privacy Notices in the section above.

The council has a legal basis for gathering and processing of information necessary for the delivery of critical services.  You have the right to request that the council stop processing your personal data in relation to any council service. However, this may cause delays or prevent us delivering a service to you.  Where possible, we will seek to comply with such requests but this may not be possible where the council is required to do so by law, to safeguard public safety, where there is a risk of harm and/or in emergency situations.

Please submit an enquiry to us if you would like to:      

  • View your information (Subject Access Request)
  • Verify, correct or update your information
  • Understand how we have arrived at a decision about you
  • Raise a concern, complaint or objection, or request a restriction on how we process your information

We will endeavour to respond to all enquiries within one calendar month of their submission.

Contact details for enquiries:

Customer Services
West Lothian Council
West Lothian Civic Centre
Howden South Road
West Lothian
EH54 6FF

Telephone: 01506 280000


For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit  Information Commissioner's Office or email

Making A Subject Access Request and/or Enquiry

How do I make a request?

Where you are seeking a copy of your personal information please:

  • submit your request to West Lothian Council at the address below



For all other requests please contact:

Customer Services
West Lothian Council
West Lothian Civic Centre
Howden South Road
West Lothian
EH54 6FF

Telephone: 01506 280000


For all requests, we will need:

  • documentary proof that you are who you say you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you);
  • information about the request you are making and your dealings with us to help identify the information in question and respond to your request.

Please ensure you provide at least two forms of identification in the form of [copies of passport, driving licence, utility bills or similar] bearing your full name and current postal address.

On receipt of your request, we will always send you a written acknowledgement and may need to ask you for:

  • proof of identification if you have not supplied this already;
  • information about the nature of your request and your dealings with us so we can understand, identify and locate information that is relevant where this is not already clear from your request. 

If we do not hear back from you with confirmation of your identity and/or sufficient information to respond to your request in one month, we will not be able to process your request and it will be treated as lapsed for accounting purposes.


Can someone else make a request for me?

A friend, relative, advocate or solicitor may act on your behalf. However, this person must supply written authority from you to confirm that they are acting for you and we will still require identification for you.


What if a data subject 'lacks mental capacity'?

A person with a lasting power of attorney appointed directly by the data subject or a Deputy appointed by the Court of Protection may exercise these rights.


What about requests involving children?

Children aged 12 or above are automatically able to exercise data protection rights.

As a general rule a child must have sufficient understanding and maturity to exercise their own rights and a common sense approach will be adopted in the event a child or young person submits a request.

For children aged under 12, it will generally be expected that a request is made by a person with parental responsibility with whom the child normally resides and 'best interest' considerations will be taken into account.


When can I expect your response?

We aim to respond to your request without undue delay and no later than 1 calendar month counted from the first working day after we are in receipt of your request, and:

  • proof of your identity, and
  • any further information (where we have requested this from you) we need to process your request and/or locate and retrieve your personal information.

Where it is not possible to respond sooner and the last day before expiry of 1 calendar month falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

If your request is complex, we may need to extend the length of time required to respond.

If this applies, we will let you know before the latest due date on which you would be expecting to hear back from us.

The law says we can extend the length of time to respond by a maximum of a further 2 calendar months.

Where it is not possible to respond sooner and the last day before expiry of the 2nd calendar month falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

We will always endeavour to respond as quickly as we can.


Will I have to pay a charge?

Ordinarily we will not charge a fee for fulfilling a request from you.

The only exception is where you make repeat requests for the same or similar information. In these cases, we reserve the right to charge a reasonable fee based on the administrative costs of supplying further copies if we consider a reasonable time period has not intervened since fulfilling a previous request.


Will I get all of the information I am requesting?

Normally this is likely to be the case.

But it is important to note that the right of access to your own information does not extend to information about other people who may be identified in the information that also refers to you.

We may therefore redact personal information about other persons (including third parties) where we are satisfied it is reasonable in the circumstances to do so.

In some cases information may be so interlinked that it is not possible to fulfil your request without breaching another person's privacy rights.

The names of professional staff (whether directly employed by us or not) involved in decision-making about your care and education will often be disclosable and their identities will not be automatically redacted, unless this is warranted in a particular case.

The law recognises that there are occasions when it may be appropriate to withhold certain information and provides exemptions in specified circumstances. 

If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reasons why one or more are necessary.


Can I choose the format in which my information is supplied?

Where you have submitted your request electronically or asked us to respond in a particular format, we will try to do so wherever this is reasonably practicable.  


Can you refuse my request?

In certain circumstances we may refuse to act on your request if we consider that your request is unfounded, excessive or repetitive in nature.