We are committed to protecting your personal data and privacy and to complying with all the requirements of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and other privacy laws.
Personal data is any information that can identify a living individual, so it could be your name, address, bank account details, or even your IP address. There are also ‘special categories’ of personal data, otherwise known as ‘sensitive personal data.’ These include; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric and health data, sex life or sexual orientation.
We only process personal information for specific purposes, for the efficient and effective delivery of our services. ‘Processing’ includes the collection, use, storage, disclosure and deletion of information.
Eden District Council is registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration reference: Z6208207
There may be instances where data is shared with another party as Joint Data Controllers, or where the Council is operating as a Data Processor for another party.
Data Protection Officer
We have a designated Data Protection Officer (DPO), who is our point of contact with the ICO. The DPO is responsible for advising the Council, its contractors and partners on their data protection responsibilities, for assigning responsibilities, monitoring compliance, ensuring appropriate awareness and training and for undertaking and complying with data protection audits.
Our Data Protection Officer is:
Deputy Chief Executive
Eden District Council
Cumbria CA11 7QF
The data protection principles
We will seek to comply with the GDPR data protection principles:
- Lawful, fair and transparent - process all personal information lawfully, fairly and in a transparent manner.
- Purpose limitation - collect personal information for a specified, explicit and legitimate purpose.
- Data minimisation - ensure the processing of personal information is adequate, relevant and limited to the purposes for which it was collected.
- Accuracy - ensure personal information is accurate and up to date.
- Storage limitation - keep personal information for no longer than is necessary for the purpose(s) for which it was collected.
- Integrity and confidentiality - keep personal information securely, using appropriate technical or organisational measures.
The lawful basis for processing personal data
The first data protection principle requires us whenever we process personal data to do so lawfully. As a local authority, most of our processing is for; ‘the performance of a task carried out in the public interest or in the exercise of official authority,’ otherwise known as ‘public task.’ This means that in most circumstances, we do not require consent to process and share your personal data with our contractors or partners.
There are a limited number of situations where we require your consent, such as emailing newsletters to residents and businesses. Occasionally we may require consent when additional information (which is not essential to deliver a service to you) may provide further assistance in supporting an application you may make to the Council. Where this is the case, we will make it clear that consent is needed and you will have the right to withdraw consent at any time.
Sometimes we will process personal data for other reasons, such as for the performance of a contract, to comply with a legal obligation or in a person’s vital interests.
Whenever we collect your personal data, we will aim to inform you of the particular lawful basis that applies in a privacy notice. So for example, if you are completing one of our forms to request a replacement green box for recycling, we will tell you that we are collecting your personal data for the lawful basis known as ‘public task.’
We will aim to record all the circumstances where we process personal data and the lawful basis for the processing in each case, in a Record of Processing Activities (RoPA).
Purposes of processing personal data
As a local authority, we have a duty to deliver services to you. In order to do this in an effective way, we need to collect and use personal information about you. We process personal information to enable us to provide a range of services to local people and businesses, which include:
- maintaining our own accounts and records;
- supporting and managing our employees;
- promoting the services we provide;
- marketing our local tourism;
- carrying out health and public awareness campaigns;
- managing our properties;
- providing leisure and cultural services;
- carrying out surveys;
- administering the assessment and collection of taxes and other revenue including benefits and grants;
- licensing and regulatory activities;
- local anti-fraud initiatives;
- crime prevention and prosecution offenders including the use of CCTV;
- corporate administration and all activities we are required to carry out as a data controller and public authority;
- undertaking research;
- the provision of all commercial services including the administration and enforcement of parking regulations and restrictions;
- the provision of all non-commercial activities including refuse collections from residential properties;
- internal financial support and corporate functions;
- managing archived records for historical and research reasons; and
- data matching under local and national fraud initiatives.
Occasionally, we may use your personal data for a different purpose, providing that to use it for that other purpose is in your interests and does not infringe with your privacy rights. In which case, we will issue a new privacy notice, setting out the purpose of the new use and lawful basis, in advance of any processing. Where relevant, we will seek consent for the new processing activity.
The categories of personal data we process
We shall only process data which is required to carry out the required task. We will not ask for information which is not required.
The categories of personal data we process include:
- personal details;
- family details;
- lifestyle and social circumstances;
- goods and services;
- financial details;
- employment and education details;
- housing needs;
- visual images, personal appearance and behaviour;
- licenses or permits held;
- business activities; and
- case file information.
We also process sensitive classes of information that may include:
- ethnic origin
- trade union membership
- sex life
- sexual orientation
The sources of personal data we process
We process personal information on:
- staff and persons contracted to provide a service;
- complainants, enquirers or their representatives;
- professional advisers and consultants;
- students and pupils;
- carers or representatives;
- recipients of benefits;
- offenders and suspected offenders;
- licence and permit holders;
- traders and others subject to inspection;
- people captured by CCTV images; and
- representatives of other organisations.
In some of the above circumstances, individuals are under a statutory or contractual obligation to provide personal information to us. Where this is the case, we will make it clear in our privacy notices, at the point of data collection and in relevant contract clauses.
To ensure we can provide you with efficient and effective services, we will sometimes share your information within the Council. If you choose the option of setting up an online ‘My Eden Account’ with us (under our Contact Eden scheme), we will match your personal data held by our different services, so that you can access as much of it yourself. Your online account will record any changes (such as change of address), so that you don’t have to change your details for each of the different services we provide to you.
We will sometimes share your personal information with our contractors and partners who support the delivery of our services. For example, we may share your personal information with; other councils, the Department for Work and Pensions, the Police and the Fire Service.
We will only ever share your information where it is lawful to do so and where we are satisfied that our contractors and partners have adequate measures in place to protect your personal information.
When sharing your information externally, we will use encryption and access controls, Information Sharing Agreements and Data Protection Impact Assessments where appropriate, to keep your personal information secure.
We will never share your information for marketing purposes, without your express consent.
The country of processing
Normally, personal data held and processed by the Council will be stored and processed on servers based in the UK. However, it may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with the GDPR and other privacy laws.
Retention of personal data
We will only keep your information for as long as it is required to be retained (the retention period). Once your personal information is no longer required, it will be securely and confidentially destroyed. Retention periods are either dictated by law or at our discretion, for business reasons.
We have a Retention Schedule, which sets out the retention periods for each type of information we hold. It also details any relevant legislation, guidance and policy. All retention periods are minimums only and our records are reviewed at the end of the stated time.
You have certain rights in relation to your data, these are:
- The right to be informed - using Privacy Policies and Notices such as this;
- The right of access - to any personal information the Council holds about you. To request a copy of this information, you will need to make a subject access request. Please see our Access to Information Policy for more details on how to do this;
- The right to rectification - we must correct inaccurate or incomplete data within one month;
- The right to erasure - you have the right to have your personal data erased and to prevent processing, unless we have a legal obligation to process your personal information;
- The right to restrict processing - you have the right to restrict our processing of your personal information if you believe it to be inaccurate, unlawful, or it is the case that we longer require it, but you do for legal purposes;
- The right to data portability - in situations where we require your consent to process your information and where that processing is carried out by automated means, we will provide you with your personal data in a structured, commonly used, machine readable form, when asked;
- The right to object - you can object to your personal data being used to make decisions about you based solely on automated processes (including profiling), for direct marketing or research purposes; and
- The right to withdraw consent - in circumstances where we require your consent to process your personal data, you will have the right to withdraw consent at any time.
Complaints about the way we process personal data
You have a right to complain to us about the way we process your personal data and to the supervisory authority, the Information Commissioner’s Office.
If you wish to make a complaint about the way we process your information, you can have your complaint considered under the Council’s Complaints Procedure. To do this you will need to contact the Deputy Chief Executive in writing or by email:
Deputy Chief Executive
Eden District Council
Cumbria CA11 7QF
If you are dissatisfied with the way we have handled your complaint, you may contact the Information Commissioner's Office:
Information Commissioner’s Office
Cheshire SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
When someone visits our website we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of our website. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website.