Data Protection

Tees Valley Combined Authority will ensure that its policy upholds the rights and protects the interests of all those with whom the organisation has contact with, by protecting data and information in accordance with legislative and regulatory requirements and provisions. This will be achieved by ensuring that data processing and information exchange systems comply with the six principles of data protection.

The Combined Authority recognises that information relating to the activities of the organisation and its working practices should be made as widely available as possible in the interests of freedom of information. However whilst operating this policy, we must also recognise that some information may be sensitive or confidential and its release may prejudice the activities of the Combined Authority and the privacy of its employees. There are exceptions to Data Protection and exceptions to the rule when an individual exercises one of their “Rights”.

The Combined Authority will ensure that all staff are trained to a high standard to enable them to carry out all their duties in line with legislation and this policy.

Regulation and Legislation

The Data Protection Act 2018 is in place to protect the personal data that organisations hold on staff and other individuals. To comply with the Act, Tees Valley Combined Authority must act in accordance with six principles, which aim to ensure that personal information is:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security

Under the Data Protection Act “personal data” means:
“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”.

For the majority of information that we hold, the Combined Authority acts as the “Data Controller”, i.e. we process information on behalf of staff and other individuals, and decide how best to process, store and secure that information. As a data controller we are registered with the ICO and our registration reference number is Z4969253. Further details can be accessed at

The Combined Authority may also instruct others to process data on our behalf. This is called a “Data Processor” and is any company acting on behalf of the Combined Authority to process information. Where this is the case, the Combined Authority will have a contract with the company which clearly sets out how we expect them to process the information.

Roles and Responsibilities

The below summarises the roles and responsibilities in relation to the Policy. It is important to note that the role of the Data Protection Officer is to provide advice to the organisation and to encourage effective processes. The responsibility for adhering to the regulations lies with each team, to ensure that they have full ownership of the data they process.

Senior Leadership Team is accountable for ensuring:

  • Adequate resource is available in the organisation to deal with the requirements of Data Protection and its procedures
  • This Policy is implemented effectively and adhered to
  • All staff are appropriately trained

Data Protection Officer is responsible for:

  • Providing advice to the organisation
  • Encouraging effective implementation of the policy and its procedures
  • Ensuring the processes are updated according with the law

All staff – should have an awareness of this Policy and act in accordance with the procedures.


Data Asset Register and Privacy Notices

In line with the regulations, the Combined Authority has produced an internal data asset register, and has used the information to produce and publish privacy notices, as appropriate. The information within the asset register and privacy notices has been developed by and is owned by each of the teams processing the data. They include the following information:

  • WHY the personal data is processed i.e. the reason we process
  • WHO the information is about
  • WHAT specific information we are processing
  • WHEN are we processing that information from, and how long for
  • WHERE we are storing that information
  • If the information is shared outside of the Combined Authority, who it is shared with

Data Subject Rights

Note that if information is stored outside of the European Economic Area (EEA), the location is checked against the countries that GDPR considers “adequate”, and if this is not the case, the issue is raised with the Data Protection Officer for consideration as to what information is stored, how sensitive it is and the risks considered.

The data asset register informs the risk register for the Combined Authority and is reviewed regularly.

Data Protection Impact Assessments (DPIAs)

Organisations are required to undertake DPIAs when undertaking any significant changes to the way it processes personal data or when it may be about to take on a new set of personal data. This ensures that it upholds the principles of “privacy by design” and any new project considers and implements the principles of data protection from the beginning. The approach should be proportionate and therefore the Combined Authority will carry out DPIAs as and when required.

Note that in some circumstances the change may be assessed as so significant that it requires the approval of the Information Commissioner’s Office. The Data Protection Officer will co-ordinate such discussions.

Subject Rights

Individuals have access to a set of “Subject Rights” and can exercise them at any time. However, the rights of data subjects differ depending upon the legal basis for the processing of the information. The specific rights will be set out clearly in the privacy notices that the Combined Authority publishes on its website separately to this policy. The full list of rights are as follows:

  • Right to be notified
  • Right to access
  • Right to rectification
  • Right to be forgotten
  • Right to restrict processing
  • Right to portability
  • Right to object
  • Right to restrict automated decision making including profiling

In line with the regulations, most of the Subject Rights will be completed within 30 days (one calendar month), and will be provided free of charge.

Those wishing to submit a data subject access request can do so by contacting:

Data Protection Officer
Tees Valley Combined Authority
Teesside Airport Business Suite,
Teesside International Airport,


[email protected]

Breach Management

There is a requirement under Data Protection to have a documented process to deal with a data breach. All breaches must be logged, and under certain circumstances, a breach must be reported to the Information Commissioner’s Officer with 72 hours of the Combined Authority becoming aware of the breach.

Having this process in place helps in the understanding, damage limitation, evidence gathering, resolution and communication of a breach.

Staff should communicate with the Data Protection Officer immediately if a breach has taken place.

Monitoring and Review

This Data Protection Policy will be reviewed every three years, or in line with legislation.

The accountability for this Policy lies with the Strategy Director and responsibility for providing advice on, and updating this Policy, lies with the Data Protection Officer.

This policy may be subject to an audit in line with the internal audit plan. Elements of Data Protection activities across the Combined Authority are subject to management review and audit at any time to ensure that the Policy is being adhered to.

Stay up to date

Sign up below to enter our mailing list for the Tees Valley Newsletter

Follow Us

Join us on social media for the latest news