Privacy Policy

What information do we collect from you?

Under Data Protection laws, the Council is the data controller for the information you provide to us and is registered with the Information Commissioner’s Office (ICO) with registration number Z631608X. 

To the left of this webpage you’ll find a list of services we provide with further details about who we may share your information with and why - to follow.

We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact our Data Protection Officer, Dumi Williams, at dpa@stevenage.gov.uk or by calling 01438 242242 and asking to speak to the Data Protection Officer.

Personal Data

What is Personal Data?

Personal Data is information that relates to a living individual who can be identified directly from the information or indirectly when put together with other information. It also includes any expression of opinion or indication of intentions in respect of an individual.

Personal data will therefore cover basic details such as your name, address, telephone number, and date of birth.

Special categories of personal information

This is often known as “sensitive personal data” as it needs more protection due to its sensitivity.

Examples of 'sensitive personal data' include:

  • sexuality and sexual health
  • religious or philosophical beliefs
  • ethnicity
  • physical or mental health
  • trade union membership
  • political opinion
  • genetic or biometric data
  • criminal history

How the law allows the Council to use your information

Data protection laws permits the Council to collect and use the information you provide us when:

  • you, or your legal representative, have given us consent
  • you have entered into a contract with us
  • it is necessary to perform our public functions and statutory duties
  • it is necessary to protect you or someone in an emergency
  • it is required by law
  • it is necessary for employment purposes
  • it is necessary to provide health or social care services
  • you have made your information publicly available
  • it is necessary for legal cases or to defend legal claims
  • it is to the benefit of society as a whole
  • it is necessary to protect public health
  • it is necessary for archiving, research, or statistical purposes.

In any event, we will only ever ask for information that is absolutely necessary and does not constitute an invasion of your privacy.

If we have consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact dpa@stevenage.gov.uk and tell us which service you’re using so we can deal with your request.

How and why we collect and use your information?

We collect and use your information to provide effective and efficient services.

We use your personal information within the rules set out in data protection laws, for the following reasons:

  • To deliver services and support to you, e.g. using your benefit claim form information to process your benefit claim.
  • To help investigate your concerns and respond to requests.
  • Monitor the Council’s performance in responding to your queries or complaints to ensure we meet legal requirements.
  • To allow us to communicate and provide services appropriate to your needs.
  • Where we are legally obliged to process your information e.g. for licensing, planning enforcement, food safety, prevention and/or detection of fraud and crime.
  • To manage all financial transactions to and from the Council, including payments, grants and benefits.
  • To recover all monies due or owed to the Council using all available information at our disposal to protect public funds.
  • To notify residents and service users of proposed or planned changes to services that may affect them.
  • To assist the council in responding to emergencies or major accidents. This allows the council, in conjunction with the emergency services, to identify individuals who may need additional support.
  • To inform you about our products and services and obtaining your opinions about them.
  • To ensure the Council meets its statutory obligations, including those related to diversity and equal opportunity

What do we do with your information?

Share with other council services

To provide a co-ordinated and more responsive service we focus on making it easy for you to engage with the Council. Sharing your information with other council services, allows us to re-use information and minimise the time taken when you contact us in the future.

We aim to have a centralised system for containing your basic details, and information about your transactions. This will avoid us asking you to repeat basic information all the time. It will also help us to tailor our services to meet your needs, and ensure that your requests are being dealt with, and not lost in 'the system'. However, you always have the right to opt out of this or any other data sharing initiatives - by not providing us with your information.

Share with third parties

We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in in place to make sure that the organisation complies with data protection law.

We may disclose your information to third parties with your consent, or where it is necessary, either to comply with a legal obligation, or where permitted under data protection laws, (i.e. where sharing is necessary for the purposes of fraud and crime prevention), or where it is necessary to allow a third party to carry out work for or on behalf of the Council.

Organisations that we may share your information include; Councillors, MPs, The Cabinet Office, The Department for Work and Pensions, other local Councils, Her Majesty’s Revenues and Customs, the Police, the Fire Service, Ambulance Service, Health & Social Care providers and agencies, the Housing Ombudsmen, credit reference agencies, service providers and contractors and partner agencies/bodies.

We’ll often complete a privacy impact assessment (PIA) before we share personal information to make sure we protect your privacy and comply with the law.

We will not use your personal data for third party marketing purposes without your prior express consent.

Where we seek to disclose your sensitive personal information, such as medical details, to third parties, we will do so only with your prior express consent or where we are legally required to do.

We may also share your personal information when we feel there’s a compelling reason that’s more important than protecting your privacy. This will not happen often, but we may share your information: in order to detect and prevent crime and fraud; or if there are serious risks to the public, our staff or to other professionals; to protect a child; or to protect vulnerable adults who are thought to be at risk.

If we’re are concerned about your physical safety or belief we need to take action to protect you harm in other ways, we’ll discuss this first with you and, if possible, get your permission to inform others about your situation before sharing any information. However, we may still disclose your information, if we believe the risk to others is serious enough to do so. 

For all of these reasons the risk must be serious before we can override your right to privacy.

Location of your information

We will not normally transfer any of your information outside of the European Union. But on very rare occasions your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside of the EU. We have additional protections to protect your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that particular third party.

We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.

How long we keep your information?

The Council will process the information you provide in a manner that is compatible with the Data Protection Act. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept, but in most cases the Council will use its discretion to ensure that we do not keep records outside of our normal business requirements - i.e. providing a service to you.

Please refer to our retention guidance for further information.

Automated decision-making

All decisions made by the Council are based on assessments carried out by officers from the Council’s respective service teams and are not made solely by computers.

Only using what we need

Where we can, we’ll only collect and use personal information if we need it to deliver a service or meet a requirement.

If we don’t need your personal information we’ll either keep you anonymous, if we already have it for something else, or we won’t ask you for it. For example in a questionnaire or feedback survey we may not need your contact details and will only collect your survey responses.

If we use your personal information for research and analysis purposes, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal information can be used for that research.

We do not sell your personal information to anyone else.

Your Rights

The law gives you a number of rights to control what personal information is used by us and how it is used by us. You are legally entitled to request access to any of your information that is held by us, or to ask us to limit or stop the processing of your personal information in relation to any Council service. Further details about your rights are provided below, however in summary:

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing you damage or distress
  • prevent the processing of your information for the purposes of direct marketing
  • object to decisions being taken by computers
  • in certain circumstances, have inaccurate personal information amended, blocked, erased or destroyed; and
  • claim compensation for damages caused by serious breaches of data protection rules

We will seek to comply with your request but there may be some situations where we will not be able to do this in full for example;

  • where there is a legal requirement or where information held was given in confidence;
  • information a professional thinks will cause serious harm to you or someone else’s physical or mental wellbeing; or
  • if we think that giving you the information may stop us from preventing or detecting a crime

This applies to personal information that is in both paper and electronic records. If you ask us, we’ll also let others see your record (except if one of the points above applies).

If you can’t ask for your records in writing, we’ll make sure there are other ways that you can. If you have any queries about access to your information please contact dpa@stevenage.gov.uk or telephone 01438 242242.

Deleting your information (right to be “forgotten”)

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the reason why it was collected in the first place
  • Where you have removed your consent for us to use your information (where there is no other legal reason us to use it)
  • Where there is no legal reason for the use of your information
  • Where deleting the information is a legal requirement

Where your personal information has been shared with others, we’ll do all we can to make sure those using your personal information also comply with your request for erasure.

Please note that we can’t delete information where:

  • we’re required to retain it by law
  • it is used for freedom of expression and information
  • it is used for public health purposes
  • it is for, scientific or historical research, or statistical purposes where it would make information unusable
  • it is necessary for defence or taking action regarding legal claims

Limiting what we use your personal data for

  • You have the right to ask us to restrict what we use your personal information for where:
  • you have identified inaccurate information, and have told us of it
  • where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether

When information is restricted it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interest reasons.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information for any council service. However, if this request is approved this may result in delays or prevent us delivering a service.
 
Where possible we’ll seek to comply with your request, but we may need to hold or use information due to legal obligations.

Moving your information to another provider (“data portability”)

You have the right to ask for your personal information to be returned to you or another service provider of your choice in a commonly used computer format. This is called data portability.

However, this only applies if we’re using your personal information with your consent (and not if we’re required to by law) and if decisions were made only by a computer and not a person.

This particular right will be unlikely to apply to most of the services you receive from the Council.

Requesting information and about any computer made decisions to you, and details about how we may have ‘risk profiled’ you.

You have the right to question decisions made about you made by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your medical or health conditions.

If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how we use your information. 

How do we protect your information?

We’ll take all possible steps to protect the information we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of our security include:

  • Secure emails:  Use of secure email networks to ensure that sensitive information is safely shared.
  • Pseudonymisation: meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without knowing it was you.
  • Controlling access to systems and networks: Allows us to prevent people not permitted to view your personal information from gaining access to it.
  • Staff Training: Allows us to make all our staff aware of how to handle information and how to report incidents or issues regarding the use of information
  • Regular testing of our IT systems: and ways of working including keeping up to date on the latest security updates and training all our staff on protecting and using information securely.

Making a complaint

We will always try to help you with queries and respond appropriately to all requests regarding the processing of your information.

If you have a concern about the way we are collecting or using your personal data or are not satisfied with the way we handle your requests please raise your concern with us in the first instance to allow us to investigate.

If you are still not satisfied with the council’s internal review procedure, you can refer your concerns to the Information Commissioner’s Office on their website or write to:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

To request access to your personal information, or to report inaccuracies, or raise a complaint please email us at dpa@stevenage.gov.uk or telephone us on 01438 242242.

EU General Data Protection Regulations (GDPR)

This new data protection law comes into force on 25 May 2018, and provides additional rights for all citizens within the European Union regarding the way organisations, like the Council handle your personal information.

Data Protection Act 2018

Currently this new data protection law is expected to come into force later this year and replace the current data protection act. This new law will make requirements of the GDPR into UK legislation, ensuring that UK data protection rules are the same with EU law.

We are currently preparing for these new pieces of legislation and will provide further details on how we aim to meet the new requirements. For further details about the GDPR please visit the ICO’s website