We are committed to protecting your personal data and privacy and to complying with all the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and other privacy laws.
What is personal data?
Personal data is any information that can identify a living individual, so it could be a name, address, bank account details, or even IP address.
There are also 'special categories' of personal data, otherwise known as 'sensitive personal data'. These include; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric and health data, sex life or sexual orientation.
What do we use personal data for?
We only process personal information for specific purposes, for the efficient and effective delivery of our services. ‘Processing’ includes the collection, use, storage, disclosure and deletion of information.
Our registration reference, as Data Controller, is Z6208207, with the Information Commissioner’s Office (ICO).
There may be instances where we share data with another party as Joint Data Controllers, or where we operate as a Data Processor for another party.
Data Protection Officer
We have a designated Data Protection Officer (DPO), who is our point of contact with the ICO. The DPO is responsible for advising the Council, its contractors and partners on their data protection responsibilities, for assigning responsibilities, monitoring compliance, ensuring appropriate awareness and training and for undertaking and complying with data protection audits.
Our Data Protection Officer is: Assistant Director Governance (Monitoring Officer)
The data protection principles
We will seek to comply with the GDPR data protection principles:
- Lawful, fair and transparent - process all personal information lawfully, fairly and in a transparent manner.
- Purpose limitation - collect personal information for a specified, explicit and legitimate purpose.
- Data minimisation - ensure the processing of personal information is adequate, relevant and limited to the purposes for which we collect it.
- Accuracy - ensure personal information is accurate and up to date.
- Storage limitation - keep personal information for no longer than is necessary for the purpose(s) for which it is collected.
- Integrity and confidentiality - keep personal information securely, using appropriate technical or organisational measures.
The lawful bases for processing personal data
The first data protection principle requires that whenever we process personal data, we do so lawfully. As a local authority, most of our processing is for; ‘the performance of a task carried out in the public interest or in the exercise of official authority,’ otherwise known as ‘public task.’ This means that in most circumstances, we do not require consent to process or share personal information with our contractors or partners.
There are a limited number of situations where we require an individual’s consent to process personal information, such as emailing newsletters to residents and businesses. Occasionally we may require consent when additional information (which is not essential to deliver a service to you) may provide further assistance in supporting an application you may make to the Council. Where this is the case, we will make it clear that consent is needed and you will have the right to withdraw consent at any time.
Sometimes we may process personal data for other reasons, such as for the performance of a contract, to comply with a legal obligation or in a person’s vital interests.
Whenever we collect personal data, we will aim to provide the particular lawful basis that applies in a privacy notice. So for example, if you are completing one of our forms to request a replacement green box for recycling, we will tell you that we are collecting personal data for the lawful basis known as ‘public task.’
We will aim to record all the circumstances where we process personal data and the lawful basis for the processing in each case, in a Record of Processing Activities (RoPA).
Purposes of processing personal data
As a local authority, we have a duty to deliver certain services to you. In order to do this in an effective way, we need to collect and use personal information. We process personal information to enable us to provide a range of services to local people and businesses, which include:
- maintaining our own accounts and records;
- supporting and managing our employees and Councillors;
- committee meetings, including virtual meetings;
- registering and maintaining online customer accounts;
- promoting the services we provide;
- marketing our local tourism;
- carrying out health and public awareness campaigns;
- managing our properties;
- providing leisure and cultural services;
- carrying out surveys;
- administering the assessment and collection of taxes and other revenue including benefits and grants;
- licensing and regulatory activities;
- local anti-fraud initiatives;
- crime prevention and prosecution of offenders including the use of CCTV;
- corporate administration and all activities we are required to carry out as a data controller and public authority;
- undertaking research;
- the provision of all commercial services including the administration and enforcement of parking regulations and restrictions;
- the provision of all non-commercial activities including refuse collections from residential properties;
- internal financial support and corporate functions;
- managing archived records for historical and research reasons; and
- data matching under local and national fraud initiatives.
Occasionally, we may use personal data for a different purpose, providing that to use it for that other purpose is in an individual’s interests and does not infringe with their privacy rights. In which case, we will issue a new privacy notice, setting out the purpose of the new use and lawful basis, in advance of any processing. Where relevant, we will seek consent for the new processing activity.
The categories of personal data we process
We shall only process personal data necessary to carry out the required task. We will not ask for information which is not required.
The categories of personal data we process include:
- personal details;
- family details;
- lifestyle and social circumstances;
- goods and services;
- financial details;
- employment and education details;
- housing needs;
- visual images, personal appearance and behaviour;
- licenses or permits held;
- business activities;
- case file information.
We also process some sensitive classes of information that may include:
- ethnic origin;
- trade union membership;
- sex life;
- sexual orientation.
The sources of personal data we process
We process personal information on:
- employees and persons contracted to provide a service;
- complainants, enquirers or their representatives;
- professional advisers and consultants;
- students and pupils;
- carers or representatives;
- recipients of benefits;
- offenders and suspected offenders;
- licence and permit holders;
- traders and others subject to inspection;
- people captured by CCTV images;
- speaking members of public at committee meetings, including virtual meetings; and
- representatives of other organisations.
In some of the above circumstances, individuals are under a statutory or contractual obligation to provide personal information to us. Where this is the case, we will aim to make it clear in our privacy notices, at the point of data collection and in relevant contract clauses.
To ensure we are able to provide efficient and effective services, we will sometimes share information within the Council. If you choose the option of setting up an online account (‘My Account’) with us , we will match your personal data held by our different services, so that you can access as much of it yourself. Your online account will record any changes (such as change of address), so that you do not have to change your details for each of the different services we provide to you.
We will sometimes share personal information with our contractors and partners who support the delivery of our services. For example, we may share personal information with other councils, the Department for Work and Pensions, the Police and the Fire Service.
We will only ever share personal information where it is lawful to do so and where we are satisfied that our contractors and partners have adequate measures in place to protect it.
When sharing personal information externally, we will aim to use encryption and access controls, Information Sharing Agreements and Data Protection Impact Assessments where appropriate, to keep personal information secure.
We will never share your personal information for marketing purposes, without your express consent.
The country of processing
Normally, personal data held and processed by the Council will be stored and processed on servers based in the UK. However, it may sometimes be necessary to transfer personal information overseas. If needed, we may transfer information to countries or territories around the world. Any transfers made will be in full compliance with the GDPR, Data Protection Act 2018 and other privacy laws.
Retention of personal data
We aim to keep personal information for only as long as it is required (the retention period). Once we no longer require it, we will securely and confidentially destroy it. The law, or us, dictate retention periods, or for business reasons.
We have a Retention Schedule, which sets out the retention periods for each type of information we hold. It also details any relevant legislation, guidance and policy. All retention periods are minimums only and our records are reviewed at the end of the stated time.
You have certain rights in relation to your data, these are:
- The right to be informed - using privacy policies and notices such as this;
- The right of access - to any personal information the Council holds about you. To request a copy of this information, you will need to make a subject access request. Please see our Access to Information Policy for more details on how to do this;
- The right to rectification - we must correct inaccurate or incomplete data within one month;
- The right to erasure - you have the right to have your personal data erased and to prevent processing, under certain circumstances;
- The right to restrict processing - you have the right to restrict our processing of your personal information if you believe it to be inaccurate,
unlawful, or it is the case that we longer require it, but you do for legal purposes;
- The right to data portability - in situations where we require your consent to process your information and where that processing is carried out by automated means, we will provide you with your personal data in a structured, commonly used, machine readable form, when asked;
- The right to object - you can object to your personal data being used to make decisions about you based solely on automated processes (including profiling), for direct marketing or research purposes; and
- The right to withdraw consent - in circumstances where we require your consent to process your personal data, you will have the right to withdraw consent at any time.
When someone visits our website, we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of our website. We collect this information in a way which does not identify any individuals. We do not make any attempt to find out the identities of those visiting our website.
Complaints about the way we process personal data
You have a right to complain to us about the way we process your personal data and to the supervisory authority, the Information Commissioner’s Office.
If you wish to make a complaint about the way we process your information, you can have your complaint considered under the Council’s Complaints Procedure. To do this you will need to contact the Assistant Director Governance (Monitoring Officer) in writing or by email.
If you are dissatisfied with the way we have handled your complaint, you may contact the Information Commissioner's Office.
This policy will be reviewed by April 2022 in line with any changes to legal and regulatory requirements, relevant guidance and best practice. The review will be undertaken by the Assistant Director Governance (Monitoring Officer) and Information Governance Manager.