Policy on Access to Information
Part 10
10 The right to restrict processing data
A data subject has the right to obtain from the data controller a restriction on processing data under Article 18 UK GDPR, where one of the following applies:
- the accuracy of the data is contested, for a period enabling the controller to verify the accuracy
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead
- the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims
- the data subject has objected to processing under Article 21(1) GDPR and we’re verifying whether the legitimate grounds of the controller override those of the data subject.
Where processing is restricted, apart from storing the data, the controller shall only process the data:
- with the data subject’s consent
- for the establishment, exercise or defence of legal claims
- for the protection of the rights of another person
- for reasons of important public interest of the Union or Member State
Processing includes obtaining personal information, retaining and using it, allowing it to be accessed, disclosing it and, finally, disposing of it. These UK GDPR rights requests should be responded to by the DPO. As part of dealing with the response, the IRO will also inform the Policy and Stakeholder Relations Manager so they can ensure the person is not invited to take part in any surveys.
Generally speaking, we are not required to comply with requests under Article 18 UK GDPR by complainants about casework material, because we have to process the personal data of Persons Affected to comply with our legal obligations under Part III of the Local Government Act. But we do need to ensure we comply with the requirement that information we hold (and particularly information we produce, e.g. in a decision statement) is accurate (see next section).
See the ICO’s website for the most up-to-date guidance.
11 The right to rectification
Under Article 16 UK GDPR, a data subject may ask the data controller to amend or delete personal data held about them if it is incorrect or incomplete.
To comply with the fourth data protection principle on accuracy (Article 5(1)(d) UK GDPR) we need to:
- take reasonable steps to ensure the accuracy of any personal data we obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.
Where a data subject draws our attention to straightforwardly inaccurate information, such as an incorrect address or phone number, the investigator/case owner should rectify this as soon as possible and let the data subject know this has been done. They should consider whether there have been any consequences arising from the inaccurate information, such as post being sent to the wrong address, and report any data breach immediately.
If data is rectified, we must inform any recipient (including our employees, processors, and third parties) who we have disclosed the data to, about the rectification, unless this is impossible or involves disproportionate effort. The data subject is entitled to request to be informed about these recipients.
If an investigator is challenged about the accuracy of a piece of information in the investigation, see the ‘Additional Advice for Caseworkers’ on the intranet [LINK] for what steps to take.
If we consider the data to be accurate, the DPO must inform the data subject we are not going to act in response to the request and the data subject can complain to the ICO or go to court.
See the ICO’s website for the most up-to-date guidance.
12 The right to object to processing
Data subjects have the right to object to us processing their data, and we must comply with their request unless we can demonstrate our grounds for processing override the data subject’s interests, rights and freedoms. For complainants, this may mean we will continue to process their data to complete our investigation, if that is appropriate. If, however, we concede to their objection and stop processing their data, we must point out to them this means we cannot continue to investigate their complaint.
13 The right to erasure
The right to erasure (or ‘the right to be forgotten’) does not apply when information is being processed for the performance of a public interest task or exercise of official authority. As this is the lawful basis for our investigating complaints, this right is not available to complainants. It may apply to some staff data, and any such requests should be addressed to the Head of HR.
14 The right to data portability
This right only applies to data that is processed by automated means, and where processing is based on the data subject’s consent or the performance of a contract. So it does not apply to complaint data. It could, in theory, apply to some staff data (i.e. what staff enter themselves onto the HR system), but this seems unlikely.
15 Vexatious requests
We are not obliged to provide information under the FOIA if a request is ‘vexatious’ (s.14). This is where we believe the request is disproportionate or unjustified.
It is the request that must be vexatious, not the requester. The key question is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress. The ICO’s guidance refers to indicators of vexatious requests including abusive or aggressive language, unreasonable burden on the authority, personal grudges, unreasonable persistence, unfounded accusations, deliberate intention to cause annoyance and no obvious intent to obtain information.
A request will not be vexatious just because it is difficult to see why the applicant would want the information requested, or because considerable effort is required to retrieve the information.
Where we have complied with a request for information, we do not have to comply with a subsequent identical or substantially similar request from the same person unless a reasonable interval has elapsed between the two requests.
There are no specific provisions in EIR for dealing with these but other exceptions may apply in such cases.