This privacy notice is here to tell you what information we collect about you, what we do with that information and why we do it, who we share it with, and how we protect your privacy.
Personal information is information that identifies a living person. That can be obvious information like name and address, or it may be something like an IP address or an identifier like an NHS number.
This includes information you tell us about yourself, information we are given by other people or organisations, or what we learn by having you as a resident or client.
Some information is considered more sensitive or special:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic/biometric data
- criminal history
We must take extra care when collecting and using these types of information.
How we collect your personal information
- The Council collects information in a number of ways, for example: when you apply for our products and services; when you use our website, when you speak to us faceto-face, when you complete online or paper forms; when we receive information from landlords
- The Council may also collect information from government departments and from other local or public authorities to enable us to carry out our statutory functions and to provide services to you
- At times, The Council must by law provide your personal information to us, for example, if you are 18 or over and either own or rent a property in the district you must register to pay Council Tax
How will we use the personal data we collect about you?
The Council will process (collect, store and use) the information you provide in a manner compatible with the General Data Protection Regulation and the UK Data Protection Act. We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. The Council is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
Purpose and legal basis for processing your information
The Council collects and processes information about you, so that we can carry out our functions as a Local Authority and to deliver public services. This includes but is not limited to:
- Administering the assessment and collection of taxes and other revenue including benefits and grants
- The provision of all commercial services including the administration and enforcement of parking regulations and restrictions
- The provision of all non-commercial activities including refuse collections from residential properties
- Local and national fraud initiatives and data matching under these initiatives
- To prevent and detect fraud or crime and prosecution offenders including the use of CCTV
- Licensing and regulatory activities
- Providing leisure and cultural services
- Carrying out health and public awareness campaigns
- Managing our property
- Maintaining our own accounts and records
- Supporting and managing our employees
- Promoting the services we provide
- Marketing our local tourism
- Carrying out surveys
- Undertaking research
- Internal financial support and corporate functions
- Managing archived records for historical and research reasons
- Corporate administration and all activities we are required to carry out as a data controller and public authority
We collect and process the following categories of personal information
- Personal and family details
- Lifestyle and social circumstances
- Goods and services
- Financial details
- Employment and education details
- Housing needs
- Visual images, personal appearance and behaviour
- Licenses or permits held
- Business activities and
- Case file information
We may also collect and process special categories of personal information that may include
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data, biometric data for the purpose of uniquely identifying a person
- Data concerning health
- Data concerning a person's sex life or sexual orientation
This information is only used for the intended purpose but if we intend to use it for any other purpose, we will normally ask you first. In some cases, The Council may use your information for another purpose if it has a legal duty to do so, to provide a complete service to you, to prevent and detect fraud, or if there is a risk of serious harm or threat to life.
Who we may share your information with?
- The Council may share your data with third parties in the following circumstances:
- With Government Departments as required by law, for example the Department for Works & Pensions and Her Majesty’s Customs & Excise
- Where the Council contracts with a third party to wholly or partly provide a particular Council service, for example specialist consultants
To pass onto independent examiners in association with a local or neighbourhood plan submission where any of the following apply
- National or public security
- Taxation matters
- Public health
- Prevention & detection of crime
- The protection of the individual, or the rights and freedoms of others
- Breaches of ethics in regulated professions
We may share your data with other Council services where this will lead to an enhanced service being provided to you.
The Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud or may share with the Police if it is suspected that a crime may have been committed. We may also share this information with other bodies that are responsible for auditing or administering public funds including the Council’s external auditor, the Department for Work and Pensions, and other local authorities, HM Revenue and Customs, and the Police for example.
In addition to undertaking our own data matching to identify errors and potential frauds we are required to take part in national data matching exercises undertaken by the Cabinet Office.
The use of data by the Cabinet Office in a data matching exercise is carried out under its powers in Part 6, Schedule 9 of the Local Audit and Accountability Act 2014.
It does not require the consent of the individuals concerned. For more information see National Fraud Initiative web page.
Data matching may also be used to assist the council in responding to emergencies or major incidents, by allowing the council, in conjunction with the emergency services, to identify individuals who may need additional support in the event of, for example, an emergency evacuation.
Details for international transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the Data Protection Legislation.
How long we keep your information
The Council will only keep your information for as long as is required by law and to provide you with the necessary services. Further details are published in the Council's Document Retention Policy.
The Council may also anonymise some personal data you provide to us to ensure that you cannot be identified and use this data to allow the Council to effectively target and plan the provision of services.
Cookies enhance your experience using our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide information to the owners of the site.
We do not store or transmit any personally identifiable data on these cookies. However, we do use a number of third party services to improve our website and the services we offer you, including Google Analytics, Hot Jar and Double Click. These services may place a cookie on your computer which may record your IP address and enable them to monitor your use of our website as well as other websites you visit where your IP address is stored.
You can change your cookie setting at any time in the security settings in the browser you use to access the internet. Please note however, that rejecting all cookies may impact on your enjoyment or use of this website.
We collect IP addresses*only for the purposes of system administration and to audit the use of our site. We do not link IP addresses to anything personally identifiable, which means that while your user session will be logged you will remain anonymous to us. However, as stated above, we do use a number of third party services to improve our web-site and the services we offer you and these services may place a cookie on your computer which may record your IP address and enable them to monitor the use of our website or of other websites you visit.
*An IP address is a unique string of numbers that identifies each computer.
The Council has to process personal data in order to carry out its functions as a Local Authority, but we can only do this where there is a legal basis. This is known as the ‘lawful basis for processing’.
GDPR extends individuals’ rights in terms of this processing, for example the right of access (also known as Subject Access Requests). It also introduces some new ones, such as the right to erasure, right to restrict processing and the right to data portability. Under GDPR individuals have 8 rights to exercise when it comes to your personal data, all for your rights are listed below:
- Right to informed -you have the right to ask the Council for information about what personal data is being processed about yourself and the rationale for such processing
- Right of access – you have the right to request a copy of the information that we hold about you. If you wish to request for your personal data please email DPO@hertsmere.gov.uk
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. If you think we hold in accurate data on you please inform us by emailing DPO@hertsmere.gov.uk
- Right to be forgotten – you can make a request and have your data deleted where there is no compelling reason for its continued processing and provided that there are no legitimate grounds for retaining it
- Right to restriction of processing – where certain conditions apply you can restrict the processing of your personal data
- Right of portability – you have the right to have the data we hold about you transferred to another organisation
- Right to object – you have the right to object to certain types of processing such as direct marketing
- Rights in relation to automated decision and profiling – you have the right to object to automated processing, including profiling
- Right to judicial review: in the event that the Council refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 4.2.
Privacy policies of other websites
Change in your personal circumstances
You must notify The Council immediately if there are any changes in your circumstances and personal details so we can maintain an accurate and up to date record of your information.
As the Council creates new services, this may generate a need to amend the Privacy Notice. If our Privacy Notice changes at any time in the future, it will be posted on this page.
The Council’s retention policy
The Council has a Retention Policy and Schedules.
By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.
You may withdraw consent at any time.
Subject Access Requests
The UK General Data Protection Regulation (UK GDPR) provides you with the right of access to personal data we hold about you.
Requests are free and the Council has an obligation to respond within 30 days of your request, unless your request is large or complicated, when we are allowed to take longer to respond to you.
What you need to know
The UK GDPR and the Data Protection Act make us responsible for handling your information securely and efficiently, and for ensuring we do not disclose it to other people or organisations without meeting legal conditions that protect your privacy (for example, we may have to ask your permission).
Make a Subject Access Request online
If you want to see the information we hold on you or to access data about yourself, you can download and complete a form and return by post or email.
You need to include copies of the following with the form:
- proof of identity such as a driving licence, passport, or government identification card
- proof of residency such as a driving licence, current benefits or pensions statement, current rent statement or tenancy agreement, or a recent (within the last three months) utility bill with your name on it
Please send copies of your proof of identity and residency. Do not send original documents.
Can I make a subject access request verbally?
You can make a subject access request verbally, but we recommend you put it in writing if possible because this gives you a record of your request.
If you are making a verbal request, try to:
- use straightforward, polite language
- focus the conversation on your subject access request
- discuss the reason for your request, if this is appropriate – work with them to identify the type of information you need and where it can be found
- ask them to make written notes – especially if you are asking for very specific information; and
- Check their understanding – ask them to briefly summarise your request and inform them if anything is incorrect or missing before finishing the conversation
However, even if you make your request verbally, we recommend you follow it up in writing (e.g. by letter, email or using a standard form).
Requesting information on behalf of a third party
We will ask for proof of your authority to act for a third party if you are making a request on their behalf (for example proof of power of attorney, or proof of parental responsibility).
Children are generally considered competent to make a subject access request at age 12 or over. We will require proof of parental responsibility before disclosing any information.
For more guidance on what your request should look like, please check the ICO website.
CCTV footage and disclosures to other organisations
[We generally only hold CCTV footage for a calendar month. If the subject access request is not made within this time frame, we may no longer have the footage.
If you are an organisation making a request under The Data Protection Law Enforcement Directive, make a disclosure request.
The council must respond to requests made under laws that allow access to information. The Freedom of Information Act 2000 and Environmental Information Regulations 2004 require us to answer requests for information that we hold. Data protection legislation also requires us to respond to requests for information about individuals, which we tell you more about in the Your Rights section of this notice.
The Council has an obligation to respond within 20 days and can extend for another 40 days.
All council services use personal data so that we can comply with these laws.
We use personal information to handle any complaints you or another person makes to us. Sometimes we manage complaints for specific legal reasons, such as for enforcing planning law or for environmental health reasons.
Your Data Controller
Your Data Controller is Hertsmere Borough Council
The Hertsmere Borough Council is required by law to appoint a Data Protection Officer (DPO), who is responsible for monitoring our compliance with data protection legislation and advising on our data protection obligations.
If you have any questions or worries about how the council collects or uses your personal information you can email or write to the Data Protection/Information Officer.
Data Protection/Information Officer
Hertsmere Borough Council
Phone: 020 8207 2277
Get independent advice about data protection and privacy
For independent advice about data protection and privacy, you can contact the Information Commissioner’s Office (ICO). The ICO oversees how organisations comply with data protection legislation in the UK.