Privacy policy

Personal data is information about a living person that means we can work out who they are, such as their name, address, telephone number, date of birth, bank details and so on. This can include written letters or emails, photographs, and audio and video recordings. 

Some data is called special category data. This includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, and biometric such as fingerprints and facial recognition, and genetic data such as DNA.

We're required to process personal data lawfully and our Data Protection Policy sets out our commitment as to how we'll comply with the Data Protection Act 2018.

As a local authority, we have a lawful basis for gathering and processing information where necessary for the delivery of services;

• to ensure that we undertake our statutory functions and public tasks when required to do so by law, including those relating to diversity and equalities
• to safeguard public safety; and
• where there is a risk of harm or in an emergency situations

Where we need your consent we'll ask for it. 

For some services, we need to use your personal data to get in touch with you and deliver services. For example, we use your data to:

• provide our services and anything we must do by law
• undertake our regulatory, licensing and enforcement roles, which we have to do by law
• make payments, grants and benefits
• spot fraud
• listen to your ideas about our services
• tell you about our service
• use data matching to help us identify people who need additional support or if a potential incident affects us. This may require us to share information with partner organisations to respond to the incident, for example emergency resilience

If personal data is subject to an automatic decision making process (by a computer) then we'll inform you of this in our individual service privacy notices. 

To ensure that your personal information is reliable, accurate and up to date, it's expected when providing information that you:

• provide us with accurate information
• inform us as soon as possible if there's any changes to your personal information

We have a responsibility to keep your information safe and secure and we respect your privacy. All of our employees are required to undertake annual data protection and information security training to ensure that personal data is processed in accordance with the data protection principles.

We'll not disclose personal information to third parties for marketing purposes without your consent or use your personal data in a way that may cause damage or harm to you.

Information is processed by the council in the UK or in the EU.  However, we'll inform you within our Services Privacy Notices of any instances where this may not be the case.

We'll not keep your information for any longer than it is needed, and will dispose of both paper and electronic records in a secure way. The length of time we need to keep information will depend on the purpose for which it is collected and other factors such as:

• your personal data rights
• where a record including your information forms evidence gathered as part of an investigation
• where a record including your information is selected for permanent preservation
• if we are required to keep it by law. 

You can find out how long we keep information and data within our Retention Schedule. Read our Business Classification Scheme and Retention Schedule (PDF) [2MB] (opens new window) .

To provide you with efficient services, we'll sometimes share your personal information between teams within the Council, and with external partners and agencies involved in delivering services on our behalf.

Within the council we may share your information between our services:

• so that the information held about you is up to date
• to allow us to improve our services to you
• for statistical analysis for performance and management insight to help improve our services

We may also provide personal information to third parties, but only where it is necessary, either to comply with the law or where permitted under data protection legislation.  

Examples of organisations who we may share your information with include

• DWP
• HMRC
• NHS Greater Glasgow & Clyde
• Police Scotland
• Voluntary organisations and care providers. 

Our service specific privacy notices set out the recipients or organisations involved in providing services on our behalf, or with whom we share personal information. 

We'll only share your information with partners or suppliers who have sufficient measures and procedures in place to protect your information and can meet their legal obligations under data protection legislation. These requirements will be set out in contracts or information sharing agreements.

We'll not share your information for marketing purposes, unless you have specifically given us with permission to do so.

We're required by law to protect the public funds we administer and there are circumstances under which we're legally required to disclose information. These purposes are:

• performing statutory enforcement notices
• disclosures required by law
• detecting/preventing crime and/or fraud
• auditing and/or administering public funds

We may share information provided to bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. Organisations include:

• The Cabinet Office
• DWP
• other local authorities
• HMRC
• Audit Scotland
• the Police

You can find out more details about how our services use your personal data within their separate privacy notices. View our privacy notices web page 

You have certain rights over your personal data. Some of these rights are only available in certain circumstances and are usually dependant on the legal basis upon which we hold your data. You'll find further information about how our various services use your personal data within our service privacy notices, including the legal basis for doing so. Your information rights are:

To be informed about how we collect and use your personal information

• Privacy notices such as this set out how we collect and use your personal details

To request information we hold about you

• This is known as a subject access request and is free of charge. We must respond within one month, although this can be extended to three months if the information is complex. Consult our data protection page for details of how to submit a request for your personal data.

To rectification

• You're entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we'll tell you why and let you know about your right of complaint to the UK Information Commissioner.

To erasure

• You have the right to ask us to delete your information or stop using it.  It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information.  If we decide to take no action, we'll tell you why and let you know about your right of complaint to the UK Information Commissioner.

To restrict processing

• You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. If we decide to lift a restriction on processing we must tell you.

To data portability

• If we're processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it.  This right does not apply if we process your personal data as part of our public task.

To object

• You can object to your information being used for profiling, direct marketing or research purposes.

To automated decision making and profiling

• This is to reduce the risk that a potentially damaging decision is taken without human intervention

The Council must appoint a Data Protection Officer to make sure it is complying with data protection legislation.
 

Data Protection Incidents

If you're concerned about what we do with your data, or think something has gone wrong, for example if you have received correspondence from the Council which is not addressed to you can contact the Council's Data Protection Officer to report a data protection incident.  
 

Complaints

If you wish to make a complaint or comment about how we have processed your personal information, you can do so by contacting the Council's Data Protection Officer. 

If you are still unhappy with how the council have handled your complaint, you may contact the UK Information Commissioner's Office

In writing:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone:

03031 231113

or find out more on the Information Commissioner's Office website 

Where we provide links to other websites, we're not responsible for the content as these are provided purely as a courtesy.

We accept no liability in respect of the content nor the availability of the linked websites. You should read their privacy notices to learn how they deal with your information.

Cookies are pieces of data that are often created when you visit a website. More information about why we use cookies can be found in our Cookie policy.