Last amended: 21 October 2019
- What personal information we obtain
- How we collect information about you
- Why we collect information about you
- How we use information about you
- International transfers
- Information sharing
- Communication with the council
- Profiling and automated decision making
- How long will your information be held?
- How we protect your information
- Your rights
- Links to third-party websites
- Contact information
- Service specific privacy notices
This privacy notice provides you with information about what we do with your personal data (information that is about you and identifies you).
We are accountable
The council is registered (Z581464X) with the Information Commissioner’s Office (ICO) as a Data Controller. We are committed to processing personal data in accordance with the General Data Protection Regulation (GDPR) principles, which ensure the safe processing of personal data. We are a public authority and have a nominated Data Protection Officer, whose details you can find below in our contact information section.
What personal information we obtain
Our ICO registration entry describes in general terms the purposes, the categories of personal data and the categories of the recipient. You can view our entry details on the ICO website - see entry Z581464X This entry applies to all council staff and members of the public. You can see service specific information in the sections below.
How we collect information about you
We collect your personal data in the following ways:
when you sign up for a service - when you sign up we collect certain personal data so you can use the service such as your email address, birth date, gender
personal data collected that enables us to provide you with additional features/functionality - from time to time, you also may provide us with additional personal data or give us your permission to collect additional personal data, for example to provide you with more features or functionality
from third parties - we will receive personal data about you and your activity from third parties, including partners we work with in order to provide you with a service.
We use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, creating marketing and promotion models, improving services, and developing new features and functions.
Why we collect information about you
We may not be able to provide you with a product or service unless we have enough information, or your permission to use that information. Some of the services we offer, that we cannot complete without your information, are below:
- deliver public services
- confirm your identity to provide services
- contact you in your preferred method of contact
- understand your needs in order to advise you on the correct service and then provide that service
- obtain your opinion about our service
- update your customer record
- help us understand how we are performing at delivering services and if we provide what our residents need
- process financial transactions
- prevent and detect fraud in the use of public funds
- allow us to undertake statutory functions efficiently
- enable us to meet our statutory obligations including those related to diversity and equalities.
How we use information about you
We will use the information you have provided in accordance with Data Protection legislation. We will not keep it for longer than is necessary. In some instances the law sets the length of time information has to be kept. We will strive to keep your information up-to-date and accurate. We will always make sure you understand why we need the information. We will not collect irrelevant information.
In general, we process your information for the following reasons:
- for the service you have requested, to monitor and improve our performance in responding to your request
- to allow us to communicate effectively with you and provide services appropriate to your needs
- to ensure we meet our legal obligations
- to adhere with our law enforcement functions
- to prevent or detect fraud or crime
- to process financial transactions
- to collect monies owed to us
- to protect individuals from harm or serious injury, where required
- to analyse data in order to better our services.
We will not pass any personal data on to third parties, other than:
- those who process information on our behalf (our suppliers sometimes need access to information to deliver services for us)
- because of a legal requirement (such as needing to send certain information on benefits to the Department for Work and Pensions)
- organisations that we engage with in joint working such as other councils and NHS bodies.
We will only do so, where possible, after we have ensured that sufficient steps have been taken to protect the personal data by the recipient.
The General Data Protection Regulation (GDPR) imposes restrictions on the transfer of personal data outside the European Union, to third-party countries or international organisations, to ensure that the level of protection of individuals afforded by the GDPR is not undermined. As with much of the GDPR, this strengthens and codifies the UK’s existing Data Protection legislation. The GDPR limits an organisation’s ability to transfer personal data outside the EU where this is based only on that body’s assessment of the adequacy of the protection afforded to the personal data. Ideally, transfers may be made where the European authorities have decided that a third country, a territory in that third country or an international organisation ensures adequate safeguards for the protection of data.
We may share your personal data within the council, with other public authorities or government agencies in order to provide services to you and to prevent and detect fraud. You can find out more about who we share with in the service specific privacy notices below.
The council is a signatory to the Cambridgeshire Information Sharing Framework, which sets high standards for secure and safe practices in information sharing within the county and beyond.
Information will not be sold, or provided to anyone else, or used for any purpose that is not related to any of the council's statutory functions, unless you have been advised that we will do so or it is required by law. Where we need to disclose sensitive or confidential information such as medical details to other partners, we will do so only with your prior explicit consent or where we are legally required to.
Communication with the council
When you call our main contact centre (01480 388388) we record our calls for security and training purposes and keep them for 12 months. However, we do not record telephone payment transactions or if the call is passed onto another member of staff who works outside of the contact centre.
Using our website
All of our eforms have links to this Privacy Notice or a service-specific notice, before you submit any personal information. We recommend that you read the Privacy Notice before filling in the form. Details of your rights will be in the Privacy Notice in the form.
We have installed CCTV systems in and around some of our premises across the district used by members of the public, and staff and also at various street locations that are listed on the council's CCTV webpage.
This is for the various permitted purposes of public and staff safety and crime prevention and detection and building security and assistance with carrying out our statutory and public duties. We also have some cameras mounted on vehicles to improve the safety of our staff and assist with health and safety and accident and other investigations.
In all locations, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information about the various CCTV systems in operation.
Images captured by CCTV will not be kept for longer than necessary and destroyed. However, on occasions there may be a need to retain images for longer, for example where an investigation is being carried out or data is requested by authorised agencies or organisations such as the police.
You have the right to see personal CCTV images of yourself only, and be provided with a copy of your image. If you require data other than your own image such as for a vehicle accident then please refer to the council’s CCTV webpage for advice as only permitted organisations are allowed unredacted data, such as insurance companies, solicitors and police acting on your behalf. Further advice can also be found on the ICO or Camera Surveillance websites.
Profiling and automated decision making
Automated decision making
We do not make automated decisions generally, with two major exceptions:
- some benefits are automatically calculated using the information that you have provided and
- some housing allocation is on a points-based system, which is automated to ensure that it is fair.
Where we are doing this we will inform you. You have the right to object to any decision made by solely automated means. You can ask for human intervention on any decision, to express the council's point of view and to obtain an explanation of the council's decision. You also have the right to challenge the decision.
Detect and prevent fraud or crime
We are required by law to protect the public funds we administer. We may use any of the information you provide to us for the prevention and detection of fraud. We may also share this information with other bodies responsible for auditing, administering public funds, or where undertaking a public function, in order to prevent and detect fraud. This includes the Cabinet Office’s National Fraud Initiative, the Department for Work and Pensions, other local authorities, Her Majesty’s Revenue and Customs, and the police.
Section 68 of the Serious Crime Act 2007 enables public authorities to disclose information for the purposes of preventing fraud.
How long will your information be held
We will not keep your information any longer than needed to provide the services you require. We may keep your data longer if we need to retain it for legal, regulatory or best practice reasons. The Retention Schedule sets out details of how long we keep data.
How we protect your information
The information you provide will be subject to thorough measures and procedures to make sure it can’t be seen, accessed or disclosed to anyone who shouldn’t be allowed to see it.
We have a comprehensive set of information and security policies. These define our commitments and responsibilities to your privacy and cover a range of information and technology security areas. We provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after your personal information properly.
In terms of payments we use a PCIDSS compliant provider for secure electronic payment systems. All transactions carried out via our payment providers website are protected by Secure Socket Layer (SSL) technology. This is to ensure that any information you provide, when transmitted over the internet, is encrypted and secure.
We have procedures and policies in place to ensure we do our best to protect your personal data. This includes reporting of near miss events so that we continually improve procedures.
If a breach is likely to result in high risk to rights and freedoms of individuals the council has a lawful duty to inform them without undue delay. And we are legally obligated to notify the ICO within 72 hours.
We will carry out Data Protection Impact Assessments for uses of personal data that are likely to result in high risk to individuals’ interests. We’ll carry out a screening checklist at the outset of a project (small or large) so that where there are potentially significant risks to individuals privacy this will be appropriately assessed and measures to mitigate the risk if applicable, will be actioned.
The General Data Protection Regulation gives certain rights to individuals in relation to their personal data. As available and except as limited under applicable law, the rights afforded to individuals are:
Right of access (subject access)
You have the right to ask the council what personal information we are processing about you and obtain:
- a copy of the personal data
- the purposes for which the data is being processed
- categories of data being processed
- who it is shared with
- how long the council will keep the data
- source of the data (where it is not the data subject)
- their right to rectification, restriction or erasure
- their right to lodge a complaint with the ICO.
Right of rectification
You have the right to have inaccurate personal data rectified without undue delay. Incomplete data should also be completed. The decision over the accuracy of the data lies with the council. This right does not exempt the council from the principle of data accuracy.
Right to erasure (right to be forgotten)
Under certain circumstances you can ask for your data to be erased. The council must comply with this request if:
- the data is no longer necessary
- it is being processed on the condition of consent and this consent is withdrawn
- the subject objects to direct marketing using that data
- the grounds for processing are unlawful
- there is a legal obligation to erase the data
- the data concerned a child and it was processed online on the basis of parental consent.
The council does not have to comply if processing is necessary for:
- exercising freedom of expression
- a legal obligation, lawful authority, a public task, or in the public interest
- in the public interest in protecting public health
- archiving in public interest or scientific or historical research
- establishing, exercising or defending legal claims.
You will be notified of outcome of the request without undue delay and no later than a month after a request has been made.
Right to restriction of processing
You can request restriction of the processing of your information in a number of circumstances:
- when its accuracy is contested and the authority is considering their position
- when you are using your right to object to processing (see below) and the authority is considering the balance of their grounds for processing against those of yours
- when the processing is unlawful but you don’t want it to be erased (e.g. if you are pursuing a complaint)
- you need the data to establish, exercise or defend legal claims (even if the Council no longer needs to process the data).
When processing is restricted the council is allowed to store the personal data, but not to process it further. The data the council hold on its systems should at least be marked as unavailable, but other measures will be considered such as a restriction of access by staff
If the personal data in question is disclosed to third parties, the council will inform you about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
Right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. You can request only the data you have supplied to a controller (under either ‘Consent’ or ‘Contract’ lawful conditions only) to be provided in a ‘structured, commonly used and machine readable format (for example CSV). You can request that this information is supplied directly to another data controller on your behalf.
The council will ensure the data is transmitted securely.
Right to object
You have the right to object to the use of your data if it is processed for
- legitimate interests or the performance of a task in the public interest
- direct marketing (including profiling)
- processing for purposes of scientific/historical research and statistics.
The data must be restricted whilst the authority is considering the balance of their grounds for processing against yours.
Right to object to automated decision making
You have the right to object to any decision made by solely automated means. You can ask for human intervention on any decision, to express the council's point of view and to obtain an explanation of the council's decision. You also have the right to challenge the decision.
Where possible we will seek to comply with your request but we may be required to hold, retain or process information to comply with a legal obligation or as a public task.
Services are not directed to children under the age of 13.
We do not knowingly collect data from children under 13 years of age or under the applicable age limit (the "Age Limit"). If you are are under the Age Limit please do not use our services and do not provide any personal data to us. If you are a parent of a child under the Age Limit and become aware that your child has provided personal data, please contact us. If we learn that we have collected the personal data of a child under 13 years of age we will take reasonable steps to delete the personal data.
Links to third-party websites
We may display advertisements from third parties and other content that links to third-party websites. We cannot control or be held responsible for third parties’ privacy practices and content. If you click on a third-party advertisement or link, please understand that you are leaving Huntingdonshire District Council’s website and any personal data you provide will not be covered by this Privacy Notice. Please read their Privacy Notice to find out how they collect and process your personal data.
We may occasionally make changes to the Policy or when significant changes occur in related legislation or in council strategy. When this happens we will place an updated version on this page and the date the page has been amended will be visible at the top of this page.
If you have any concerns or comments regarding your personal data please use our secure online contact us form.
You have the right to complain to the supervisory authority, – the Information Commissioner’s Office (ICO), contact details for which are at www.ico.org.uk.