Corporate privacy notice
Privacy notices explain how we collect, use and share your information, how we keep it safe, how long we keep it and how we will dispose of it when we no longer need it.
The council must collect and share your personal information in order to provide the services you require. The council is required to hold certain data by law in line with the Data Protection Act and General Data Protection Regulations.
What is a data controller and who are they?
A data controller is a person or organisation who processes personal data about other data subjects (individuals like you, as a service user or member of staff of the council). They are responsible for keeping it safe and only using it as the law allows.
All data controllers in the UK must register with the Information Commissioners Office (ICO). They must keep records of what data they process, what allows them to do so, how it is used, if it is shared (and with who), how it is stored, how long legally they can keep it and how and when it will be securely destroyed.
This information is usually kept in a document called a record of processing activities or ROPA (sometimes referred to as an information asset register). The council’s ROPA can be requested; contact the Data Protection Officer. West Northamptonshire Council is registered as a data controller with the ICO under the current data protection legislation because we collect and process personal information about you.
What is personal data?
Personal data is defined in the General Data Protection Regulations (GDPR) as any information which can be used to identify a living individual. If we can identify someone, directly or indirectly, ie you could combine it with other data to determine who it’s about, then it’s personal data.
It includes things like your name, email address, contact details, photographs, location and IP address data, financial information, social media profiles, cookie identifiers, and any other data that may be used to identify you. As an organisation, we don’t process all of these, but they are all classed as personal data.
What is special category data?
In addition to personal data like the types shown above, there is a more sensitive grouping known as special category data.
This includes information about your medical history and concerning your health, trade union membership, information about your sexual life, genetics data and biometrics (where used to identify you), and information that reveals your racial or ethnic origin, your political opinions, and your religious or philosophical beliefs.
Again, as an organisation, we don’t process all of these but they are all classed as special category data.
It applies to all personal data and special category data that we hold and process, including data held and processed on our behalf by processors we have specifically chosen to carry out particular tasks for us using personal data. It includes all electronic and paper records and relates to current and archived data.
The council has chosen to use a tiered approach to providing information to customers and staff about how we use your data. This policy outlines our overall approach to privacy and managing personal data. Each individual service will have a specific privacy notice which will give details of how data is processed in delivering that service. They will also be provided to you when you first make contact with that service or team.
These principles are there to protect you and they make sure that we:
- process all personal information lawfully, fairly and in a transparent manner
- collect personal information for a specified, explicit and legitimate purpose
- ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected, or compatible with this purpose
- ensure the personal information is kept accurate and up to date
- keep your personal information for no longer than is necessary for the purpose(s) that we collected it for
- keep your personal information secure using appropriate technical and/or organisational measures
We use this information to:
- deliver public services and confirm your identity to help us deliver some of those services
- contact you by phone, text, post or email
- understand your needs so we can provide the services you request
- understand what we can do for you, and with your consent, inform you of other services which may be relevant (this activity may include the use of profiling and automated decision making)
- obtain your opinion about our services and our development plans
- maintain an accurate customer record for you
- help us to understand our performance and ensure we are delivering services well and to meet the needs of our customers
- prevent and detect fraud and corruption in the use of public funds
- undertake statutory functions effectively and efficiently
Further information can be found about what each service does with the data they hold in the service privacy notices.
This may include information about you and other members of your household, your address and contact information, and where appropriate (ie for council tax or benefit claims) financial and banking details.
If you give us permission, we may also collect location data, cookies and online identifiers and other relevant information that allows us to provide you with details of other services that may be useful to you.
We may process more sensitive information, also known as special categories of personal data, about you. This may include information which may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
This data will only be used where we can show we meet the necessary conditions for processing set out in the GDPR/Data Protection Act 2018 and will only be processed to meet a defined need. For further information on our processing of Special Category data, please see the Appropriate Policy Document on our policies page, and our individual service privacy notices.
This information is collected online, via emails that you send to us, in the letters you write to us, or when you phone us or visit our offices/outreach locations, including images captured on council CCTV systems (NB: CCTV also covers body worn cameras and other recording equipment).
Your information might also be provided to us by another organisation or partner. Sometimes this is because you have contacted them when it should have been sent to us, or it may be because you have asked them to act on your behalf (like your Councillor). We may also receive your information from our partners if they feel you need our support/intervention and the law allows them to do so.
We may receive your data from agencies who we work with to prevent and detect fraud and crime, where the law permits us to do so.
We may collect information from social media, where information has been made public, where you have given us permission to do so, where the law allows, or if you post on one of our social media pages.
If you have an online account with us, you will be able to see the questions, comments and issues you have raised with us:
- via our online form or email to customer services
- through our customer service staff who answer our phones and manage our customer service centres or outreach locations
Generally, we collect and use personal information where:
- you have requested a service from us
- it is necessary to meet our legal obligations
- you have entered into a contract with us
- it is necessary to protect public health
- it is required for the defence of legal cases
- it is needed for employment purposes
- you, or your legal representative, have given us your consent
- you have made your information publicly available
- it is necessary for law enforcement reasons and to prevent, and detect fraud or crime
- we need to protect individuals from harm (in an emergency), or
- it is necessary for archiving, research, or statistical purposes - for these purposes your data would be used in a pseudonymised format (name and other identifying information replaced with a unique number)
- we need to manage meetings, appointments, and attendance
If you have given us your consent we may contact you about other services appropriate to your needs (this type of processing may involve profiling/automated processing).
We may also use your personal information to monitor/improve our performance in responding to your request and to assist in service planning to ensure our services meet our customers' needs.
Web statistics about your visit to our site are collected automatically. This information is used to help us follow browsing preferences so that we can regularly improve our website. These statistics do not contain personal data.
If your experience would be improved by our website knowing your location, we will ask permission to obtain your current location from your device. This can include coordinates, direction of travel and the time the data was recorded. This location data is not tracked and is used in providing specific service requests.
If we rely on your consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact the Data Protection Officer and tell us which service you are using so we can deal with your request.
Where the council is legally required to retain your information we may not be able to delete your data and we will advise you of what is being retained and why.
We may also be legally required to share your personal data with law enforcement bodies such as the police, government authorities and other organisations, for the prevention and detection of crime or fraud.
If you do not wish certain information about you to be exchanged within the Council, you can request that this does not happen; contact our Data Protection Officer, although this may affect our ability to provide some services.
We do not share your personal information with any third parties other than those who deliver services on our behalf, who have been carefully selected to do so, or where the law requires us to.
We will only share the minimum necessary information and will always consider your rights before we decide to share your information.
We will always ensure we keep your information safe and secure while it is in our care, and while in transit to our service providing partners or other agencies we are required to share it with.
We carry out checks to ensure our partners and service providers apply the same level of care and security to the data we pass to them. We are explicit with our partners/service providers that they may only use your data to provide the services you requested. However, we may provide your personal information to partners/other organisations where it is necessary, either to comply with the law, or where data protection law permits us to (for example to prevent or detect crime or to protect you).
We will not disclose any information you provide to us “in confidence” without your permission unless we are required to by law or if we have good reason to believe that not sharing the information would put you or someone else at risk.
If we need to share your sensitive personal information including medical details or other confidential information we will only do this with your express consent or where we are legally required to do so. We may disclose information to prevent harm to an individual.
We will never share your information with third parties for marketing or sales purposes or for any commercial use without your express consent unless the law requires us to do so.
We do not buy or sell any personal data, unless the law requires us to.
Staff are encouraged to ensure we keep your data up to date and accurate.
We also encourage you to contact us to let us know if your information has changed.
We are obliged to do this on request and will only do this to verified agencies or where we have a contract and relevant information sharing agreement in place.
We will only share necessary information and will always do this using secure channels.
We know you need to give us your information for us to provide you with services, and often because you are required by law to give it to us. That makes it even more important that we treat it with the utmost of care and respect and data security is a key part of this.
We keep our systems secure so you can be confident in our ability to look after it. We are subject to regular testing to ensure we meet government minimum standards of security and we strive to exceed these standards where possible. We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.
Electronic data is stored on secure systems and we control who has access to information (using both physical and electronic means).
We ensure all of our contractors who need access to your data to deliver services are meeting the same standards as we do as a minimum. We regularly review our arrangements with them to ensure they keep us up to date on any changes or improvements to their systems and processes. They are also obliged by law to let us know if they have a breach involving the personal information of our staff or customers.
When we do share your data, we do it via secure channels and will not share more than is necessary for the task.
If we are collecting sensitive personal information about you, we will take extra care to ensure your personal information and privacy rights are protected.
Our staff all attend regular data protection training and are all aware of their role in keeping your data secure. We employ a Data Protection Officer (DPO). It is their role to ensure the organisation are provided with the right information and advice on complying with the laws around data protection, they are also there to support you in engaging your rights and addressing your concerns. All staff and customers are actively encouraged to contact the Data Protection Officer for advice if needed.
We have a breach management procedure to ensure if something does go wrong we manage the situation appropriately and contact you to explain what has gone wrong, what we are doing to fix it, and your rights.
All electronic forms that request financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a credit card to pay we will pass your credit card details securely to our payment provider. Other payment methods are handled in a similar manner. The Council complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details.
We cannot guarantee the security of your home computer or the internet, and any online communications (eg information provided by email or via our website) are at the user’s own risk.
This process means that our staff and partners consider your privacy from the outset of any new piece of work and continue to review its likely impact throughout the life of the project.
Data Protection impact assessments for major projects where there is significant potential impact on data privacy are also provided to our council committees for consideration, to allow effective decision making around council policy and new work.
For example, some of our systems use Microsoft products. As an American company, it may be that using their products result in personal data being transferred to or accessible from the USA. However, we will allow this as we are certain personal data will still be adequately protected.
Our Data Protection Officer is employed to support members of the public in understanding and exercising their rights.
While we would prefer to receive your request in writing you can also contact us in person, by phone, email or social media channels. If you have any queries about access to your information, please contact the Data Protection Officer.
Please be aware we may require additional identification to verify who you are or evidence you have the appropriate authority to make the request.
We will answer your request within one calendar month of acknowledgement (we may need further information from you to clarify your request, expectations and confirm your identity to ensure we provide what you need and only to you or a third party you have authorised). We can extend the deadline for up to three calendar months for more complex requests. We will let you know if this is the case.
There is usually no charge for accessing your information and where possible we will provide it to you in an electronic format unless your request another format.
What are my ‘rights’?
15.1. Your right to be informed
We will keep you informed about how your personal information is used by us via privacy notices like this one. It would be impossible for us to put all the information about how we use your data across the various teams and services the council operates in one document.
The council have adopted a tiered approach to privacy. This means that in addition to this notice, which explains broadly how we will use your data, when you contact the council for the first time about a new service we will provide you with information about how we use your data to provide that specific service. This may be done electronically (on an e-form, by response email), on the phone (verbally, using a pre-recorded message) or in writing (on a paper form or letter). All service privacy notices are also held in this section of the website for your information.
15.2. You can ask for access to the information we hold on you (right to see)
You have the right to ask the council for the information we have about you. When we receive a request from you, we must give you access to everything you have asked for, if we hold it. This applies to personal information that is in both paper and electronic records.
However, we cannot let you see any parts of your record which contain:
- confidential information about other people
- data likely to cause serious harm to your or someone else’s physical or mental wellbeing
- information that, if provided, may stop the prevention or detection of a crime
If you have any queries about access to your information, please contact the Data Protection Officer.
We will answer your request within one calendar month of acknowledgement (we may need further information from you to clarify your request, expectations and identity to ensure we provide what you need and only to you or a third party you have authorised).
There is no charge for accessing a single copy of your information and where possible we will provide it to you in an electronic format unless your request another format.
15.3. You can ask to change information you think is inaccurate
You should let us know if you disagree with something written on your file.
We may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
Please contact the Data Protection Officer to inform us of any inaccuracies.
15.4. You can ask to delete information (right to erasure)
In some circumstances you can ask for your personal information to be deleted, for example:
where there is no current legal reason for the use of your information;
- where your personal information is no longer needed for the reason it was collected in the first place
- where you have removed your consent for us to use your information (and we have no other legal reason to use it)
- where deleting the information is a legal requirement
Where your personal information has been shared with others, we will take steps to make sure those using your personal information comply with your request for erasure.
Please note that we cannot delete your information where:
- we are required to have it by law
- it is there for public health purposes
- it is for, scientific or historical research, or statistical purposes where it would make information unusable
- it is necessary for legal claims
15.5. You can ask to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where you have identified inaccurate information, and have told us about it.
When information is restricted, it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it is for important public safety in the UK.
Where restriction of use has been granted, we will inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any council service. However, if this request is approved, this may cause delays or prevent us delivering that service.
Where possible we will seek to comply with your request, but we may need to hold or use information because we are required to by law.
15.6. You can ask to have your information moved to another provider (data portability)
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However, this only applies if we are using your personal information with consent or as part of the performance of a contract we have with you (not if we are required to use your data by law). It is likely that data portability will not apply to most of the services you receive from us.
15.7. Your right to object and your rights around automated decisions and profiling
You can object to your personal data being used for profiling, direct marketing or research purposes.
You can ask to have any computer made decisions explained to you, and details of how we may have 'risk profiled' you.
You have the right to question decisions made about you by a computer, unless it is required by law, or you have consented to it.
You also have the right to object if you are being 'profiled'. We only use your personal information to profile you with your express consent, in order to deliver the most appropriate services to you.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer.
Who to contact
If you would like further information about how we use your personal information, or you wish to exercise one of your data rights or you wish to complain about the use of your personal information please contact the Data Protection Officer.