As a data controller we're committed to making sure we're transparent about how we use your personal information and we have the right controls in place to make sure it's used responsibly and kept safe from inappropriate access, theft or misuse. Being a data controller means that we're responsible for how your personal information is used and protected.
We collect, hold and process a large amount of information, including personal information about our customers. We do this to allow us to provide public services effectively. This notice explains how we use your personal information and tells you about your privacy rights and how the law protects you. Our service specific privacy notices have more detailed information about what personal information is collected, how it's used and the legal reasons for collecting it.
What personal information we collect
Personal information is any data relating to a person who can be directly or indirectly identified by that data. It's a wide definition and includes a number of things. Sensitive personal information is any information that relates directly to you. You should expect we'll keep a record of any contact you have with us.
The following is a list of personal information we might collect:
- Date of birth
- Physical description
- Identification number for example National Insurance number
- Location data or online identifier for example user name
- Internet Protocol (IP) address, a number that identifies each computer using the Internet
- Email address
The following is a list sensitive personal information we might collect:
- Ethnic origin
- Political opinions
- Trade union membership
- Sex life or sexual orientation
- Health data
Where a service area has specific information they collect the full list will be available in our service specific privacy notices.
We collect your information in both physical and digital formats through the following means:
- Face to face by a member of staff
- Online forms
Once you've given us your information we're responsible for what happens to it. We take our responsibilities seriously and make sure any personal information we collect and use is done proportionately, correctly, safely and in line with the law including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
How we use your personal information
We collect and use your personal information so we can provide services, regulatory functions and administrative activities. Which of those services or activities your personal information is used for depends on the reason you contact us but may include:
- Providing a service you have asked for
- Communicating and providing services and information appropriate to your needs
- Delivering health or social care services and protecting public health
- Preventing fraud and the protecting public funds
- Protecting you from harm or injury
- For law enforcement when we're legally obliged to undertake such processing, for example licensing, planning enforcement, trading standards and food safety
- The purpose you provided the information and monitoring our performance in responding to you and the quality of our services
- Helping to investigate any concerns or complaints and answering enquiries under access legislation
- Improving your customer experience and the experience of visitors to our websites
- Delivering services and providing support to you by ensuring other statutory, voluntary agencies or suppliers with whom we're working, are able to deliver ‘joined up’ services to you
- Where there is a substantial public interest and this is authorised by law
- Managing our employment relationships and duties including recruitment and ensuring the health and safety of our staff
- When it's in our legitimate interests or the interest of a third party who could be providing a service to you
- Making sure that the council meets all its legal duties and statutory functions and where it's necessary for exercising or defending legal rights
- Processing and monitoring financial transactions including collecting taxes, administering grants and welfare benefits
- Archiving, research and statistical purposes. This helps us to prioritise activities, target and plan when to provide services
Where we store your personal information
We store the majority of your information on secure servers within the European Economic Area (EEA). Some service areas may have contracts in place that require your information to be stored outside of the EEA. If this is the case then the details of whether your information will be transferred outside of the EEA will be outlined in our service specific privacy notices.
How long we store your personal information
We use a ‘corporate retention schedule’ outlining how long we keep certain types of information. Unless stated otherwise we only keep your personal information for as long as it takes to complete the job we needed your information for. We'll let you know in our area specific privacy notices if we're legally required to keep your information for any other length of time.
How we keep your personal information secure
We're committed to making sure your personal information is safe and protected from accidental loss or alteration, inappropriate access, misuse or theft. As well as technical, physical and organisational measures, we make sure our staff are well-trained, informed and security aware to minimise privacy risks from human error and threats from unauthorised access to your data.
We require the people we work with to implement appropriate security measures and only allow them to process your personal information for specific purposes under our instructions.
We're required to comply with the Data Protection Act 2018 to make sure information is managed securely and we review this every year as part of our Data Protection and Security Toolkit. The toolkit ensures that we're operating at an adequate standard in relation to data protection, confidentiality and security.
When we transfer your information beyond the European Economic Area (EEA)
We do not routinely share data with any organisation outside the UK, but our website is available across the internet and we communicate with applicants and stakeholders wherever they are.
If we do transfer your information beyond the EEA, we'll make sure that it's protected in the same way as if it was being used in the EEA. We'll only send your data outside the EEA:
- With your consent
- To comply with a lawful and legitimate request
- If we use service providers or contractors in non EEA countries
The reasons we share your personal information
We may disclose your personal information to other organisations who assist us in providing services or technical operations like storing data and hosting on our behalf.
These practical arrangements and the laws governing the sharing and disclosure of personal information often differ from one service to another. Because of this, each of our service specific areas provides additional information about how we collect and use your information.
When we use or share you information more widely, we ensure that you can't be identified when it's not necessary. We do this by anonymising and de-personalising your information by removing personal details as soon as possible.
When we make an automated decision about your personal information
Sometimes we make decisions using computerised systems or programmes that don't involve a human being. We call these automated decisions. If we process your personal information using an automated decision then our service specific privacy notices will contain the information about which decisions are automated. If you wish to have an automated decision reviewed by an appropriate officer then you can contact us.
What happens if you don’t want to provide your information?
If you decide not to provide the information we ask you for, we may not be able to perform the service you have asked us for such as paying you or providing a benefit. Alternatively we may be prevented from carrying out our legal duties such as ensuring the health and safety of our workers.
How to request your personal information
Under GDPR, you have certain rights when it comes to the use of your personal information. To make use of these rights you need to make a Personal Information Request.
How to request your personal information and your rights.
How to raise a concern about our use of your personal information
If you're not satisfied with how we have answered your request or have concerns about how we handled your personal information, please contact our Data Protection Officer (DPO) using the contact details at the top of this page. Also included is our Information Commissioner's Office registration number. When you contact our DPO we can consider your concerns as quickly as possible.
You also have the right to raise a concern on Information Commissioner's Office website
Changes to this privacy notice
We'll continually review and update this privacy notice to reflect changes in our services and feedback from customers, as well as to keep up with changes in the law. We keep a record of all changes to the privacy notice.