Data protection

In order to provide services to local residents and businesses, we collect, use and share considerable amounts of personal data. We are committed to protecting your privacy when we use your personal data. When we process personal data we must comply with our obligations under data protection legislation.

Personal data refers to any information that can identify a living individual, such as their name, address, health conditions or CCTV footage of them.

The EU-wide General Data Protection Regulation and the Data Protection Act 2018 set requirements on how organisations, including councils, can process personal data. Through six principles, the legislation establishes that personal data shall be:

  • processed lawfully, fairly and in a transparent manner
  • collected and processed for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary for those purposes
  • kept accurate, and where necessary, up to date
  • kept in a form that identifies the person for no longer than is necessary
  • processed in a manner ensuring its security

In order to uphold these principles, we have adopted and adhere to a Data Protection Policy, which applies to all staff and Elected Members.

We have also appointed a Data Protection Officer who makes sure we follow the law and respect your rights. If you have any concerns or questions about how we look after your personal information, please contact us.


Post to: Gareth John, Data Protection Officer, Woking Borough Council, Civic Offices, Gloucester Square, Woking GU21 6YL

Why do we need your personal data?

We may need to use your personal data in order to:

  • deliver services to you and manage the delivery of those services
  • train and manage the employment of our workers who deliver those services
  • help investigate any worries or complaints you have about your services
  • keep track of spending on and the quality of services
  • help with research and planning of new services

We are required to identify an explicit, specific purpose for processing any given personal data. Unless the law either allows us or requires us to do otherwise, we will not process your personal data in a way that is incompatible with that original purpose. We will tell you when we collect your personal data what the identified purpose is.

How the law allows us to use your personal data

When we process your personal data, we draw on a legal basis from the legislation. In most cases, we process your personal data in order to carry out duties and powers already laid down in other legislation, or to fulfil the terms of contracts it has with others. In some instances, we may require your consent. In these cases, you can withdraw your consent by contacting us. We will tell you when we collect your personal data what the relevant legal basis is.

How your personal data is handled securely

We keep your personal data secure through a number of technical and organisational measures, such as staff training, password protection and locked storage. We will notify you if your personal data is accidently or unlawfully destroyed, lost, altered or disclosed and that breach presents a high risk to your rights and freedoms.

Personal data is retained according to our document retention schedule. After the prescribed period has elapsed, the personal data is destroyed appropriately, for example, by shredding or, in the case of digital records, secure deletion.

How your personal data is shared

We may share your personal data with other organisations such as private companies, other local authorities and not-for-profit organisations as part of contractual arrangements to provide services. This may include:

  • Mountjoy, which manages the repair and maintenance of our housing stock
  • Freedom Leisure, which provide leisure services in the borough
  • Joint Waste Solutions, which collects waste in the borough
  • Thameswey Group, a housing and energy company owned by us

In cases like these we have arrangements in place with these organisations which ensure that your personal data is protected.

Sometimes we may share your personal data with other organisations without asking your permission. This will only happen when there is a good reason more important than keeping your personal data private, such as fulfilling a statutory duty or responding to a serious risk. For example, we may share your personal data in order to:

  • prevent and detect criminal acts such as fraud
  • safeguard children and vulnerable adults
  • comply with court orders which request personal data
  • protect public funds we administer
  • ensure the security of our ICT infrastructure

We may also receive personal data about you from trusted third parties:

  • other local authorities, such as Surrey County Council and neighbouring district authorities
  • central government and its agencies, such as the Government Digital Service, the Department for Work and Pensions (DWP), the DVLA and HM Revenue and Customs
  • the Police and the Fire and Rescue Service
  • the NHS, including your GP
  • trusted providers of social care
  • if you are a resident of Thameswey Group
  • if you are a customer of Freedom Leisure

Transfer of personal data outside the UK

Data protection legislation requires us to take extra care when your personal data is transferred to another country outside the EU. The vast majority of personal data held by us is stored in the UK. However, there are some occasions where your personal data may leave the UK and the EU either in order to get to another organisation or if its stored in a system outside of this area. If this is the case, it will be transferred in accordance with our statutory obligations including the appropriate safeguards and security measures.

Your data rights

The legislation gives you control over your personal data through a number of data rights, including access to, correction of and deletion of personal data. You can find out more about them and how to exercise them on the data rights page.


When you use our website and other online Council services we sometimes place a small file on your device called a cookie.

The Information Commissioner's Office

For more information about data protection and information law in the UK please visit the Information Commissioner's Office (ICO).

Woking Borough Council is registered with the ICO under registration Z5956782.

You have the right to submit a complaint against Woking Borough Council with the ICO by contacting:

Phone: 0303 123 1113