Corporate privacy notice

What is a data controller and who are they?

A data controller is a person or organisation who processes personal data about other data subjects. They are responsible for keeping it safe and only using it as the law allows.

What is personal data?

Personal data is defined in the General Data Protection Regulations (GDPR) as any information which can be used to identify a living individual. If we can identify someone, directly or indirectly, ie you could combine it with other data to determine who it’s about, then it’s personal data.

It includes things like your name, email address, contact details, photographs, location and IP address data, financial information, social media profiles, cookie identifiers, and any other data that may be used to identify you. We don’t process all of these, but they are all classed as personal data.

What is special category data?

In addition to personal data like the types shown above, there is a more sensitive grouping known as special category data.

This includes information about your medical history and concerning your health, trade union membership, information about your sexual life, genetics data and biometrics (where used to identify you), and information that reveals your racial or ethnic origin, your political opinions, and your religious or philosophical beliefs.

Again, we don’t process all of these but they are all classed as special category data.

The Data Protection Act 2018 (DPA18) and the EU General Data Protection Regulation (GDPR) ensure that we comply with a series of data protection principles.

These principles are there to protect you and they make sure that we:

• process all personal information lawfully, fairly and in a transparent manner
• collect personal information for a specified, explicit and legitimate purpose
• ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected, or compatible with this purpose
• ensure the personal information is kept accurate and up to date
• keep your personal information for no longer than is necessary for the purpose(s) that we collected it for
• keep your personal information secure using appropriate technical and/or organisational measures

We collect and hold a wide variety of personal information.

We use this information to:

• deliver services and confirm your identity to help us deliver some of those services
• contact you by phone, text, post or email
• understand your needs so we can provide the services you request
• understand what we can do for you, and with your consent, inform you of other services which may be relevant (this activity may include the use of profiling and automated decision making)
• obtain your opinion about our services and our development plans
• maintain an accurate customer record for you
• help us to understand our performance and ensure we are delivering services well and to meet the needs of our customers
• prevent and detect fraud and corruption in the use of public funds
• undertake statutory functions effectively and efficiently

Usually your personal data is provided directly by you, when you contact us.

This information is collected online, via emails that you send to us, in the letters you write to us, or when you phone us.

Your information might also be provided to us by another organisation or partner. Sometimes this is because you have contacted them when it should have been sent to us, or it may be because you have asked them to act on your behalf. We may also receive your information from our partners if they feel you need our support/intervention and the law allows them to do so.

We may receive your data from agencies who we work with to prevent and detect fraud and crime, where the law permits us to do so.

We may collect information from social media, where information has been made public, where you have given us permission to do so, where the law allows, or if you post on one of our social media pages.

There are a number of legal reasons that allow us to collect and use your personal information.

Generally, we collect and use personal information where:

• you have requested a service from us
• it is necessary to meet our legal obligations
• you have made your information publicly available
• it is necessary for archiving, research, or statistical purposes – for these purposes your data would be used in a pseudonymised format (name and other identifying information replaced with a unique number)

If you have given us your consent we may contact you about other services appropriate to your needs (this type of processing may involve profiling/automated processing).

We may also use your personal information to monitor/improve our performance in responding to your request and to assist in service planning to ensure our services meet our customers’ needs.

Web statistics about your visit to our site are collected automatically. This information is used to help us follow browsing preferences so that we can regularly improve our website. These statistics do not contain personal data.

If your experience would be improved by our website knowing your location, we will ask permission to obtain your current location from your device. This can include coordinates, direction of travel and the time the data was recorded. 

If we rely on your consent to use your personal information, you have the right to remove it at any time.

Information will be shared among officers and other partner agencies where the law allows or requires it, to help deliver the services you require, and to improve our services. We will only use/share the minimum personal data necessary at all times.

We may also be legally required to share your personal data with law enforcement bodies such as the police, government authorities and other organisations, for the prevention and detection of crime or fraud.

We do not share your personal information with any third parties other than those who deliver services on our behalf, who have been carefully selected to do so, or where the law requires us to.

We will only share the minimum necessary information and will always consider your rights before we decide to share your information.

We will always ensure we keep your information safe and secure while it is in our care, and while in transit to our service providing partners or other agencies we are required to share it with.

We carry out checks to ensure our partners and service providers apply the same level of care and security to the data we pass to them. We are explicit with our partners/service providers that they may only use your data to provide the services you requested. However, we may provide your personal information to partners/other organisations where it is necessary, either to comply with the law, or where data protection law permits us to (for example to prevent or detect crime or to protect you).

We will never share your information with third parties for marketing or sales purposes or for any commercial use without your express consent unless the law requires us to do so.

We do not buy or sell any personal data, unless the law requires us to.

Our staff undertake data protection training and know the importance of accuracy of personal data held about our staff and customers.

Staff are encouraged to ensure we keep your data up to date and accurate.

We also encourage you to contact us to let us know if your information has changed.

We want you to be able to trust us with your personal information; we take our responsibilities as guardians of it very seriously.

We keep our systems secure so you can be confident in our ability to look after it. We employ a variety of technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.

Electronic data is stored on secure systems and we control who has access to information (using both physical and electronic means).

We ensure all of our contractors who need access to your data to deliver services are meeting the same standards as we do as a minimum. We regularly review our arrangements with them to ensure they keep us up to date on any changes or improvements to their systems and processes. They are also obliged by law to let us know if they have a breach involving the personal information of our staff or customers.

When we do share your data, we do it via secure channels and will not share more than is necessary for the task.

Our staff all attend regular data protection training and are all aware of their role in keeping your data secure.

We store your data within the European Union. Some organisations which provide services to us may transfer personal data outside of the European Economic Area, but we will only allow them to do so if your data is adequately protected.

For example, some of our systems use Microsoft products. As an American company, it may be that using their products result in personal data being transferred to or accessible from the USA. However, we will allow this as we are certain personal data will still be adequately protected.

We will only keep your personal information for as long as it is needed. In some cases, the law dictates that we must keep it for longer periods than our customers would expect.

We have a data retention schedule which details what personal information we hold and for how long for each of the services we provide.