Income Management - privacy notice

Who we are

Derby City Council is the local government unitary authority for Derby city. Our address is the Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.

The Income Management Team is based at The Council House. You can contact the team by email at payment.help@derby.gov.uk

How do we collect information from you?

We collect information from you when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccount or use the online payments systems; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.

Payment information in respect of statutory payments (e.g., Council Tax and non-domestic rates)  and other services you request from us will be collected. This information could be collected using any of the following methods:

• From the Derby City Council online payments system
• Over the telephone using the Automated telephone line or by speaking to a Council employee
• Face to face using a chip and pin at one of our Council buildings
• Using our self-service payment machines located in the Council House reception
• At a PayPoint outlet
• Via a cheque sent in the post
• BACs payment into a Derby City Council Bank account

What types of information do we collect from you?

We collect information from you when you visit www.derby.gov.uk; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face.

We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be personal information (for example your name and address), or other more sensitive data that we would only collect and use in very particular circumstances that are set out in law.

Details of information obtained from third parties?

We collect data from the following sources:

• Derby Homes
• Other Local Authorities
• Department for Work and Pensions, HM Revenues & Customs, HM Courts & Tribunals Service, Department of Education, Ministry of Housing, Communities & Local Government, organisations, and agencies as are appropriate
• Employers
• Landlords, agents, and appointees
• Schools
• Debt collection agency / Insolvency service

The data that we obtain from the above sources is usually not publicly available, but we will also obtain and use publicly available data sources wherever it is appropriate to do so for the processing of your data as allowed by law, including for the detection, prevention and prosecution of fraud.

What is the Lawful Basis?

The legal basis for data processing we are relying on comes from Article 6 of the UK General Data Protection Regulations (UK GDPR).

There will be different legal bases for the processing of data, determined by why services require customers to make payments.  The following are likely to be the most common bases used, but the list is not exhaustive.

In so far as customers are paying for goods / services obtained as a result of entering into a contract with the Council - Article 6 (1)(b) of the UK GDPR 2021 provides that processing is lawful where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

In so far as customers are paying for goods / services that the Council is legally obliged to provide - Article 6 (1)(c) of the UK GDPR 2021 provides that processing is lawful where it is necessary for compliance with a legal obligation to which the Controller is subject.

Otherwise, Article 6 (1)(e) of the UK GDPR 2021 provides that processing is lawful where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

For further information you should check the privacy notice for the service involved with the payment that you are making at Privacy notices - Derby City Council.

If we have asked for your consent to do the processing, you will be able to opt out any time by emailing payment.help@derby.gov.uk

We process all information in accordance with our legal obligations and public tasks arising from the following provisions:

• UK General Data Protection Regulations
• Data Protection Act 2018
• The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)

Numerous services seek payment for services provided / statutory-based charges and these are covered by a wealth of legislation, including the following:

• Local Government Acts 1972; 1998; 2000; 2003
• Audit Commission Act 1988
• Accounts and Audit Regulations 2011
• Localism Act 2011
• The Debt Respite Scheme (Breathing Space Moratorium and Mental Health Crisis Moratorium) Regulations 2020
• Late payment of Commercial Debts (Interest) Act 1998

This list is not exhaustive.

For further information you should check the privacy notice for the service involved with the payment that you are making at Privacy notices - Derby City Council

How is your information used?

Depending on the services you have requested or need, we may use your information for the following purposes:

• Process a payment from you or on your behalf
• Authorise payments through third parties who handle our customer card transactions
• Import into the Councils hosted Income Management system and subsequent service systems to inform a payment has been received
• Analyse payment method data. Any disclosure of this information will not allow users to be identified
• Investigate unidentifiable payments
• Respond to queries
• Prevent and detect fraud
• Process and manage refunds
• Comply with statutory requirements e.g., VAT returns

COVID-19/Coronavirus

Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of investigations into COVID-19 cases and outbreaks and issues of non-compliance with the acts and associated regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision-making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.

During the investigation of cases and/or outbreaks of Coronavirus, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. The Council has a duty to notify national Government bodies, such as the UK Health Security Agency and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.

The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or email. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the Information Commissioners Office's website.

We may use contact details held in Council systems to ensure that we are able to contact you, and to ensure that we are working from accurate and up to date information. Such information will be accessed and processed where it is necessary to comply with our legal obligations and public tasks arising from the Coronavirus Act 2020, the Health Protection (Notification) Regulations 2010 and the Public Health (Control of Disease) Act 1984, the Care Act 2014 and associated Regulations.

Research and statistics

Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.

Who has access to your information?

We may share your information with

• Other Council Departments including IT and Finance
• Derby Homes
• Our contracted service providers and any other parties that they have contracted with to provide their services to us (for example, processors, sub-processors, other Data Controllers).

Information relating to payments will be shared with third parties as outlined below:

If you pay by BACs, Derby City Council will process your payment using Civica UK Ltd and Lloyds Bank.

If you pay by cheque, Derby City Council will process your payment using Civica UK Ltd and Lloyds Bank.

If you pay at a PayPoint outlet, PayPoint Network Ltd will process the transaction using Civica UK Ltd.

If you pay by credit or with debit card on the Derby City Council online payments page, via our Automated Telephone Line or over the phone to a Council employee, your information is securely processed by Civica UK Ltd and its sub-processor, Elavon Financial Services DAC (UK Branch) trading as Opayo, acting as a Data Controller. Payments will also be processed using Lloyds Cardnet.

If you pay by chip and pin using a credit or debit card, payments will be processed using Lloyds Cardnet and your Chip and Pin Provider. 

Cardholder details are stored by Lloyds and Chip and Pin Providers for authorisation and processing purposes. 

Opayo

Details of what Opayo may also do with your data, as a Data Controller, are here:

https://www.opayo.co.uk/policies/privacy-policy

The Council and third party providers are responsible for maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS). These may be subject to change.

International Data Transfers

Information about Opayo’s activities is available here:

https://www.opayo.co.uk/policies/privacy-policy

We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

What are your rights?

• Access – you can request copies of any of your personal information that is held by the Council.
• Rectification – you can ask us to correct any incorrect information.
• Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
• Portability – you can ask us to transfer your personal data to different services or to you.
• Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
• Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

How long will we keep your information for?

We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.

What security precautions are in place to protect the loss, misuse or alteration of your information?

We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.

Keeping your data up to date

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.

Under 13

If you are accessing online services and are under the age of 13‚ please ask for your parent or guardian's permission beforehand whenever you provide us with personal information

Cookies

Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.

IP addresses

Internet Protocol (IP) addresses are collected when our site is used:

• for statistical or analytical purposes
• to identify any malicious activity.

Complaints

If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer:

• By post: Information Governance, Council House, Corporation Street, Derby, DE1 2FS
• By phone: 01332 640763
• By email: data.protection@derby.gov.uk

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

• By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk.