Under Data Protection laws, we are the data controller for the information you provide to us.
Information we collect from you
We are registered with the Information Commissioner’s Office (ICO) with registration number Z631608X.
Below, you’ll find our Privacy Notice for a variety of services we provide with further details about who we may share your information with and why.
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please call our Data Protection Officer on 01438 242242. Alternatively, send an email to firstname.lastname@example.org.
Personal Data is information that relates to a living individual who can be identified directly from the information or indirectly when put together with other information. It also includes any expression of opinion or indication of intentions in respect of an individual.
Personal data will therefore cover basic details such as your name, address, telephone number, and date of birth.
This is often known as “sensitive personal data” as it needs more protection due to its sensitivity.
Examples of 'sensitive personal data' include:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic or biometric data
- criminal history
Your information and the Law
Data protection laws permit us to collect and use the information you provide us when:
- you, or your legal representative have given us consent
- you have entered into a contract with us
- it is necessary to perform our public functions and statutory duties
- it is necessary to protect you or someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to provide health or social care services
- you have made your information publicly available
- it is necessary for legal cases or to defend legal claims
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes.
In any event, we will only ever ask for information that is absolutely necessary and does not constitute an invasion of your privacy.
If we have consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact email@example.com and tell us which service you’re using so we can deal with your request.
Collecting and using your information
We collect and use your information to provide effective and efficient services.
We use your personal information within the rules set out in data protection laws, for the following reasons:
- To deliver services and support to you, e.g. using your benefit claim form information to process your benefit claim.
- To help investigate your concerns and respond to requests.
- Monitor our performance in responding to your queries or complaints to ensure we meet legal requirements.
- To allow us to communicate and provide services appropriate to your needs.
- Where we are legally obliged to process your information e.g. for licensing, planning enforcement, food safety, prevention and/or detection of fraud and crime.
- To manage all financial transactions to and from us, including payments, grants and benefits.
- To recover all monies due or owed to us using all available information at our disposal to protect public funds.
- To notify residents and service users of proposed or planned changes to services that may affect them.
- To assist us in responding to emergencies or major accidents. This allows us, in conjunction with the emergency services, to identify individuals who may need additional support.
- To inform you about our products and services and obtaining your opinions about them.
- To ensure that we meet our statutory obligations, including those related to diversity and equal opportunity.
Sharing your information with other Council services
To provide a co-ordinated and more responsive service we focus on making it easy for you to engage with us. Sharing your information with other Council services allows us to re-use information and minimise the time taken when you contact us in the future.
We aim to have a centralised system for containing your basic details, and information about your transactions. This will avoid us asking you to repeat basic information all the time. It will also help us to tailor our services to meet your needs, and ensure that your requests are being dealt with, and not lost in 'the system'. However, you always have the right to opt out of this or any other data sharing initiatives - by not providing us with your information.
Sharing your information with third parties
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in in place to make sure that the organisation complies with data protection law.
We may disclose your information to third parties with your consent, or where it is necessary, either to comply with a legal obligation, or where permitted under data protection laws, (i.e. where sharing is necessary for the purposes of fraud and crime prevention), or where it is necessary to allow a third party to carry out work for or on behalf of us.
Organisations that we may share your information include:
Councillors, MPs, The Cabinet Office, the National Fraud Initiative, The Department for Work and Pensions, other Local Authorities, Her Majesty’s Revenues and Customs, the Police, the Fire Service, Ambulance Service, Health & Social Care providers and agencies, the Housing Ombudsman, credit reference agencies, service providers and contractors, partner agencies/bodies.
We’ll often complete a privacy impact assessment (PIA) before we share personal information to make sure we protect your privacy and comply with the law.
We will not use your personal data for third party marketing purposes without your prior express consent.
Where we seek to disclose your sensitive personal information, such as medical details, to third parties, we will do so only with your prior express consent or where we are legally required to do.
We may also share your personal information when we feel there’s a compelling reason that’s more important than protecting your privacy. This will not happen often, but we may share your information: in order to detect and prevent crime and fraud; or if there are serious risks to the public, our staff or to other professionals; to protect a child; or to protect vulnerable adults who are thought to be at risk.
If we’re are concerned about your physical safety or belief we need to take action to protect you harm in other ways, we’ll discuss this first with you and, if possible, get your permission to inform others about your situation before sharing any information. However, we may still disclose your information, if we believe the risk to others is serious enough to do so.
For all of these reasons the risk must be serious before we can override your right to privacy.
Location of your information
We will not normally transfer any of your information outside of the European Union. But on very rare occasions your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside of the EU. We have additional protections to protect your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that particular third party.
We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.
How long we keep your information
We will process the information you provide in a manner that is compatible with the Data Protection Act. We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept, but in most cases we will use our discretion to ensure that we do not keep records outside of our normal business requirements - i.e. providing a service to you.
Please refer to our retention guidance (to follow) for further information.
All decisions made by us are based on assessments carried out by officers from our respective service teams and are not made solely by computers.
Only using what we need
Where we can, we’ll only collect and use personal information if we need it to deliver a service or meet a requirement.
If we don’t need your personal information we’ll either keep you anonymous, if we already have it for something else, or we won’t ask you for it. For example in a questionnaire or feedback survey we may not need your contact details and will only collect your survey responses.
If we use your personal information for research and analysis purposes, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal information can be used for that research.
We do not sell your personal information to anyone else.
The law gives you a number of rights to control what personal information is used by us and how it is used by us. You are legally entitled to request access to any of your information that is held by us, or to ask us to limit or stop the processing of your personal information in relation to any of our services. Further details about your rights are provided below, however in summary:
You also have the right to:
- object to processing of personal data that is likely to cause, or is causing you damage or distress
- prevent the processing of your information for the purposes of direct marketing
- object to decisions being taken by computers
- in certain circumstances, have inaccurate personal information amended, blocked, erased or destroyed
- claim compensation for damages caused by serious breaches of data protection rules
We will seek to comply with your request but there may be some situations where we will not be able to do this in full, for example:
- Where there is a legal requirement or where information held was given in confidence.
- Information a professional thinks will cause serious harm to you or someone else’s physical or mental well-being.
- If we think that giving you the information may stop us from preventing or detecting a crime.
This applies to personal information that is in both paper and electronic records. If you ask us, we’ll also let others see your record (except if one of the points above applies).
If you can’t ask for your records in writing, we’ll make sure there are other ways that you can. If you have any queries about access to your information please contact firstname.lastname@example.org or telephone 01438 242242.
Deleting your information
In some circumstances you can ask for your personal information to be deleted, for example:
- Where your personal information is no longer needed for the reason why it was collected in the first place.
- Where you have removed your consent for us to use your information (where there is no other legal reason us to use it).
- Where there is no legal reason for the use of your information.
- Where deleting the information is a legal requirement.
Where your personal information has been shared with others, we’ll do all we can to make sure those using your personal information also comply with your request for erasure.
Please note that we can’t delete information where:
- we’re required to retain it by law
- it is used for freedom of expression and information
- it is used for public health purposes
- it is for scientific or historical research, or statistical purposes where it would make information unusable
- it is necessary for defence or taking action regarding legal claims
You have the right to ask us to restrict what we use your personal information for where:
- You have identified inaccurate information, and have told us of it.
- Where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether.
When information is restricted it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interest reasons.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any service. However, if this request is approved this may result in delays or prevent us delivering a service.
Where possible we’ll seek to comply with your request, but we may need to hold or use information due to legal obligations.
Moving your information to another provider
You have the right to ask for your personal information to be returned to you or another service provider of your choice in a commonly used computer format. This is called data portability.
However, this only applies if we’re using your personal information with your consent (and not if we’re required to by law) and if decisions were made only by a computer and not a person.
This particular right will be unlikely to apply to most of the services you receive from us.
Automated decision making and "profiling".
You have the right to question decisions made about you made by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.
You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your medical or health conditions.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how we use your information.
How we protect your information
We’ll take all possible steps to protect the information we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of our security include:
- Secure emails - use of secure email networks to ensure that sensitive information is safely shared.
- Pseudonymisation - meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of our organisation could work on your information for us without knowing it was you.
- Controlling access to systems and networks - allows us to prevent people not permitted to view your personal information from gaining access to it.
- Staff Training - allows us to make all our staff aware of how to handle information and how to report incidents or issues regarding the use of information.
- Regular testing of our IT systems - ways of working including keeping up to date on the latest security updates and training all our staff on protecting and using information securely.
Making a complaint
We will always try to help you with queries and respond appropriately to all requests regarding the processing of your information.
If you have a concern about the way we are collecting or using your personal data or are not satisfied with the way we handle your requests please raise your concern with us in the first instance to allow us to investigate.
If you are still not satisfied with our internal review procedure, you can refer your concerns to the Information Commissioner’s Office on their website or write to:
Information Commissioner's Office
To request access to your personal information, or to report inaccuracies, or raise a complaint please email us at email@example.com or telephone us on 01438 242242.
EU General Data Protection Regulations (GDPR)
The EU General Data Protection Regulation law provides additional rights for all citizens within the European Union regarding the way organisations like us handle your personal information.
Data Protection Act 2018
This Data Protection Act 2018 makes requirements of the GDPR into UK legislation, ensuring that UK data protection rules are the same with EU law.