Privacy

We use the personal information we collect to:

• deliver services to you
• manage those services we provide to you
• recruit, train and manage the employment of our staff who deliver those services
• help investigate any worries or complaints you have about your services
• keep track of spending on services
• check the quality of services
• help with research and planning of new services

Where we can, we will only collect and use personal information if we need it for a specific reason, such as to deliver a service or meet a requirement. For example, in a survey we may not need your contact details, so we’ll only collect your survey responses.

If we use your personal information for research and analysis, we’ll always keep you anonymous, unless you’ve agreed that your personal information can be used for that research.

For the majority of the services we provide, the lawful basis for us holding and using the personal information we collect, is in order to carry out a Public Task. These are often tasks that are set out by legislation, which instruct Local Authorities on how and what services they must deliver. For example, if you are a resident in Hart then we may collect your personal details to assist you to access housing and wider support services as part of a Public Task.

There are some services we provide where you will have different rights about the information you provide. We will make these exceptions clear, but one example is signing up for e-mail alerts for planning applications, where we will ask for your consent. Further detail is provided about such exceptions in this Privacy Notice.

If you would like to find out more about the different lawful bases for use of your information, the Information Commissioner’s Office provides further detail.

To help with some of the wording of GDPR please see our UK GDPR terminology guide.

There are a number of legal reasons why we need to collect and use your personal information. Data protection law calls this the ‘lawful basis’ for processing.

Generally, we collect and use personal information where:

• you, or your legal representative, have given consent
• you have entered into a contract with us
• it is necessary to perform our statutory duties or to exercise our ‘official authority’
• it is necessary to protect someone in an emergency
• it is required by law
• it is necessary for employment purposes
• you have made your information publicly available
• it is necessary for legal cases or enforcement action
• it is in the public interest
• it is necessary to protect public health
• it is necessary for archiving, research, or statistical purposes

If we have consent to use your personal information, you have the right to remove it at any time.

As a Public Body we will often be processing your data to perform our statutory duties or to exercise our ‘official authority’, so consent will not be required in this instance and therefore cannot be withdrawn.

The law gives you a number of rights to control what personal information is used by us and how it is used. For full detail about all of the rights you have, view our guide to what you can do with your information.

1.    You can ask to be informed about the collection and use of your personal data 
2.    You can ask for access to the information we hold on you
3.    You can ask to change information you think is inaccurate
4.    You can ask to delete information (right to be forgotten)
5.    You can ask to limit what we use your personal data for
6.    You can ask to have your information moved to another provider (data portability)
7.    You can object to how your information is being used 
8.    You have rights in relation to automated decision making and profiling

We use a range of organisations to store personal information or help deliver our services to you. This means that we need to share your personal information to make sure that you can get access to the services you need. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.

Where necessary we may complete a Data Protection Impact Assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law.

We may also share your personal information:

• when there is a legal duty to do so
• in order to find and stop crime and fraud
• if there are serious risks to the public, our staff or to other professionals
• to safeguard the protection of a child to protect adults who are thought to be at risk

For all of these reasons the risk must be serious before we can override your right to privacy.

There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we’ll make sure that we record what information we share and our reasons for doing so. We’ll let you know what we have done and why, if we think it is safe to do so.

We’ll do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of security measures include:

• Encryption, meaning that information is hidden so that it cannot be read without special knowledge such as a password
• Pseudonymisation, meaning that we’ll use a different reference number or code so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was you
• Controlling access to systems and networks, for example by using password protection and secure firewalls. This allows us to stop people who are not allowed to view your personal information from getting access to it
• Regular testing of our technology and ways of working, including keeping up to date on the latest security updates
• Training for our staff allows us to make them aware of how to handle information and how to report when something goes wrong

The majority of personal information is stored on systems within the UK.

We’ll take all practical steps to make sure your personal information is not sent to an unsecure third country. A secure third country is one for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision.

There’s often a legal reason for keeping your personal information for a set period of time; we try to include all of these in our Retention and Disposal Schedule.

For each service the schedule lists how long your information may be kept for. This ranges from months for some records to decades, for more sensitive records. When data and information reaches the end of its retention period it will either be reviewed, securely disposed of or the personal data anonymised.