GENERAL PRIVACY NOTICE

 

Who we are

For the purpose of the Data Protection Requirements * the data controller is Joe Cooney, Keighley Town Council (KTC), Civic Centre, Keighley BD21 3RZ. We are a registered data controller with the Information Commissioner’s Office, Registration number: ZA032549.

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.

Where we get your information from

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made a complaint or enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event organised or facilitated by us.
  • You subscribe to our KTC newsletter.
  • You have applied for a job or secondment with us.
  • You are representing your organisation in any dealings with us.

We also receive personal information indirectly, in the following scenarios:

  • We have contacted an organisation about a complaint you have made, and it gives us your personal information in its response.
  • Your personal information is contained in reports or databases given to us by other organisations, for example Bradford Metropolitan District Council.
  • A complainant refers to you in their complaint correspondence.
  • Other individuals, for example planning applicants, include information about you in their reporting to us.
  • From other public authorities, regulators or law enforcement bodies.
  • An employee of ours gives your contact details as an emergency contact or a referee.

Why do we collect information about you?

We need to collect and use information about you, in order to:

  • deliver public services to you,
  • provide public health functions,
  • confirm your identity to provide some services,
  • contact you by post, email or telephone about your requirements,
  • understand your needs to provide the services that you request,
  • update your records,
  • help us build up a picture of how we are performing at delivering services to you,
  • prevent and detect fraud and corruption in the use of public funds,
  • allow us to undertake statutory functions efficiently and effectively,
  • make sure we meet our statutory obligations including those related to diversity and equalities.

We may not be able to provide you with a product or service unless we have sufficient information from you or, on occasion, your permission to use that information.

How we use your information

We will use the information you provide in a manner that complies with the Data Protection Act and associated legislation.  We will endeavour to keep your information accurate and up to date and not keep it longer than is necessary.  Information will be kept in line with our retention policy.  In some instances, the law sets the length of time information has to be kept.

We will only use your information and share it between Council services for the following purposes:

  • to provide the service you requested, and to monitor and improve our performance in responding to your request,
  • to ensure that we meet our legal obligations,
  • where necessary for law enforcement functions,
  • to prevent and detect fraud or crime,
  • to process financial transactions including grants, payments and benefits involving the council, or where we are acting on behalf of other government bodies such as Department for Work and Pensions,
  • where necessary to protect individuals from harm or injury (safeguarding),
  • to allow the statistical analysis of data so we can plan the provision of services,
  • to create anonymised data to be used and published to help improve services. This anonymised data will not contain any personal information which means that individuals cannot be identified.

What type of information do we collect

The council will process some or all of the following personal data where necessary to perform its tasks:

  • Contact details such as telephone numbers, addresses, and email addresses,
  • Correspondence, i.e. emails, letters, text messages, typed notes of telephone conversations,
  • Where they are relevant to the services provided by a council, or where you provide them to us, we may process information such as gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition, and dependants,
  • Where you pay for services or activities such as use of a council premises, financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers,
  • Case conference notes
  • Photographs (i.e. for publicity and news stories)

The personal data we process may include sensitive or other special categories of personal data.

Special Category Data

As part of Keighley Town Council’s statutory and corporate functions, we process special category data. These reasons include those of substantial public interest, and for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on KTC or the data subject in connection with employment, social security or social protection, and archiving.

For these types of processing we are required to have an appropriate policy in place setting out and explaining our procedures and policies.

Special category data is defined as personal data revealing:

– Racial or ethnic origin

– Political opinions

– Religious or philosophical beliefs

– Trade union membership

– Genetic data

– Biometric data for the purpose of uniquely identifying a natural person

– Data concerning health, or

– Data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

We do not routinely process any criminal conviction data.

Employment, social care and social protection

Under Article 9 (2) (b) GDPR, KTC may process special category data where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law. This must be carried out on the basis of union or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interest of the data subject.

How we use sensitive personal data

We may process sensitive personal data including, as appropriate, your racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation and in order to comply with legal requirements and obligations to third parties.

This type of data is described in the GDPR as “special category data” and requires higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.

Under Article 9 GDPR, KTC may process special categories of personal data in the following circumstances:

  • In limited circumstances, with your explicit written consent
  • where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law. This must be carried out on the basis of union or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interest of the data subject.
  • Where we need to carry out our legal obligations.
  • Where it is necessary in the public interest.

Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

The council will comply with data protection law. This says that the personal data we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept and destroyed securely including ensuring that appropriate technical and security measures are in place to protect your personal data from loss, misuse, unauthorised access and disclosure.

What is the legal basis for processing your personal data

The council is a public authority and has certain powers and obligations.

The lawful bases we may use are:

  • Consent: you have given clear consent for us to process your personal data for a specific purpose.
  • Contract: the processing is necessary for a contract we have with an individual, or because they have asked us to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations), see below.
  • Public task: the processing is necessary for KTC to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for KTC’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Most of your personal data is processed for compliance with a legal obligation which includes the discharge of the council’s statutory functions and powers.

We also process personal data where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This can either be carrying out a specific task in the public interest which is laid down by law; or exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

Sometimes when exercising these powers or duties it is necessary to process personal data of residents or people using the council’s services. We will always take into account your interests and rights. This Privacy Notice sets out your rights and the council’s obligations to you.

We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy.

Sharing your personal data

Information sharing with other organisations

We may need to pass your information to other people and organisations that provide a service on our behalf. These providers are obliged to keep your details securely and use them only to provide the service to you or in accordance with our instructions.

We may also obtain information from certain external organisations or provide information to them in order to conduct data matching exercises to:

  • confirm the accuracy of the information we hold,
  • assist with service delivery by assessing eligibility for services,
  • enable the anonymisation of data for the use and publication of datasets and statistical analysis of data to improve services,
  • comply with the council’s legal obligations.

We may share information with third parties where we are required by law to do so or where otherwise permitted by the Data Protection Act, for example, where the disclosure is necessary to enable the council to exercise its statutory functions.

Where we need to share sensitive or confidential information such as children’s data, financial data or health information with third parties, we will do so only with your prior explicit consent, or where we are required by law to do so, or where otherwise permitted by the Data Protection Act, for example, where the disclosure is necessary to enable the council to exercise its statutory functions.

We may share your information including sensitive or confidential information where it is necessary for the prevention or detection of crime or to prevent risk of harm to an individual. For example, KTC is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud or may share with the Police if it is suspected that a crime may have been committed. We may also share this information with other bodies that are responsible for auditing or administering public funds including the Council’s external auditor, the Department for Work and Pensions, and other local authorities, HM Revenue and Customs, and the Police for example.

We are not required to inform you when this has taken place.

We will endeavour to ensure where possible that appropriate steps have been taken by the recipient to protect personal information that is shared.

We may carry out data matching to identify errors and potential frauds involving our funds and we are required to take part in national data matching exercises undertaken by the Cabinet Office. The use of data by the Cabinet Office in a data matching exercise is carried out under its powers in Part 6, Schedule 9 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned.

Other data controllers the council works with

We work closely with and may share data on a regular basis with the following:

  • Bradford Metropolitan District Council
  • Community groups
  • Charities
  • Other not for profit entities
  • Contractors
  • Credit reference agencies *

CCTV

CCTV cameras are located in our premises at the Civic Centre for the purposes of public and staff safety and crime prevention and detection.  In all locations signs are displayed notifying you that CCTV is in operation.

The system is owned, operated and managed by Bradford Metropolitan District Council but can be accessed by ourselves.

We will only disclose CCTV images to others who intend to use the images for the purposes stated above or where disclosure is legally required or otherwise permitted under the Data Protection Act.  CCTV images will not be released to the media for entertainment purposes or placed on the internet.

Images captured by CCTV will not be kept for longer than necessary, usually no more than 30 days *. However, on occasions there may be a need to keep images for longer – for example where a crime is being investigated.

How long do we keep your personal data

We will not keep your information longer than it is needed or where the law states how long this should be kept.  We will dispose of paper records or delete any electronic personal information in a secure and confidential way.

We may keep some records permanently if we are legally required to do so.

We may have legal obligations to retain some data in connection with our statutory obligations as a public authority.  The council is permitted to retain data in order to defend or pursue claims.  In some cases, the law imposes a time limit for such claims.

We may retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. In general, we will endeavour to keep data only for as long as we need it. This means that we will delete it when it is no longer needed.

Where we store your information and how we keep it safe

We take all reasonable precautions to keep your personal information secure and require any third parties that handle or process your personal information for us to do the same. Access to your personal information is restricted to prevent unauthorised access, modification or misuse and is only permitted among our staff and Councillors on a need-to-know basis.

Cookies

All personal information of the individuals is stored on our systems on secure servers. We operate a suite of IT and security policies to ensure your information is kept secure, including appropriate access and auditing controls.

Connection to our servers is via an encrypted Secure Socket Link (HTTPS). Passwords of users are all encrypted on our database. We use anti-virus software and firewalls to protect against cyber-attack. Unfortunately, the transmission of information via the internet isn’t completely secure.

Although we’ll do our best to protect your personal information, we cannot guarantee the security of information you send to us that is outside of our security arrangements; any transmission is at your own risk.

We also operate strict physical security at our sites and our employees all receive security and data protection awareness training.

We may store your personal information on your local device, such as your computer or mobile phone, to assist you in your repeated use of our services. We have no control over inappropriate access to this information. You can delete this information at any time using the facilities of your Internet browser or mobile device.

Your rights and your personal data

The General Data Protection Regulation and Data Protection Act 2018 increased rights for individuals. These rights and how to exercise them are detailed below:

The right to be informed

You have a right to know how and why your personal data is collected, handled and processed and the purpose for its processing. Most of this information is contained in this privacy notice.

The right of access

This is your right to request sight of the information that we as a Council hold about you. It is called a Subject Access Request (SAR) and will be dealt with by KTC free of charge.

For more information, please visit our ‘make a data protection request’ web page.

The right to rectification

This means that you have the right to request that we correct any incorrect or inaccurate information held on our systems, such as wrong addresses or incorrect spellings. Corrections must be carried out within a month of us being informed, including asking third parties to also amend their systems accordingly.

The right to be forgotten

This means that as long as the purpose for processing the data is not a statutory one, or in other words doesn’t have a legal basis, then you can request that your information is withdrawn by withdrawing your consent for processing. As long as the data is not required for a legal or safeguarding purpose, you have the right for your entry to be deleted from our systems. Obviously an individual cannot be ‘forgotten’ from the Council Tax system but for systems that do not have a legal basis such as mailing lists, then you have the right to be forgotten and erased from the system.

The right to restrict processing

This right applies where an individual may feel that we are acting upon incorrect or inaccurate information. They will have the right under the new law to request that we restrict processing while we look into the situation. We have 1 month to comply or explain why we cannot do so. Once a decision is made and any inaccuracies documented and amended the processing can be re-commenced.

The right to data portability

The right to data portability is new. It only applies to personal data an individual has provided to a controller and where the processing is based on the individual’s consent or for the performance of a contract; and when processing is carried out by automated means.

The right to object

This right is the same right that exists currently in that you can complain to KTC if you feel that your data rights have been incorrectly handled or breached.

The right not to be subject to automated decision-making including profiling

If KTC intends to use your data for profiling purposes or for automatic decision making you must provide explicit consent for us to process your data in this way. We do not currently process any information in this way.

You have the right to request that KTC stops processing your personal data in relation to any council service (other than statutory services) where that processing is likely to cause substantial and unwarranted damage or distress.  However, this may cause delays or prevent us delivering a service to you.

Where possible we will seek to comply with your request, however there may be circumstances where this is not possible – for example if we are required to hold or process your information to comply with a legal requirement.

You can contact us about any of the above rights by the following channels: by post or in person at Keighley Town Council (KTC), Civic Centre, Keighley BD21 3RZ, or telephone: 01535 618252, or via email: townclerk@keighley.gov.uk

The right to lodge a complaint with the Information Commissioner’s Office

If you believe that Keighley Town Council has not complied with your data protection rights, you can complain to the Information Commissioner’s Office. Their address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, or you can complain by calling 0303 123 1113.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive details of all aspects of collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to Keighley Town Council (KTC), Civic Centre, Keighley BD21 3RZ or telephone:  01535 618252, or via email:  townclerk@keighley.gov.uk.

Transfer of Data Abroad

We do not currently process any information outside the UK.

Changes to this notice

We keep this Privacy Notice under regular review, and we will place any updates on https://www.keighley.gov.uk/. This Notice was last updated in October 2019.

 

* Data Protection Requirements means the Data Protection Act 2018, the General Data Protection Regulations 2018, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the General Data Protection Regulation (from 25 May 2018) and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.