Artificial Intelligence - privacy notice
What is the purpose of this privacy notice?
Derby City Council is utilising Artificial Intelligence (AI) technologies to help protect and further develop our services for citizens, so we can continue to deliver them well and efficiently, in the face of increasing financial pressures.
We remain committed to treating your information securely in line with data protection law, particularly so where we are utilising new technology. This privacy statement is designed to explain why we collect information about you, how we intend to use that information and whether we will share this information with anyone else.
Implementing new and fast developing technology requires using a staged approach which is inherently iterative in nature. This means that the considerations in this privacy notice may be subject to change i.e. why information is processed, how it is intended to be used, and who it will be shared with, may not be known yet or may change as the project evolves. Therefore, this privacy notice will be kept under review accordingly to ensure that it is up to date and accurate.
Please note: The processing of the data will occur in the Council’s private cloud and the Microsoft cloud (to which the Council subscribes).
Who we are
Derby City Council is the local government unitary authority for Derby city. Our address is the Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.
We are using a third party service provider, ICS.AI, to assist us with developing and implementing new technologies. Their privacy notice can be found on their website at ICS.AIOpens in new tab. ICS.AI are subject to strict confidentiality obligations and the handling of Council data happens within Council systems.
How do we collect information from you?
We are integrating artificial technology into existing services the Council provides. More information about the services we provide, and how we use information in the course of delivering them, can be found in our privacy notices.
Most of the information we collect comes directly from you, such as when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including our chatbot or myAccountOpens in new tab; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.
Some information is generated by us in the course of providing services to you. Some information we collect comes from third parties, such as:
- Derby Homes and other partners;
- Other Local Authorities and the East Midlands Combined Authority;
- Third parties delivering services on our behalf and those assisting with the maintenance of systems and services;
- Legal Advisors
- Consultants
- Charities
- Other Statutory Organisations including but not limited to Department of Work and Pensions, HM Revenues & Customs, HM Courts & Tribunals Service, Department of Education, Ministry of Housing, Communities & Local Government, and other agencies as are appropriate;
- NHS bodies, GP surgeries, NHS healthcare Professionals and other Health Support Organisations;
- Employers, landlords, tenants, and agents;
- Educational Institutions including schools, local colleges and Universities;
- Credit reference agencies, banks and other financial institutions, such as for credit checks, debt recovery purposes and fraud investigations;
- The police, in relation to criminal activity;
- Other residents and members of the public, for instance if they were to make a complaint about you
What types of information do we collect from you?
We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be:
- Personal details, such as your name, date of birth, gender, marital status, national insurance number and place of birth;
- Contact details, such as your address, telephone number and email address;
- Confirmation of your identity, such as a copy of your passport or driving licence;
- Information about your family and others, such as dependants, your family and other people living with you;
- Financial and transaction information, such as your bank account details, payments made to us, DWP Number, money owed to us, benefits information and information about your financial circumstances;
- Employment status, including information about any changes to your employment status;
- Information about your needs, such as whether you have a carer or social worker or whether you need documents translated or in large print;
- Other special category data - sexual orientation, ethnicity, hazards information (for instance, violence, drug use), social history and social circumstances
- Your contact with us, such as when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccountOpens in new tab; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.
Some of the information we collect about you is particularly sensitive and we take extra care to keep this type of information safe and secure. The types of sensitive information we may collect about you includes:
- information about your health and social circumstances, such as any medical conditions, disabilities or special requirements you may have, drugs/substance misuse, child abuse and domestic violence;
- information about your race, ethnicity, religion or sexual orientation (diversity data), to help us to understand the composition of Derby citizens so that we can ensure fairness and equality in the services we provide;
- information about criminal convictions and offences, such as in relation to reports of anti-social behaviour or in relation to information sharing with the police.
What is the lawful basis?
The lawful basis for processing personal information using AI will vary depending on the nature and scope of that particular workstream. These lawful bases are likely to include, but are not limited to the following UK General Data Protection Regulations (UK GDPR) provisions:
- Art 6(1)(b) Contracts: where the processing is linked to contracts with the data subject
- Art 6(1)(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Art 6(1)(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Art 6 (1) (f) Legitimate interests processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Subject to a balancing assessment taking into individuals fundamental rights.
We rely on the following conditions as per Article 9 (2) of the UK GDPR when processing special category information using AI:
- Art 9(2)(b) Employment: where the processing is linked to employment and social security (read with Schedule 1 paragraph 1 of the Data Protection Act 2018).
- Art 9(2)(f) Legal claim or judicial acts: processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.
- Art 9(2)(g) Substantial Public Interest: Processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Art 9(2)(h) Social Care: processing is necessary for social care purposes, including the management of such services and systems (read with Schedule 1 paragraph 2 of the Data Protection Act 2018).
Why will we use your information?
We will use your information as part of the services the Council already provides, but use new technologies as part of the delivery.
We may use information about you in two main ways:
- Helping our AI systems learn and making sure they work appropriately (development and testing); and
- Once the systems are ‘live’ as part of integrated new technologies in our day to day work (operational use of data).
Development and testing
We are developing and introducing AI solutions within the Council that will ultimately benefit the functioning of the Council and improve the services the Council can provide to individuals in Derby. Processing your information is necessary to develop and successfully implement these AI solutions, including testing them to make sure they work appropriately. By introducing these technologies, individuals will find it easier to contact the Council and have any questions/concerns dealt with more quickly. Where we can make our services more efficient, we can reinvest savings in other services delivered by the Council. There are also a number of other benefits that will be derived from the delivery of the programme, including indirect benefits for Derby’s citizens in terms of the Council and staff being able to respond better and more quickly to people’s needs and questions. Other indirect benefits include:
- Automated Processes: AI can automate routine and repetitive tasks, allowing Council employees to focus on more complex and strategic activities, and undertaking more regular review and analysis than human capacity allows for.
- Enhanced Decision-Making: AI can analyse large datasets quickly and provide valuable insights - this can empower decision-makers and citizens with accurate and timely information, leading to more informed and effective decision-making.
- Streamlined Operations: AI can optimise workflows and streamline operations by identifying bottlenecks and inefficiencies.
- Risk Mitigation: AI can predict potential issues or risks, allowing the Council to take proactive measures to mitigate them - this can enhance resilience and reduce the likelihood of unexpected disruptions.
- Skill Enhancement: Implementing AI often requires upskilling the workforce.
- Innovation and Adaptability: Introducing AI should encourage a culture of innovation within the Council - employees are more likely to explore creative solutions and embrace change, fostering adaptability.
Operational use of data
Once the AI solutions are implemented, personal data will be processed inherently in the solutions which are integrated into the Council’s existing operations. This allows the customer to self-serve this processing. Here, personal data is already being processed by the Council, and there may already be some pre-existing degree of automation. For instance, we are planning to use AI to help sort, store, prioritise and respond to emails received from members of the public, within current electronic storage systems (the mail servers and inboxes). This is processing data which the Council already holds and uses, using existing electronic systems and technology. What is different under these proposals is that the AI will help provide a ‘first line’ response or additional insight by analysing communication or other personal data relating to members of the public, and the degree of sophistication in automation is higher.
How is your information used?
We may use your information to:
- Train, develop and test AI tools to improve the quality and efficiency of the services provided to you.
- Provide our services to you using AI tools where appropriate, including as part of adult social care services, childrens’ services, and wider council services (including revenue and benefits services and facilities management etc.).
- Communicate with you, including providing automated responses to any requests you make.
- Manage debt by providing a single, consolidated view and analytics of debt across the Council, and pursuing any debts/arrears owed to us.
- Improve internal Council processes and increase efficiencies of administrative tasks which are necessary for the day to day functioning of our organisation, such as the training of our employees and the auditing of systems and processes.
- For internal research and analysis purposes to help improve our services, for the benefit of you and others.
Please note: The processing of the data will occur in the Council’s private cloud and the Microsoft cloud (to which the Council subscribes).
Research and statistics
Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.
Who has access to your information?
For the technology to work, we may need to share your information with our contractors. This includes our prime-contractor ICS.AI, and ICS.AI’s sub-processors (listed in full below). This list includes all sub-processors that have been engaged in the life cycle of the project and may include sub-processors who are no longer engaged in processing.
|
Processor company details, including name, trading name (if different), company number and address |
Service processor will be providing |
Form of engagement with processor, including title and date of sub-contract |
|---|---|---|
|
ICS.AI Ltd |
AI Development Services |
Call-Off Contract for the G-Cloud 13 Framework Agreement (RM1557.13) 15/02/2024 |
|
datatechfactory GmbH & Co. KG
|
Value Re-seller for AudioCodes |
Service Contract 29/01/2024 |
|
AudioCodes |
Cloud-based audio processing and transcription services |
Service Contract 29/01/2024 |
|
Access Independent |
Occupational Therapy Assessment & Review services |
Service Contract 14/02/2024 |
|
Kalabo |
AI Development Services |
Sub-Contractor Agreement 03/11/2023 |
|
PGL Solutions UK |
AI Development Services |
Sub-Contractor Agreement 13/12/2022 |
|
Fast Data Science |
Data Services |
Sub-Contractor Agreement 09/01/2024 |
|
Scott Associates |
Application & Integration Services |
Sub-Contractor Agreement 05/09/2023 |
|
Dwayne Johnson Consultancy |
Business Consultancy |
Sub-Contractor Agreement 28/09/2023 |
|
Facilitate Consultancy |
Business Consultancy, Application & Integration Services and Quality Assurance (Adult Social Care) |
Sub-Contractor Agreement 14/05/2024 |
|
WorkWell Solutions |
Business Consultancy and Quality Assurance (Adult Social Care) |
Sub-Contractor Agreement 15/05/2024 |
|
HC Brooks |
Business Consultancy (Children's Services) |
Sub-Contractor Agreement 09/05/2024 |
|
DataFrame Solutions |
Business Consultancy, Data Architecture & Modelling, Data Analytics & Business Intelligence |
Sub-Contractor Agreement 10/05/2024 |
|
Liquid Personnel Limited |
Occupational Therapy Assessment & Review services and Financial Assessments |
Service Contract 17/05/2024 |
|
SDeane |
Occupational Therapy Assessment & Review Management Services |
Sub-Contractor Agreement 13/05/2024 |
|
The OT Service |
Strategy & QA for Reviews as OTs |
Sub-Contractor Agreement 23/09/2024 |
|
L Knights |
Strategy & QA for Reviews as Social Workers |
Sub-Contractor Agreement 25/09/2024 |
|
PW McKay |
Business Consultancy |
Sub-Contractor Agreement 19/06/2023 |
ICS.AI will be helping to develop and implement the models. All processing of data will take place on the Council’s own IT systems or ‘cloud services’ allocated exclusively to the Council. ICS.AI do not have copies of or use the Council’s data in their own environment. The Council has entered into a contract and information processing agreement with ICS.AI. The IPAs have been subject to legal review and meet or exceed the legal requirements set out in Article 28 UK GDPR.
ICS.AI have subcontractors working to develop the AI solutions – they are integrated subcontractors working within ICS.AI’s own environment and on the Council’s own systems. They all carry out annual cyber and GDPR training via ICS.AI. The contract and information processing agreements with ICS.AI require sub-processors to be appointed on substantially similar terms to the agreement between the Council and ICS.AI.
Other individuals who may be shared your information depend on the type of service being provided and would be in line with current processes. Refer to the specific privacy policy in relation to such service for more information.
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
International Data Transfers
We and our core IT systems are located within the UK and we do not routinely transfer or store your data outside of the UK. However, many IT systems are now hosted ‘in the cloud’ by system suppliers, which means that the data is occasionally transferred / held outside the UK. Where we use IT providers based outside the UK, we will make sure that there are appropriate safeguards in place to protect the data.
The table below provides examples of international transfers of personal information related to the implementation of AI and the safeguards which are in place.
| Sub-processor transferring data internationally | Location of international data transfer | Mechanism in place to protect Shared Personal Data, e.g. Adequacy Regulation, IDTA |
|---|---|---|
| Microsoft Azure (AI Bot Service) | Western Europe | Adequacy Regulation |
| Microsoft Azure (Failover) | Sweden | Adequacy Regulation |
| Microsoft Azure (Bing Search API) | Global (unable to specify where service is based) | IDTA |
| Datatech Factory GmbH & Co (AudioCodes) | Germany/Netherlands | Adequacy Regulation |
Do we use automated decision making (profiling)?
Yes, the AI will perform small scale automated decision making. The majority of our decision making is subject to human oversight, as we integrate ‘human in the loop’ into our processes.
For more complex projects or applications, our AI solutions will analyse information to allow an appropriate Council expert to make a decision and this will require some level of ‘triage’. ‘Triage’ means that automated decisions will be made as to what to escalate to staff members.
For lower risk projects automated decision-making will be made around triage and also general ‘quick task’ decisions such as answering questions or categorising data. We will make it clear where we are using automatic decisions.
Because of the variety and complexity of technology used, it is not possible to summarise here the ‘logic’ used within the models. You can ask us for more information about this if you are interested. If you are unhappy about any decision we have taken using automated processes, you can ask for a real person to look again at the decision.
What are your rights in relation the personal data we process?
Under certain circumstances, by law you have the right to:
- Access – request copies of any of your personal information that is held by the Council.
- Rectification – ask us to correct any incorrect information.
- Deletion – ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
- Portability – ask us to transfer your personal data to different services or to you.
- Right to object or restrict processing – object to how your data is being used and how it is going to be used in the future.
- Right to prevent automatic decisions – challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.
National Data Opt Out
We are one of many organisations working within health and social care to improve health and wellbeing for patients as well as the public. Information collected from you when you use our services may be stored and shared with services or partner organisations for purposes other than your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
This may only take place when there is a clear legal basis to use this information. Confidential information about your health and care will only be used in limited circumstances where it is not possible to use anonymised data.
You have a choice about whether you want your confidential information to be used in this way. If you are happy for your information to be used in this way you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
For more information or to register your choice to opt out please visit https://www.nhs.uk/your-nhs-data-matters/. You can choose to opt in at any time.
Please be aware that the National Data Opt Out does not apply to information used for marketing purposes, your data would only be used in this way with your specific agreement.
All Health and Social Care organisations should have systems and process in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
Our organisation is compliant with the national opt out policy.
How long will we keep your information for?
We will only retain your personal information for as long as necessary to fulfil the purposes for which we have collected it or to fulfil another lawful purpose (as described above). Designated retention periods are set out in our record retention schedule.
When we no longer have a lawful purpose for holding your data, we will securely destroy your personal information.
What security precautions are in place to protect the loss, misuse or alteration of your information?
We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us.
However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.
Keeping your data up to date
We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.
Under 13
If you are accessing online services and are under the age of 13‚ please ask for your parent or guardian's permission beforehand whenever you provide us with personal information
Cookies
Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.
IP addresses
Internet Protocol (IP) addresses are collected when our site is used:
- for statistical or analytical purposes
- to identify any malicious activity.
More information can found on our cookies page.
Complaints
If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer:
- By post: Information Governance, Council House, Corporation Street, Derby, DE1 2FS
- By phone: 01332 640763
- By email: data.protection@derby.gov.uk
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):
- By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Alternatively, visit ico.org.uk or email casework@ico.org.uk.