How we use your information
What is personal information?
This is information about a living person which allows anyone to work out who they are such as name, address, telephone number, date of birth, and bank details and so on. This can include letters, emails, photographs, audio and video recordings. Some of your information is also known as special category data which is more sensitive, and we have to look after it more carefully. This includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, and biometric (for example fingerprints, facial recognition) and genetic (such as DNA) data.
What information do we collect about you and how do we use it?
By providing services for you we ask for a wide range of information, some of which is personal. This can be (for example) information used for the assessment and collection of Council Tax and business rates, the payment of benefits, grants and loans administration, applications for housing and accommodation, and for the collection of waste. We then use your personal information to deliver the service or fulfil an obligation. Many of these services and obligations are covered under laws, the main ones for the council are the Local Government Acts and the Localism Act 2011 but there are many more. A non-exhaustive list of the reasons we take your information can be found in our: Privacy Notice Information for West Suffolk Council service areas.
Where does your data go?
On 31 December 2020, the United Kingdom left the European Union (EU).
Before this point, the UK and Europe had very similar data protection laws and regulations, and still do. However, because we are now separate from the EU, both the UK and Europe need to formally declare that each other's laws and regulations are 'adequate' before 30 June 2021 to be able to continue to transfer personal data between them. If they do not, we need to put in place special provisions to allow such transfers to continue.
The majority of your data held by the council is secured within the UK and is covered by the General Data Protection Regulation (UK) but a small amount (used by our system providers) is secured within the EU (Dublin). Through contacts we ensure we have appropriate protections in place for your privacy that correspond with the highest standards, such as the EU GDPR equivalent level protections wherever your data may be stored.
Standard contract clauses (SCCs) exist which explain the necessary safeguards both we and our suppliers need to put in place when transferring data. We are using these with our system suppliers who hold data in the EU and will also continue to:
- constantly review all their data transfers to identify areas that require change
- utilize standard contract clauses as a default, and
- introduce additional contractual, organisational, and technical safeguards to further protect your information.
Don’t I have to give consent for you to use or share my personal information?
Usually, the information we hold about you has been collected for a specific purpose. Your consent may be needed when we want to use data for a different purpose. For example, we collect your name and address so we can send you Council Tax bills, but we would need your permission if we used this information to send you something else at another time, this is called opting in. If you give consent for this action or any other form of opt in consent, you have the right to ask for this consent to be withdrawn, where relevant.
However, your consent may not be required if an exemption is applied. For example where we are undertaking checks as part of the National Fraud Initiative, to prevent and detect crime, ensure we can enforce the collection of council tax, or permitted to share data under other legislation. We will also share your information between services in the council so we can keep our records on you as up-to-date as possible and improve our services to you. For example if you tell the housing team you have moved, they will pass this information on to other parts of the council to update their records but don’t worry, our staff can only see your information if they need it to do their job.
Depending on the purpose for which we originally obtained your personal information, we may share with other local authorities or organisations such as suppliers or contractors, voluntary organisations or not for profit organisations for the purposes of carrying out joint ventures or referring you to support services.
On occasions the council will undertake research into various topics. When using personal data for research purposes, the data will usually be anonymised to avoid the identification of an individual, unless consent has been given for the use of the personal data.
Safeguarding – if there is a safeguarding concern, we will take immediate steps to safeguard people from harm in accordance with our Children and Adult Safeguarding Policy. We will only share your personal information with other agencies in order to protect your vital interests or the vital interests of another person. This will include information sharing with the Suffolk Multi Agency Safeguarding Hub (MASH) if we believe somebody to be at risk of abuse or harm.
What if I choose not to give personal information?
We may need to collect personal information by law, carrying out a public task or under the terms of a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from meeting our obligations. It may also mean we cannot perform services or give assistance to you. Any data collection that is optional would be made clear at the point of collection.
Can I see what personal information you hold about me?
Yes - the General Data Protection Regulation provides the following rights for individuals:
- The right to be informed – this is the information given to you in a privacy notice
- The right of access – you can ask to see the personal information we hold about you
- The right to rectification – if you feel your information is incorrect you can ask for it to be corrected
- The right to erase – there are some circumstances when you can ask for your personal information to be erased (removed from our systems)
- The right to restrict processing – there are some circumstances when you can ask for the processing of your personal information to be restricted
- The right to data portability – you may request to acquire and reuse your personal information for your own purposes
- The right to object – you can object to processing if you feel your personal information is not being used for the purposes that you gave it to us for
- Rights in relation to automated decision making and profiling – you have the right to know if your personal information is used in an automated process which could result in an unfavourable decision against you.
How we use your information to make automated decisions
We sometimes use systems to make automated decisions based on personal information we have about you. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the service we may offer you now or in the future.
Here are the types of automated decisions we make:
Housing Register - We use a system that, based on the information you fill in when applying to join the housing register, assesses your priority for housing. Dependent on the answers you give in relation to the financial section you may be eligible to go onto the register and be made ‘live’ automatically without any officer oversight, albeit with a low priority.
As a person you have rights over automated decisions:
- You can ask that we do not make a decision based on the automated score alone
- You can object to an automated decision and ask that an officer reviews it
If you want to know more about these rights, please contact us.
What do I have to do if I want to exercise one of my rights above? (Data Subject Access Request)
In regards to all of the above, you can ask us for confirmation that your data is being processed, access to information that we hold about you and other supplementary information. This is called a Data Subject Access Request. You can request this information verbally or in writing. To help you in this process and ensure we get as much information as possible about your request, please complete the online Data Subject Access Request form.
You will be required to provide proof of identity. We must respond to you within one month, once we have checked your identity. If we feel the request is complex we may ask for an extension of this period.
If the information we provide is incorrect, you must write to us and tell us what information is incorrect and ask that it be corrected. If we do not agree that the information is incorrect, you may ask us to record your disagreement. There is no charge for this service. However, a charge may be incurred if the request is deemed manifestly unfounded or excessive, particularly if it is repetitive.
In certain circumstances, your request may be denied and we will write to you and inform you if that is the case.
How can I contact you if I don’t understand what I have read?
We can be contacted by email at: email@example.com or write to us at: The Data Protection Officer, West Suffolk House, Western Way, Bury St Edmunds, Suffolk, IP33 3YU.
Where can I find more information about my rights?
The Government has set out a number of data protection principles and rights for you that we must follow when using your personal data. These principles and rights are detailed in the Data Protection Act 2018. How we comply with these principles and rights is explained in our West Suffolk Data Protection Policy and our Record Management Guidance
If you wish to complain about the way in which your request has been processed then your complaint will be dealt with as a Step two complaint in accordance with our complaints procedure. If you are still unhappy with the decision, you have a right of appeal to the Information Commissioner’s Office
We aim to have a secure website, and use security technology to protect any sensitive personal data we process about you. But your use of the internet, and this website, is entirely at your own risk. We have no responsibility or liability for the security of personal information transmitted over the internet. Please be aware that emails sent through the internet may not be secure so please consider this before you send personal or sensitive data.
Other legal requirements in regards to personal information
Data Matching and the National Fraud Initiative (NFI)
The information you give when you complete and return a form electronically or on paper will be held in accordance with current data protection legislation.
We are required by law to protect the public funds we administer.
We may share information provided to us with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud. Your personal data may be used to manage, monitor, improve and promote our services. Where delivery of services or actions is in partnership with others, it may also be shared with other persons or bodies in accordance with, and restricted to, the terms of information shared agreements and protocols.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows potentially fraudulent claims, applications and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office's National Fraud Initiative; a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed on: GOV.UK - National Fraud Initiative
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.
Data matching by the Cabinet Office is subject to a Code of data matching practice for the National Fraud Initiative
More information on the Cabinet Office's legal powers and the reasons why it matches particular information
For more information on data matching at West Suffolk contact Bernadette.firstname.lastname@example.org