Privacy Notice

Introduction

The Council needs to collect and use certain types of personal information to operate effectively. This includes information on current, past and prospective employees, Members, suppliers, clients / customers, residents, tenants, partners and others with whom it communicates. 

The Council regards the lawful and proper treatment of personal information as being fundamental to the effective delivery of its objectives and is key to the maintenance and confidence between the Council and the public it serves. There have been significant changes to Data Protection, a new European law called the General Data Protection Regulation (GDPR) will come into force on the 25th May 2018. 

The current Data Protection Act will be repealed and replaced with a new Data Protection Act 2018.The Act also implements the Crime and Justice Directive.

This Privacy Notice below explains how and why the Council uses information about you and the ways in which we protect your privacy, it explains how you can access your information what new rights you have in relation to information and how to exercise those rights.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. 

Individual Rights

The Council regards individuals’ rights as fundamental to its citizens and therefore endorses the enhancement of individual data rights as set out in the legislation. All requests for personal information will be dealt with in accordance with the individual’s statutory rights. Queries regarding the Council’s processing of personal data will be dealt with promptly and courteously.

The GDPR provides the following rights for individuals:

1. The right to be informed

2. The right of access

3. The right to rectification

4. The right to erase

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights in relation to automated decision-making and profiling, you can ask for human intervention or challenge a decision

9. The right to withdraw consent at any time where the processing is based on consent. 

To exercise any of these rights please contact us by: 

FOI Unit,

Vale of Glamorgan Council  

Civic Offices

Holton Road

Barry

Vale of Glamorgan

CF63 4RU

• 01446 700111
• foiunit@valeofglamorgan.gov.uk

Generally these requests will be processed free of charge however a reasonable fee may be charged if requests are manifestly unfounded or excessive. We may ask for identity in processing requests. We shall advise you of this when we respond.

What is Personal Data?

Any information relating to an identifiable natural person who can be directly or indirectly identified in particular by reference to an identifier.

This includes:

• Names
• Addresses
• date of birth
• Age
• Personal details
• family details
• lifestyle and social circumstances
• goods and services
• financial details
• employment and education details,
• housing needs
• visual images, personal appearance and behaviour
• licenses or permits held
• student and pupil records
• business activities
• other case file information

In some instances we process special categories or personal data these are defined by law and are:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Why we use personal information?

We process personal information to enable us to provide a range of government services to local people, businesses and others which include:

• delivery of services,
• supporting you,
• dealing with concerns and complaints,
• maintaining our own accounts and records
• supporting and managing our employees
• promoting the services we provide
• marketing our local tourism
• carrying out health and public awareness campaigns
• managing our property
• providing leisure and cultural services
• provision of education
• carrying out surveys
• administering the assessment and collection of taxes and other revenue including benefits and grants
• licensing and regulatory activities
• local fraud initiatives
• the provision of social services
• crime prevention and prosecution offenders including the use of CCTV
• corporate administration and all activities we are required to carry out as a data controller and public authority
• undertaking research
• the provision of all commercial services including the administration and enforcement of parking regulations and restrictions
• the provision of all non-commercial activities including refuse collections,
• internal financial support and corporate functions
• managing archived records for historical and research reasons
• data matching under local and national fraud initiatives

Lawful Processing

Personal information will only be processed where there is a lawful basis for doing so. There are six available lawful bases for processing.

We process your information lawfully in compliance with one or more of the following:

(a) Your Consent

(b) Necessary for the performance of a Contract

(c) Necessary to comply with the law: Legal obligation

(d) Vital interests:the processing is necessary to protect someone’s life

(e) Public task:the processing is necessary to perform a task in the public interest or in the exercise of official authority

(f) Legitimate interests:the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this does not apply to a public authority processing data to perform official tasks.)

We process special category data in compliance with one or more of the following as set out in the GDPR:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Please note that the Data Protection Act makes alternations to these and accordingly should be read in conjunction. 

Recipients of Information

In order to provide services it is sometimes necessary to share information. For instance a relative may contact the Council in relation to a person who cannot. 

Sometimes we have a legal duty to provide information. 

• To protect a child
• For the detection and prevention of crime/fraudulent activity;
• or if there are serious risks to the public,
• to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
• We may also share your information internally with other Council departments if there is a legitimate reason for doing so.

In doing this we will comply with all aspects of the data protection act. What follows is a description of the categories we may need to share some of the personal information with. Of course not all information will be shared will all of these it is only what is necessary in respect of the service being provided.

• family, associates or representatives of the person whose personal data we are processing
• current past and prospective employers
• healthcare, social and welfare organisations
• educators and examining bodies
• Consortiums and shared services
• providers of goods and services
• customers
• financial organisations
• debt collection and tracing agencies
• private investigators
• service providers
• local and central government
• ombudsman and regulatory authorities
• press and the media
• professional advisers and consultants
• courts and tribunals
• trade unions
• political organisations
• professional advisers
• credit reference agencies
• professional bodies
• survey and research organisations
• police forces
• housing associations and landlords
• voluntary and charitable organisations
• religious organisations
• students and pupils including their relatives, guardians, carers or representatives
• data processors
• other police forces, non-home office police forces
• regulatory bodies
• courts, prisons
• customs and excise
• local and central government
• international law enforcement agencies and bodies
• security companies
• partner agencies, approved organisations and individuals working with the police,
• licensing authorities
• service providers
• press and the media
• healthcare professionals
• current past and prospective employers and examining bodies
• law enforcement and prosecuting authorities
• legal representatives, defence solicitors
• police complaints authority
• the disclosure and barring service
• healthcare professionals
• Consortium Education Services

Where we have arrangements with commercial companies to process personal information on our behalf, there is a contract, memorandum of understanding or information sharing protocol in place to ensure that the organisation complies with data protection law.

It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the data protection act.

How do we keep information secure?

We will take appropriate steps to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.  Our security includes:

• Encryption
• Access controls on systems
• Security training for all staff
• Guidance for staff in how to safeguard information

How long do we keep your personal information?

Please see our retention schedule which explains the retention period for information held by the Vale of Glamorgan Council.

The Vale of Glamorgan Council Retention Schedule 

You have the right to request that the Vale of Glamorgan Council stop processing your personal data in relation to any council service. However, if this request is approved this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request but we may need to hold or process information in connection with one or more of the Council’s legal functions.