Privacy and Your Personal Information
The Council must look after your personal information by law. The main laws that applies to protecting your information are:
- General Data Protection Regulation (GDPR)
- Data Protection Act 2018 (DPA)
- Human Rights Act (Article 8) (HRA) .
Our information governance and information security policies are available below:
The Data Protection Officer for BCP Council is Vivien Bateman, Head of Information Governance. Contact: firstname.lastname@example.org.
If you have any queries or concerns about how your personal information please contact us via:
General Privacy Notice for the Council
This is our general Privacy Notice, which provides an overview of how we use and protect your personal information. For our service specific privacy notices, which provide additional information, please use the links from this webpage to the service or services you are interested in.
What is personal information and what do you hold?
Personal data only includes information relating to living people who:
- can be identified or who are identifiable directly from the information in question; or,
- who can be indirectly identified from that information, in combination with other information.
Personal information includes, for example:
- Date of Birth
- National Insurance Number
- Council Tax information
- Benefit entitlements
- Financial information, including bank details
- Housing information
- Licensing information
However, personal information must also relate to and concern an individual in some way; that is, it must be directly about and personal to the individual and their activities.
Special category information:
Some information is known as “special category” data and is given more protection by the law, because of its confidential or sensitive nature. It is information that is likely to be very personal to you and will include:
- ethnic origin
- political opinions or affiliation
- religious or other spiritual beliefs
- trade union membership
- biometrics (where used for ID purposes)
- physical or mental health
- sex life
- sexual orientation
- criminal offences, alleged offences or convictions
The categories or type of personal information we hold about you will vary according to the services you receive. You will provide a lot of this information to us yourself, but we will also obtain information from and share it with other individuals and public and private organisations (providers/contractors) that we work with.
What purposes do you use personal information for?
We collect and use your personal information to:
- deliver services and support to you and manage those services
- investigate concerns or complaints you may have
- process claims you may have made
- pay, manage and train our employees
- check the quality of our services, which may include conducting surveys
- prepare financial information and manage our spending
- prepare statistical information for reporting purposes
- undertake research to help to improve our services and plan future service delivery
The GDPR specifically says that we can use your personal information for the following additional purposes, because they are well-matched with the original purpose or purposes that we collected and used it for:
- archiving purposes in the public interest
- scientific and historical research purposes
- statistical purposes
What does the law say about using personal information?
We have a broad range of Acts and Regulations that require or allow us to deliver services to you. Some of the legislation covers the whole Council, for example Local Government Acts. Other legislation is specific to areas of service delivery, for example housing, planning, environment, education, children and adult social care Acts and Regulations.
This law gives us powers to collect and use your personal information.
As well as this law, we must also meet reasons or “conditions” that are in the GDPR/DPA 2018.
Conditions for personal information that is not “special category”:
The conditions that will most often apply to the Council are:
- Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
- Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract with you
- Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations)
There are other conditions that we may also use. These are:
- Consent: you have given consent for us to process your personal data for a specific purpose, or purposes
- Vital interests: the processing is necessary to protect someone’s life.
- Extra conditions for “special category” information:
There are extra reasons or conditions that apply for this category of information. The conditions that will most often apply to the Council are:
- Health or social care: the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
- Employment, social security or social protection: the processing is necessary for the carrying out of obligations under employment, social security or social protection law
- Legal purposes: the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- Public interest: the processing is necessary for reasons of substantial public interest
- Public health: the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices
There are other conditions we may also use. These are:
- Consent: you have given explicit consent to the processing of your personal information for one or more specified purposes
- Vital interests: the processing is necessary to protect your life or the life of any other person, where you are physically or legally incapable of giving consent
If you want to find out more about these reasons or conditions, please refer to the Information Commissioner’s website: https://ico.org.uk/your-data-matters/.
Do you always need consent to obtain and use personal information and can consent be withdrawn?
We do not often need to use consent, because we have other conditions or reasons that we can use that we have explained in this Notice. However, even if we do not use consent because we use other conditions, we will usually tell you about what we are doing with your personal information, which we will normally do through our Privacy Notices.
This does not mean we will never use consent. There will be times when it is necessary, or where we can still reasonably use consent and think it is best practice.
If we have obtained consent to use your personal information you have the right to withdraw it at any time. If a service delivery area is using consent as a condition to collect and use your information its Privacy Notice will tell you how you can withdraw your consent.
Who do you obtain information from and share it with?
A lot of the personal information we obtain and use we will get directly from you, but we also work with a broad range of other public, voluntary and private sector organisations. Our service area specific privacy notices will tell you which categories of organisations or agencies that information may be shared with by those areas, so their services can be delivered to you.
If we have obtained consent to use your personal information we may provide more detailed information about the organisations or agencies that we want to share information with.
Can you share my information without telling me?
Yes. There are some circumstances where we can lawfully share information and we are not obliged to tell you. These circumstances are known as “exemptions”. The exemptions we are most likely to use are for the purposes of:
- Crime prevention or detection (including fraud)
- Legal proceedings, or by Order of the courts
- Meeting an obligation by law; that is, we are obliged by law disclose information
- Regulatory functions that we are responsible for and which provide us with enforcement powers
- What rights do I have relating to my personal information?
- The law gives you rights relating to your personal information.
- The right to be informed (Privacy Notices)
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Rights in relation to automated decision making and profiling
The rights that are most likely to apply to the relationship you have with the Council are briefly explained below, but to find out more about all of your rights and how to exercise them please refer to the Information Commissioner’s Office website: https://ico.org.uk/your-data-matters/
Access to your information
You have the right to ask for the personal information we hold about you, this is called a Subject Access request.
Correcting information you think is inaccurate (rectification)
You can challenge the accuracy of personal data held about you by us and ask for it to be corrected or deleted. If your data is incomplete, you can ask us to complete it by adding more details. You don’t have to ask a specific person – you can contact any part of the Council with your request.
Erasure (right to be forgotten)
You can ask for your personal information to be erased (deleted), but this is not an absolute right.
You have the right to ask us to restrict what we use your personal information for in certain circumstances, but again this is not an absolute right.
How long do you keep personal information for?
For some of the information we hold there is legislation that sets out how long we must keep it for; we have to keep some types of information for very long periods of time. Where there is no legislation, the length of time we keep information will be based on our business needs and best practice guidance.
Our service specific privacy notices provide more information about how long we retain information in the different areas of service delivery.
How do you keep personal information safe?
We must keep your information safe and secure. To find out more please refer to our Information Security policy.
Do you transfer personal information outside of the UK?
Most of your personal information is stored on systems in the UK, but there may be some occasions where your information leaves the UK. This may be because it is stored in a system outside of the European Economic Area (EEA), or we need to send it to an organisation that is outside of the EEA.
We must have additional protections on your information if it leaves the UK. These range from secure ways of transferring data, to making sure we have robust contracts in place with organisations who hold information for us.
National Fraud Initiative
BCP Council is engaged with the National Fraud Initiative which is an exercise that matches electronic data between public and private sector bodies to prevent and detect fraud. This is a government backed initiative to protect public funds. If you would like to know how your information is used in this initiative please go to NFI Privacy
Who can I make a complaint to, or get further advice from?
If you wish to make a formal complaint about how your personal information has been used, we would encourage you contact us first through our complaints procedure.
You can also seek independent advice and/or submit a complaint about data protection, privacy and data sharing issues directly to the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)