Your personal information and privacy

Warwick District Council is responsible for handling the personal information that you give us lawfully, fairly, securely and in a manner that safeguards your privacy. The Council is also responsible for ensuring that you are able to exercise the statutory rights that you have in relation to your personal information. This privacy notice explains how we do this.

What is personal information?

Personal information can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details, a photograph, or an address and a personal description.

Special personal information

The Data Protection Act classes some personal information as ‘special personal data’, because of the impact that unlawful or unfair use could have on someone.

The special personal data types are: Racial or ethnic data, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life, sexual orientation, genetic information, biometric information.

The Council is required by law to take extra care to safeguard ‘special’ information. Details of our security policies can be found here {link to information security and code of conduct policy}.

Why do we need your personal information?

We need to collect and hold information about you, in order to:

• deliver public services
• confirm your identity to provide some services
• contact you by post, email or telephone
• understand your needs to provide the services that you request
• understand what we can do for you and inform you of other relevant services and benefits
• obtain your opinion about our services
• update your customer record
• help us to build up a picture of how we are performing at delivering services to you and what services the people of Warwick District need
• prevent and detect fraud and corruption in the use of public funds
• allow us to undertake statutory functions efficiently and effectively
• make sure we meet our statutory obligations including those related to diversity and equalities.

We may not be able to provide you with a service unless we have enough information.

The lawful collection and use of personal information

The Council has a legal duty to provide many of its services and some of these are law enforcement duties so in these cases it is lawful for us to collect and use your personal information. In many cases you are obliged to provide your personal information in order to access the service, for instance to claim housing benefits.

Sometimes we will ask for or use personal information for other reasons that are not directly related to our legal duties, for example where we:-

• Are dealing with a task in the public interest or need to use a specific power that we have.
• Need to act in the Council’s legitimate interest, where this does not clash with your personal information rights.
• Need to disclose information in order to protect you or someone else from harm. There are rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we’ll make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why, when we think it is safe to do so.

If we are asking for the personal information for any other reason we will always request your specific consent.

Fair collection and use of personal information

Fair collection and use of personal information is ensured by the provision of Privacy Notices on forms when information is collected or received. These give details of for example; the specific use of personal information being asked for, the lawful basis of the use, who it is shared with etc. as required under the Right to be Informed (see below).

When contractors or partners provide council services

Where the Council uses a contractor or partner to provide services on our behalf, we will ensure that any personal information used will be handled to the same high standard through formal contracts or detailed binding agreements which comply with our data protection obligations. The same is true when the Council receives personal information from other partners and agencies.

We will provide details of what information is shared with other organisations in privacy notices at the point when information is requested or received.

Information sharing

We will not pass any personal data on to third parties, other than those who either process information on our behalf, or because of a legal requirement, and will only do so, where possible, after we have ensured that sufficient steps have been taken to protect the personal data by the recipient.

Information given in confidence

We will not disclose any information that you provide ‘in confidence’ to us, to anyone else without your permission, except where disclosure is required by law, or where we have good reason to believe that failing to share the information would put you or someone else at risk. If the Council does disclose information for these reasons, you will be told about this if it is judged appropriate to do so.

Information shared with partner organisations and agencies

We may need to pass your information to other people and organisations that provide the service. These providers are obliged to keep your details securely, and use them only to fulfil your request. If we wish to pass your sensitive or confidential information onto a third party, we will only do so where we are legally obliged to or we have your explicit consent.

Sharing special personal information

Where we need to disclose sensitive or confidential information such as medical details to other partners, we will do so only with your prior, explicit consent or where we are legally required to. We may also lawfully disclose information when necessary to prevent risk of harm to an individual or individuals.

Sharing for Marketing Purposes

At no time will your information be passed to organisations external to us and our partners for marketing or sales purposes or for any commercial use without your prior express consent.

Keeping records of people who present threatening behaviour

In most cases, people who engage with us are reasonable and allow us time to do our job. However, some people behave in a way which affects our ability to do our job. If this happens, we may need to manage the way that person can contact us or the way we contact and deal with that person.

In extreme cases, we keep details of people who we consider present a possible threat to the safety or wellbeing of our staff. We may share this information with third parties where they may be required to contact that person. We will normally tell the person when their details are recorded in this way, unless we believe this may provoke unacceptable behaviour towards our staff. We regularly review information recorded in this way and delete it when it is no longer relevant.

Legal obligations including the prevention and detection of crime, including fraud

We may disclose information to other bodies where it is necessary, either to comply with a legal obligation, or where permitted under the Data Protection Act (or subsequent Regulation or Act), e.g. where the disclosure is necessary for the purposes of the prevention and/or detection of crime.

The Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud. We may also share this information with other bodies responsible for auditing, administering public funds, or where undertaking a public function, in order to prevent and detect fraud. This includes the Cabinet Office, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.

Section 68 of the Serious Crime Act 2007 enables public authorities to disclose information for the purposes of preventing fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made with such an organisation.

Personal Information transferred outside the EU

The majority of personal information is stored on systems in the UK. But there are some occasions where your information may leave the UK. If we transfer and process your information overseas or use web services that are hosted outside the European Union, we will tell you and it will only take place with data processing agreements that meet our obligations under the GDRP/Data Protection Act.

We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments. If we need to send your information to an ‘unsafe’ location we’ll always seek advice from the Information Commissioner first. 

Your information rights

The right to be informed is your gateway to exercise your other personal information rights.

The right to be informed

At the point that we ask for your personal information we will provide the following details:

• Why we are collecting it, how your information will be used and the lawful basis for doing this.
• Who it will be shared with, including if information is transferred outside the EU area.
• How long it might be kept for.
• What your rights are and how to use them.
• How to complain if you think your personal information has been used incorrectly or unfairly.

The right to access your personal information

You can ask for access to the information that we hold about you.

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services.  However, you also have the right to ask for the information we have about you and the services you receive from us. When we receive a request from you, we must give you access to personal information we have recorded about you that you request. 

You can ask us to change your personal information you think is inaccurate (Rectification)

You should let us know if you disagree with something included in or something omitted from your records. We may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.  

You can ask us to delete your personal information (right to be forgotten or erasure)

In some circumstances you can ask for your personal information to be deleted, for example: 

• Where your personal information is no longer needed for the reason why it was collected in the first place
• Where you have removed your consent for us to use your information (where there is no other legal reason us to use it)
• Where there is no legal reason for the use of your information
• Where deleting the information is a legal requirement

Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.

Please note that we cannot delete your information where:

• we are required to have it by law
• it is used for freedom of expression 
• it is used for public health purposes
• it is for scientific or historical research, or statistical purposes where it would make information unusable
• it is necessary for legal claims 

You can ask to limit what we use your personal data for (Restriction)

You have the right to ask us to restrict what we use your personal information for, where:

• you have identified inaccurate information, and have told us of it
• where we have no legal reason to use that information but you want us to restrict what we use it for, rather than erase the information altogether

When information is restricted it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it is important and in the public interests.

Where possible we will seek to comply with your request, but we may need to hold or use information because we are required to by law.

The right to object to our use of your personal information (Object)

This right depends on the lawful basis under which your personal information is being collected and used and therefore not always available, it does, however, require the Council to stop using your personal information. Contact the Data Protection Officer (01926 456114 or email DPO@warwickdc.gov.uk) for further information.

You can ask to have your personal information moved to another provider (Data Portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being. 

It is likely that data portability will not apply to most of the services you receive from the Council. 

Automated decision-making and profiling rights

You can ask to have any computer made decisions that affect you explained to you, and details of whether and how we may have applied profiling to you.

You have the right to question decisions made about you by a computer, unless it is required for any contract you have entered into, required by law, or you have consented to it. 

You also have the right to object to being profiled. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions. 

If and when the Council uses your personal information in profiling, you will be informed. 

How long can we keep your personal information?

There is often a legal reason for keeping your personal information for a set period of time, and we will provide the details when we collect your personal information.

All record retention details are recorded in our retention policy schedule. For each service the schedule lists how long your information may be kept for. This ranges from days for some records to decades where the law specifies this.  

How we protect your personal information

Our aim is not to be intrusive, and we will not ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and procedures to make sure it cannot be seen, accessed or disclosed to anyone who should not see it.

We have an Information Governance Framework that includes a Data Protection and Privacy Policy, an Information Access and Rights Policy and a set of Information Security policies. These define our commitments and responsibilities to your privacy and cover a range of information and technology security areas.

We provide training to all staff on how to handle personal information and treat it as a disciplinary matter if they misuse or do not look after your personal information properly. We will not keep your information longer than it is needed or where the law states how long this should be kept. We will dispose of paper records or delete any electronic personal information in a secure way.

Other examples of our security arrangements include:

• Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
• Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
• Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
• Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)

The Council is also required by the Data Protection Act to consider the impact on individuals of any new or changed systems or procedures that involve the processing of personal information. This is called Privacy by Design, and the issue of individuals’ privacy must be placed at the heart of new or changed systems design. In addition, where the Council is considering using new or intrusive technologies that can impact on individual privacy we must undertake a Privacy Impact Assessment (a risk assessment) that may be need to be reviewed and agreed by Information Commission before it can be implemented.

Do you store my bank account or payment card details?

Where, for example, you set up a direct debit to pay your council tax your account information is held securely and is not shared with anyone other than your bank through the banking payment system.

Where you pay for a service by payment card, your card details are only used for the specific payment that you authorise. Full details are not recorded which is compliant with the Payment Card Industry Data Security Standard (version 3.2), which is subject to an independent audit process.

Do you store my identification documents?

For some services, where we require proof of identity to provide a service, we retain a copy of your documents because we are required to prove that we have completed the identity check. This personal information will be held securely at all times and not shared, except where we are required by law to disclose, in order to detect or prevent crime, or to prevent harm to an individual.

Do you store my emails?

If you email us we may keep a record of your contact and your email address and the email for our record keeping of the transaction. For security reasons, we will not include any confidential information about you in any email we send to you, unless you consent to this.

We suggest that you keep the amount of confidential information you send to us via email to a minimum and use our secure online forms and services whenever possible.

Information recorded by the Council website

If you are a user with general public access, the warwick.gov.uk website does not store or capture personal information, but merely logs a number called your IP address which is provided via your browser recorded and recognised on our system. The system will record personal information if you:

• subscribe to or apply for services that require personal information,
• contact us and leave your details for us to respond.

We use web services called Google Analytics and Crazy Egg to collect information about how people use this site. We do this to make sure it is meeting peoples’ needs and to understand how we can make the website work better. Google Analytics stores information about what pages on this site are visited, how long users are on the site, how they got here and what users click on while they visit. Crazy Egg monitors activity on specific pages, such as how often a link is clicked or how far down a page people scroll. See the Crazy Egg privacy policy. 

We do not collect or store any other personal information (e.g. your name or address) so this data cannot be used to identify who you are.

We employ cookie technology to help log visitors to our website. A cookie is a string of information that is sent by a web site and stored on your hard drive or temporarily in your computer’s memory. The information collected is used for the administration of the server and to improve the service provided by the web site. No personal information is collected this way. You can reject the use of cookies but you may be asked for information again next time you visit. This statement only covers the council website and does not cover other websites linked from our site. Please see our cookies policy.

We provide live chat on our website, this is provided by a 3rd party Click4Assistance. You can view the live chat software privacy policy.

Monitoring and CCTV

Monitoring

In limited situations we may monitor and record electronic transactions (website, email and telephone conversations). This will only be used to prevent or detect a crime, or investigate or detect the unauthorised use of the telecommunications system and only as permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

CCTV

The Council CCTV scheme is comprised of cameras located in open spaces and internal locations within the District to promote public confidence by developing a safe and secure environment for the benefit of those employed, visiting or using the facilities provided. Signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information about the scheme. The Council is committed to the recommendations contained in the Information Commissioners CCTV Code of Practice and is BS7958 “Code of Practice for the Management and Operation of CCTV Systems” certified.

Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated.

You have the right to see CCTV images of yourself and be provided with a copy of the images.

We will only disclose images and audio to other authorised bodies who intend to use it for the purposes stated above.  Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing.

We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.

Will my personal information ever be published on the web?

With only one exception, no personal information, including digital images where you can be identified will appear on a council website or council controlled social media platform without your explicit consent, which you can withdraw at any time and the information will be removed.

The exception to this is that some Council meetings are video recorded, and placed on warwickdc.gov.uk via our youtube account, this is to give wider access and to demonstrate transparency in the conduct of Council business and considered to be in the public interest. If you attend a Council meeting that is being video recorded, your image could be identifiable in the video on the Council website.

Where can I get advice or complain about the use of my personal data?

If you have any worries or questions about how your personal information is handled please contact our Data Protection Officer at DPO@warwickdc.gov.uk or by calling 01926 456114.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner at:

Information Commissioner's Office

Wycliffe House 
Water Lane 
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Alternatively, visit ico.org.uk or email casework@ico.org.uk. 

Further Information

The following links provide further detail:

• How to access the information that the Council holds about you
• Warwick District Council Data Protection and Privacy Policy
• Requesting information under the Freedom of Information Act