Skip to content

Data Protection and FOI

Data Protection

The GMCA is a Public Authority and we have a number of legal responsibilities to provide services to you.  These services include the Fire Service, waste collection and disposal and commissioning of services for victims.

To do this we collect, hold and process a large amount of information including personal information about you. Holding this information about you makes us a 'data controller' under Article 4(7) of the General Data Protection Regulation (GDPR).  The GDPR works together with the Data Protection Act 2018 to make sure that your information is collected, stored and shared appropriately.

We will collect your information in many forms dependant on how you are accessing our services.  This may include using paper or online forms, by telephone, email or in person. This information is important and we make sure that it is stored safely and in accordance with current Data Protection Legislation.

You should expect that we will keep a record of any contact you make with us and that we will only hold the information we need.

More details about what the Data Protection Act 2018 and the General Data Protection Regulations are and what they mean for you can be found on the Information Commissioner’s Website.

The legislation requires us to appoint a Data Protection Officer who is responsible for protecting individuals’ personal data according to current legislation.  You can contact the GMCA Data Protection Officer via email at

Types of Information that we process

To allow us to deliver our required services we may process different types of information. This includes the information shown below:

Personal data

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Financial details
  • Employment and education details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • CCTV footage
  • Licenses or permits held
  • Student and pupil records
  • Business activities
  • Service user case file information
  • Birth, death and other data processed by the registrars

Special classes of personal data

  • Physical or mental health information
  • Racial or ethnic origin
  • Trade union membership
  • Political affiliation
  • Political opinions
  • Religious or other beliefs of a similar nature
  • Sexual life or sexual orientation
  • Criminal offences (including alleged offences)
  • Criminal proceedings, outcomes and sentences

Using your personal information

In deciding what personal data we need, we will:

  • Only collect, hold and use your personal information where it is necessary for us to do so to ensure we can deliver you the best service.
  • Securely delete or destroy your personal information when we no longer need it
  • Keep your personal information safe and secure.
  • Take into account your privacy when planning to use or hold your personal information in new ways, such as using new systems or improving the way we work.
  • Be open with you about how we use your information and who we share it with.
  • Make it easy for you to see and correct your personal information.

What do we do with your information?

We may use your personal information to:

  • Communicate with you and provide services and information appropriate to your needs.
  • Check our performance in responding to you.
  • Ensure that we meet all our legal obligations.
  • Enforce the law such as licensing, planning enforcement, trading standards and food safety.
  • Process financial transactions including grants, payments and benefits or we are acting on behalf of other government bodies, for example the Department for Works and Pensions.
  • Protect you or others from harm or injury

We may also use your information or pass it to external organisations for other purposes allowed under relevant Data Protection and other legislation or where you have consented for it to be used for a particular purpose.

We may also use your information to calculate statistical information to prioritise activities, target and plan the provision of services. We make sure that you cannot be identified when we use your information like this.

Specifically this means that we may use your information to:

  • Maintain our own accounts and records
  • Support and manage our employees
  • Manage our property
  • Enable licensing and regulatory activities
  • Provide services required by us as a public service
  • Prevent crime and prosecute offenders including the use of CCTV
  • Administer any corporate activities we are required to carry out as a data controller and public authority
  • Undertake research
  • Provide commercial and non-commercial activities that we undertake as a public body
  • Support internal financial and corporate functions
  • Manage archived records for historical and research reasons
  • Undertake data matching for local and national fraud initiatives
  • Improve public health
  • Assist in disputes or potential cases of malpractice
  • Investigate complaints

We may also use your information to help to target some of our services and let you know what information or activities may be available to help you. This may include:

  • Promoting the services we provide
  • Marketing our local tourism
  • Carrying out health and public awareness campaigns
  • Providing leisure and cultural services
  • Local fraud initiatives
  • Carrying out surveys

Who do we share your information with?

We sometimes share your information with service providers. This could include Hospitals, GPs or other Health and Care services along with other groups like Housing Associations, Voluntary and Charitable Societies, and the Greater Manchester Police. This will make it easier for you to get the services you need when you need them and will reduce the number of times you have provide the same information.

We may also share information for research and evaluation purposes. This helps us to make sure we are providing the right services, in the right areas, in the right way.

We will always make sure we have a legal basis for processing or sharing your personal information and that we comply with current GDPR and Data Protection legislation.  Anyone working with us must follow the same strict rules we do when using your personal information.

Legal Basis for Processing

As a Public Authority we have legal responsibilities to provide services to residents.  As a result of these responsibilities we can use your information to support us in providing these services.  This makes us a 'data processor' under Article 4(8) of the General Data Protection Regulation.  Processing includes collection, recording, storing, changing, sharing or destroying your information.

We have listed below some of the legal acts and regulations that detail the responsibilities and powers we have to provide our services to you:

  • Localism Act 2011
  • Health and Social Care (Safety and Quality) Act 2015
  • Children Act 2004
  • Health and Social Care Act 2001
  • Health and Social Care (Community Health and Standards) Act 2003
  • National Health Service Act 2006
  • Social Security (Claims and Information) Regulations 1999
  • Care Act 2014
  • Crime and Disorder Act 1998
  • Housing Act 1996
  • Homelessness Act 2002
  • Education Act 2011
  • Education and Skills Act 2008
  • Fire and Rescue Services Act 2004
  • Regulatory Reform (Fire Safety) Order 2005
  • Environmental Protection Act 1990
  • Environment Act 1995
  • Police Reform and Social Responsibility Act 2011

We will use this and other legislation to make sure that what we do with your information is lawful.

When we are sure that the way we want to use your information is lawful, we will only process it in line with the General Data Protection Regulations (GDPR) and current Data Protection Legislation.

According to Article 6 of the GDPR, at least one of the conditions below must apply whenever we process your personal data:           

  1. Consent: you have given clear consent for us to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have with you.
  3. Legal obligation: the processing is necessary for us to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of someone else unless there is a good reason to protect your personal information

More sensitive information or ‘special categories’ of information have stricter rules for processing according to Article 9 of the GDPR. These categories include:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation.

Information on criminal offences is also considered a special category and must be processed according to Article 10 of the GDPR.

Research and Evaluation

In addition to sharing information to improve the delivery of services, we may also share information with other public organisations to create statistical and anonymised data to:

  • Better plan how we provide services to our community;
  • Help improve services and to make sure they are effective;
  • Be published in various reports that will be publically available;
  • Improve the health of the population as a whole

By anonymising the data we can make sure that it will not contain any personal information. So you, your family or any individual person cannot be identified.

The personal information we use may include name, contact details, family details, lifestyle and social circumstances, financial details and information about services that have been provided or offered and not accepted.

We may also share ‘special categories’ of information which may include physical or mental health details, racial or ethnic origin and religious or other beliefs.

Your information may be shared with service providers, survey and research organisations.  Information will be anonymised before any research is used or made public.  This means that any information that identifies you as a person or your family or carers will be removed before the information or results of any research or evaluation are made public.

When we use your information for research and evaluation reasons we still comply with current Data Protection legislation and the General Data Protection Regulation.  

Detect and prevent fraud or crime

By law we have to protect the public funds we are responsible for. This means we may use the information you provide to prevent and detect fraud. This may involve sharing your information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other public bodies, HM Revenue and Customs, and the Police.

Data matching may also be used to identify errors and potential frauds. This means that we take information from different places and put it together to give a better picture of what is happening.  We may also take part in national data matching exercises undertaken by the Audit Commission.

Information may be shared with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent harm to an individual.

What we do before we share information

Whenever we want to share your information with anyone we will carry out a Data Protection Impact Assessment and record the results.  These include but are not limited to:

  • What specific information is to be shared
  • The purpose of the sharing
  • The lawful basis for the sharing
  • An evaluation of the potential risks that the sharing would create and how we lessen them
  • How the information will be kept secure

The Information Commissioner’s Office have issued a Code of Practice, that explains the process we must go through when we do a Data Protection Impact Assessment

Find out more about how and when it is appropriate to share your information from the Information Commissioner’s website.

We may also pass your information to other people and organisations providing a service on our behalf. These providers are legally obliged to keep your details securely and use them only to provide the service to you in accordance with our instructions.

Additional Information processing

Your information may also be shared with other people and organisations where the organisations are required by law to do so or with appropriate justification under the Data Protection Act 2018, for example where a crime is being investigated we may share your information with the police without your knowledge or consent.

What do we do to make sure your information is secure?

The information you provide will be subject to rigorous procedures to make sure it can’t be seen, accessed or shared with anyone who shouldn’t see it. 
These include

  • All staff receive specific information security training.
  • All staff comply with Information Security policies and procedures. These set out how your information is protected and what happens if the security of the information is breached
  • All the laptops used by staff are encrypted and need a unique logon password and ID to access the computer systems.
  • All desktop computers need a unique logon password and ID to access the computer systems.
  • Staff only have access to the information they need to do their job.  This means if they are not the right person in the right team, they will not be able to see your information.
  • Staff with access to the most sensitive information may need to have a Disclosure and Barring Service (DBS) check.   This check will show any criminal convictions which may mean the staff member cannot be trusted with your information

We also have responsibilities to keep our computer systems secure and take steps to stop outside malicious access also known as hacking. This requires us to comply with requirements specified by Central Government, along with requirements specified by NHS Digital.

How long will you hold onto my information?

There is legislation to tell us how long we must keep some of your information. This can vary from 1 year up to 100 years depending on what the information relates to

Your information will be held for no longer than this legislation says it must be held for.  Not all of the information we hold has its retention stated in law and in these cases we use recommendations from legal advisors and other specialists to decide how long to keep it. 

All decisions that are not based on legal requirements have good, solid reasoning to make sure information is not kept too long.

All of these legal requirements and formal decisions are recorded in our retention schedule which should be available on our website.  If you cannot find the retention schedule please contact us on

What are my rights of access to my information?

The GDPR gives you the following rights over your information

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erase
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

For more information on the GDPR and your rights go to the Information Commissioners Website.

How can I exercise these rights?

To find out what information we hold about you, you need to make a Subject Access Request in writing.  If you wish to exercise any of your other information rights please contact us on

If you are not satisfied with the response from us you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s Website.

Who we process information about

We will process information about:

  • Citizens
  • Suppliers
  • Staff, people contracted to provide a service
  • Complainants, enquirers or their representatives
  • Professional advisers and consultants
  • Students and pupils
  • Carers or representatives
  • Landlords
  • Victims
  • Witnesses
  • Offenders and suspected offenders
  • Licence and permit holders
  • Traders and others subject to inspection
  • People captured by CCTV images
  • Representatives of other organisations


Like most websites we use 'cookies' to collect anonymous statistics about how people use the site, and to help us keep it relevant for the user. Cookies 'remember' bits of information from your visit to the site.

A cookie is a simple text file that's stored on your computer or mobile device by a website's server. Only that server can retrieve or read the contents of that cookie. Each cookie is unique to your web browser. So if we put a cookie on your computer, it can't be read by any other website.

Like most websites we use 'cookies' to collect anonymous statistics about how people use the site, and to help us keep it relevant for the user. Cookies 'remember' bits of information from your visit to the site.

A cookie is a simple text file that's stored on your computer or mobile device by a website's server. Only that server can retrieve or read the contents of that cookie. Each cookie is unique to your web browser. So if we put a cookie on your computer, it can't be read by any other website.
We use two types of cookie:

  • 'session cookies' last as long as your current visit to the site, or for up to a limited amount of time if you keep the site open without using it. They mean you don't have to keep re-submitting information as you move through the site or carry out transactions.
  • 'persistent cookies' remember information from previous visits, for example names and details for online forms. They are used to collect anonymous statistics about how many people use the site, and to maintain any settings (such as accessibility) you have changed.

How we use cookies to collect statistics

To improve our service we collect anonymous web statistics using programmes called Google Analytics and SiteImprove.

They store several cookies on users' computers or mobiles devices to tell us how many people have visited each web page, how they got there, and where they navigated to from there. The data collected is completely anonymous and does not store any personal details.

Changing your cookie settings

You can change your computer settings at any time to accept all cookies, to notify you when a cookie is issued, or not to receive cookies. How you do this depends on your web browser.

Freedom of Information (FOI)

The Freedom of Information Act (FOIA) gives you the right to access recorded information held by public sector organisations. Anyone can request information – there are no restrictions on your age, nationality or where you live.

1. Introduction

The Greater Manchester Combined Authority ("the Authority") is committed to open government and the proactive release of the information it holds.

2. What is the Freedom of Information Act 2000?

The Freedom of Information Act 2000 ("the Act") grants a right of access to information held by public authorities. It promotes openness and accountability among public sector organisations so that everyone can understand how authorities make decisions, carry out their duties and spend public money.

As such, any person who makes a request for information to the Authority is entitled to be informed, subject to any exemptions, whether the Authority holds that information and, if so, to be supplied with that information.

There are some exemptions to this general right of access. These are known as 'absolute exemptions' and 'qualified exemptions'. If a qualified exemption applies, then it is subject to the public interest test.

This means the Authority must decide whether in each case it serves the public interests better to withhold or disclose the information requested.

3. What is a Publication Scheme?

Every public authority subject to the Freedom of Information Act is required to adopt and maintain a publication scheme setting out what information will routinely be made available, how the information can be accessed and whether or not the information is free of charge.

The idea of a publication scheme is to try and make sure as much information as possible is freely available and easy to access so you do not need to make a specific request.

The Authority has adopted the Information Commissioner's Office's (ICO's) model publication scheme. The scheme consists of information already published and held by the Authority or information which is to be published in the future.

All information in our publication scheme is either available for you on our website to download and print off, or is available in traditional document form. Information within the publication scheme will be available either free, or at a charge.

Some information may not be made available when:

  • We do not hold the information.
  • The information is exempt from disclosure.
  • We cannot easily access the information.

4. Classes of information published by the Authority

The ICO's model publication scheme identifies 7 "classes" of information as follows:

The Authority is required to specify the information which it holds and which falls within those categories of information and has produced a simple guide which lists the specific information it publishes within each of the above classes.

5. How to make a request for information not contained in the Publication Scheme

The Authority includes as much information in the scheme as it can. However, if you cannot find what you are looking for you can make a request for information.

The Act gives you the right to express a preference for information to be provided in a particular way and we will do our best to help with this so far as reasonably practicable. In order for us to ensure your application is dealt with promptly you must provide:

  • your name and address so we can respond to your request;
  • a clear and understandable written request with enough detail to locate the information;
  • an indication about the form in which you would like the information.

Some documents may include exempt information; in this case you will only be furnished with the information which is not exempt.

The Authority is obliged to disclose the information you request within 20 working days unless a fees notice is applicable or the Authority requires a reasonable extension of time to consider the public interest test.

Where the information is exempt, the Authority will state so and explain its decision. You have the right to request an internal review of the Authority's decision and if you are still not satisfied, to complain to the Information Commissioner.

Our Integrated Support Team administers Freedom of Information on behalf of the GMCA. If you wish to provide feedback about our publication scheme or if you require further assistance, please contact:

Greater Manchester Combined Authority,
Church Gate House,
56 Oxford Street,
M1 6EU 

6. Making a complaint

If you are dissatisfied with the handling of a Freedom of Information request, you have the right to ask for an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to your original letter and should be addressed to:

Greater Manchester Combined Authority,
Church Gate House, 
56 Oxford Street, 
M1 6EU 

If you are not content with the outcome of the internal review, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

Information Commissioner's Office,
Wycliffe House,
Water Lane,

7. Comments/feedback about our Publication Scheme

Our Integrated Support Team administers Freedom of Information on behalf of the GMCA.

If you wish to provide feedback about our publication scheme or if you require further assistance, please contact the Greater Manchester Integrated Support Team:

Greater Manchester Combined Authority,
Churchgate House,
56 Oxford Street,
M1 6EU

8. Fees and cost of compliance

Material which is published and accessed on the website can be downloaded free of charge.
The Authority does not make charges for reasonable requests for hard copy information. However, if a charge for information is applicable, this will be in respect of:

  • reproducing any document containing the information e.g. printing or photocopying
  • postage and other forms of transmitting the information.

Where a charge is applicable, you will be sent a fees notice specifying the fee and the requirement to pay within 3 months of the fees notice being issued. If the Authority does not receive payment within that period, it is no longer obliged to respond to your request.

Under the Act, a public authority does not have to comply with a request for information if the cost of compliance exceeds the appropriate limit set by the Fees Regulations. However, the Authority will inform you if the limit will be exceeded and will try to let you know what can be provided within the limit.

Despite not being obliged to provide the information which exceeds the limit, the Authority will still be under a duty to provide advice and assistance.

9. Review of Publication Scheme

The Authority will review its publication scheme on an annual basis. However, material contained within the classes of information will be updated as required and any out-of-date information will be removed.

The publication scheme is maintained by the Information Officer whose details are set out in Section 5 above.