Bath and North East Somerset Council is registered as a Data Controller with the Information Commissioner’s Office (ICO). This includes general information about the types of personal data we process, what we use it for, and who we share it with.
The processing of personal data in the United Kingdom is governed by legislation including the Data Protection Acts (1998 and 2018), General Data Protection Regulation (the “GDPR”), and other legislation relating to personal data and rights such as the Human Rights Act.
Under the GDPR we are required to provide Privacy Notices to inform people about the personal data we will use, how we use it and for what purposes. There are exceptions to the data protection laws which require us to share personal data wherever necessary for the purposes of safeguarding, law enforcement and prevention of fraud.
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself or by combining it with other information.
The personal data processed by the council in order to perform its official tasks includes:
- Names, titles, aliases, and photographs
- Contact details such as telephone numbers, addresses, and email addresses
- Gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition, and dependants
- Social care records for adults and children in our care
- Financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers
The personal data we process also includes sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health records, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, and data concerning sexual life or orientation.
These types of data are described in the GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
We process special categories of personal data in the following circumstances:
- For the provision of social care to children and adults
- Where it is needed in order to carry out our specific legal obligations.
- Where it is needed for a matter of substantial public interest (such as in the case of a threat to public health)
Sometimes we may process this type of personal data in relation to legal claims or to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent. This also applies where you have already made the information public.
The Council currently uses personal data for the following purposes:
- To deliver public services including to understand your needs, to provide the services that you request, and to understand what we can do for you and inform you of other relevant services
- To confirm your identity
- To contact you
- To help us to build up a picture of how we are performing
- To prevent and detect fraud and corruption in the use of public funds and, where necessary, for law enforcement functions
- To enable us to meet all legal and statutory obligations and powers including any delegated functions
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice, from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments, and as necessary to protect individuals from harm or injury
- To protect the use of public funds
- To maintain our own accounts and records
- To seek your views, opinions or comments
- To notify you of changes to our facilities, services, events and staff, councillors and other role holders
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives
- To process relevant financial transactions including grants and payments for goods and services supplied to the council
- To allow the statistical analysis of data so we can plan the provision of services
The Council will only retain and store your data for as long as it is needed for the purpose for which it was collected, or as required by the law, or as dictated by best practice as recommended by the Information and Records Management Society (IRMS).
We will keep some records permanently if we are legally required to do so. We may keep some other records for an extended period of time. For example, it is currently best practice to keep financial records for a minimum period of 8 years to support HMRC audits or provide tax information. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example, 3 years for personal injury claims or 6 years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. We will endeavour to keep data only for as long as we need it, and this means that we will delete it when it is no longer needed.
The council is a public authority and has certain powers and obligations. Most of your personal data is processed under our “official authority”. This means that it relates to local government responsibilities which have been established in legislation. When exercising these powers or duties, it is necessary that we process personal data of residents or people using the council’s services. We will always take into account your privacy interests and rights.
We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy. This also includes the use of your data if you are a council member of staff.
When you are asked to consent to a data controller’s use of your personal data this implies the controller is relying on “consent” as the legal basis for such use. The GDPR introduces new rules about relying on consent.
Consent may not be used as the legal basis for processing your personal data if:
- You do not have a free choice
- You have not been provided with relevant privacy information (what personal data may be used, how, and why)
- Refusing consent may have a negative impact on you (this is the case where consent is a condition of receiving the service you want)
- There is an imbalance of power between the person and the organisation requesting the consent. This is likely when the organisation is a public authority (such as the council)
- The GDPR provides a more appropriate basis for processing (such as for processing by public authorities in the exercise of their tasks).
The Council does not generally request consent for using your personal data as, in accordance with the rules above, it is not a valid legal basis for processing involved in carrying out our official functions and tasks.
We will request your consent for us to provide the actual support service we may be offering you. This choice should be informed with relevant privacy information and we will always tell you about how and why we will use your information to provide the service before you decide whether you agree to receive it.
As part of the council’s statutory functions and official tasks, we may share personal data with other public authorities such as the police, health authorities, government departments and schools.
In order to deliver support and services to you we also work with:
- Community groups and volunteers
- Other not for profit entities
We may share personal data with other local authorities or not for profit bodies with which we are carrying out joint ventures e.g. in relation to facilities or events for the community.
We only share sensitive personal data in limited circumstances, where we are required to do so by law or where it is necessary to fulfil our statutory obligations. This includes providing a range of public sector services for your health and social care, and the safeguarding of vulnerable children and adults. The sharing of personal data will include the linking of data sets held by the council, the NHS, and other public sector partners to comply with our statutory duties and to provide joined up services.
Your personal information may be shared with external service providers, contracted to act on our behalf, in order to provide the public services and support you have requested from us. We will only share information which is relevant and necessary for the provision of the service.
The council relies on various suppliers and service providers who process data on our behalf. These companies are “data processors” for the council. This means we instruct them, under contract, on their use and treatment of the personal data we are responsible for.
We must also ensure they have adequate security measures in place to keep the information safe. We will not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior and explicit consent.
We must protect public funds and may use personal information and data-matching techniques to detect and prevent fraud, to ensure public money is targeted and spent in the most appropriate and cost-effective way. To achieve this, information may be shared with other bodies responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the police.
We may also use personal information to identify and assist individuals whose vital interests are threatened, and/or who need additional support during emergencies or major incidents, for example emergency evacuation.
The council is committed to adhering to the principles established in data protection law in its use of personal data. This means the use of your data should be:
- Lawful and transparent
- Used for the specified purpose (collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes)
- Accurate and up to date
- Kept only as long as necessary for the purposes we have told you about and any other legal requirements we have
- Secure from unauthorised access, misuse or loss
We reserve the right to monitor and record electronic communications (website, email and phone conversations). There are a number of reasons why we may do this including staff training, and recording conversations for detection, investigation and prevention of crime. We will inform you if your call is being recorded or monitored.
Any email sent to us, including any attachments, may be monitored for security reasons and to make sure it complies with our information governance policy. You have a responsibility to make sure any email you send to us is within the bounds of the law. Emails that we send to you or you send to us may be retained as a record of contact, and your email address stored for future use in accordance with our record retention schedule.