Corporate Privacy Statement
In order to meet our responsibilities as a local authority, we collect, hold and process considerable amounts of personal data. The personal data you supply to us is processed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
We understand the importance of ensuring that personal data is always treated lawfully and appropriately and that the rights of individuals are upheld.
This corporate privacy statement summarises our approach to ensuring personal data is collected and processed fairly, lawfully, securely and with respect for individuals' rights.
What we mean by personal data
Personal data is information that relates to a natural living individual who can be either:
- identified from that data, or
- identified from the information combined with any other information that is in the possession of the person or organisation holding the information
Basic personal data includes name, address, date of birth, telephone numbers, and bank account details.
Special category personal data (sensitive personal data) includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, physical or mental health conditions, sex life or sexual orientation.
Our Data Processing Registration
All organisations that collect and then use (process) the personal data defined above must register with the Information Commissioner's Office (ICO). We have had a continuous registration since the first Data Protection Act in 1984.
Our current registration number is Z5256045. See our full registration. Here you can see the reasons why we collect data, the types of personal data we collect and from whom, and the partners and other organisations with whom we share the data.
Below is a summary of the main areas of data collection at the council. See the links to specific departmental privacy notices, which go into much more detail about the personal data they collect and process.
We are required to collect, use and hold personal data about individuals. Data is required for the purposes of carrying out our statutory obligations, delivering services and meeting the needs of individuals that we deal with. This includes current, past and prospective employees, service users, members of the public, members of the council, our business partners and other local authorities or public bodies.
We may collect personal information from you in all of the following ways:
- paper, electronic or online forms
- body worn cameras
- use of audio monitoring equipment
- website, or
- face to face, with one of our employees, or one of our partners
Sharing your personal data
To ensure that we provide you with an efficient and effective service we will sometimes need to share your information between teams, as well as with our partner organisations.
We may disclose your information to others, but only where this is necessary, either to comply with our legal obligations or, as permitted by the GDPR, other data protection legislation or statutory guidance. This includes for the purpose of the prevention and/or detection of crime, or where it is necessary to allow a third party working for or acting on our behalf, to provide a service.
This authority is required by law to protect the public funds it administers. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud, such as national data matching exercises like the National Fraud Initiative (NFI).
We will never share your information for marketing purposes or sell your information to a third party.
You have the following rights in respect of the personal data we hold and process about you:
- You have the right to be informed via privacy notices such as this.
- You have the right to request access to and to receive a copy of any information we hold about you (including in an electronic format) - to request a copy of this information you must make a subject access request in writing to the DPO.
- You have the right to rectification if you find that the data we hold about you is no longer accurate.
- You have the right to be told if your personal data is subject to automated decision making or profiling.
- You may request that we stop processing your personal data in relation to any council service (this may delay or prevent us delivering a service to you; we will seek to comply with your request but may be required to hold or process information to comply with our legal duties).
- You also have rights to object, to portability, to erasure (under certain conditions) and to restrict processing.
- You have the right to be told if your personal data has been subject to a data breach, loss or misuse.
To exercise any of these rights please contact the Data Protection Officer.
You also have the right to make a complaint to the Information Commissioner's Office (ICO). This is an independent body responsible for making sure that organisations comply with Data Protection legislation. The ICO will always expect you to have raised your concerns with us before submitting a complaint.
Using your personal data
We will only use your personal information when we have a legitimate basis for doing so and will process it in a fair and lawful way, including in the following circumstances:
- to allow us to communicate with you and provide services that are appropriate for your needs
- to plan, monitor and improve the performance of those services
- where we exercise our enforcement functions; for example, licensing, planning, private sector landlords and health and safety
- when undertaking legal proceedings, including prosecutions by us
- to process financial transactions such as payments and benefits, including where we are acting on behalf of other government bodies, e.g. the Department for Work and Pensions
- to prevent and detect fraud and other crimes including but not limited to CCTV surveillance, whistleblowing and data matching
- in order to protect individuals from harm or injury
- to ensure that we fulfil our duties under the general law including those imposed under the Equality Act 2010, the Health and Safety Acts, the Local Government Act 2000 and Public Sector Internal Audit Standards
Our employees and members will have access to personal data only where it is required in order to fulfil their role. In the main, personal data will be held on secure computer networks with appropriate layers of security. Access is controlled by authorised usernames and passwords and, where appropriate, 3rd level authentication into separate systems.
Where there is a suspected breach of security, data loss or cyber attack, our Data Protection Officer (DPO) will investigate and manage any follow-up actions necessary to report the incident and coordinate our response.
- Council employees and members must report any suspected data breaches to the DPO.
- Council employees and members must use appropriate levels of security to store or share personal data. Passwords must not be shared and any personal data not held on our computer network must be encrypted.
- When new projects involving personal data are being developed, Data Privacy Impact Assessments (DPIAs) will be carried out by the project manager and reviewed by the DPO in order to assess and mitigate any privacy risks.
A personal data asset register and personal data process maps will be maintained by the DPO, identifying:
- all personal data held
- where it is held
- security measures used to restrict access
- how the data is processed
- what teams or individuals have access to it
- who has overall responsibility for the data
Departmental privacy notices
We will shortly publish a full list of the departments that have published a specific privacy notice because they process significant amounts of personal data.
Consultation Data Privacy Notice
Most consultations and surveys are completely anonymous and do not ask for any personal data (e.g. name, contact details). Where personal data is asked for (for example to help us to analyse the responses to the consultation) it will be anonymised before any public use.
Your data will be retained only for as long as necessary, after which it will be securely destroyed and/or permanently deleted. In most cases this is no more than 2 years; however, there are a few exceptions such as Community Governance Reviews and local plan consultations.
We will not use any information to identify or contact you unless this is clearly specified. You will always be given the option to opt in or out of the current and future consultations.
The Data Protection Officer
For more information about how we manage your personal data please contact the Data Protection Officer.
By phone: 01604 83 8536
By post: The Data Protection Officer, Northampton Borough Council, The Guildhall, St Giles Square, Northampton, NN1 1DE.