Information Governance - privacy notice
Who we are
Derby City Council is the local government unitary authority for Derby city. Our address is the Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.
How do we collect information from you?
We collect information from you when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccount; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face. We may collect information from a setting you attend, such as a school or care home, where this data collection is necessary for the following purposes listed.
What types of information do we collect from you?
We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be personal information (for example your name and address), or other more sensitive data that we would only collect and use in very particular circumstances that are set out in law.
Should you wish to exercise your statutory rights, outlined below, then we may request information from you to verify your identification such as a copy of your passport or driving licence.
Details of information obtained from third parties?
We may receive personal information about you from the police or other investigatory bodies for the purposes of assisting them in the prevention and detection of crime and for the purposes of the apprehension and prosecution of offenders.
In some circumstances we act as data processor for other organisations such as Councils and Schools, we will therefore receive personal data from these sources.
We regularly receive information from other public sector organisations we partner with on local and national initiatives, such organisations include but are not limited to:
- central government departments such as the Department for Education
- other local authorities
- NHS organisations.
What is the lawful basis?
The legal basis for data processing we are relying on comes from Article 6 of the UK General Data Protection Regulations (UK GDPR). The following sections apply:
(b) Contracts: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life. This is very limited and would only apply and would only apply in matters of life and death.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party.
We rely on the following conditions as per Article 9 (2) of the UK GDPR:
(f) Legal claim or judicial acts: processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.
(g) Substantial Public Interest: Processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject. In addition, Schedule 1, part 2(6) of the DPA2018 which relates to statutory and government purposes, part 2(10) which relates to Preventing or detecting unlawful acts, part 2(14) which relates to Preventing fraud, part 2(18) which relates to Safeguarding of children and of individuals at risk.
In addition to those provisions outlined in the corporate Information Governance Regulatory Statutory & Regulatory Standards Document, we process all information in accordance with our Legal Obligation and Public Task arising from the following provisions:
- UK GDPR (2021)
- Retained by domestic law, works alongside the DPA.
- Data Protection Act 2018
- Implements EU GDPR into UK law, lays out the rights and responsibilities of organisations and individuals.
- Freedom Of Information Act 2000
- Provides individuals with rights to access information held by public bodies and governmental departments.
- Environmental Information Regulations 2004
- Statutory rights to access environmental information held by public authorities.
How is your information used?
We may use your information to:
- Verify your identity or that of third parties providing authority for you to act on their behalf.
- Process your request for information under the Freedom of Information Act 2000 or Environmental Information Regulations 2004.
- Manage and assist with the Council’s compliance under the data protection legislation.
- Process your data subject rights request under data protection legislation. We may also process data relating to you as part of another subject access request, which may include your personal data but no third party data about you will be disclosed without your consent or other lawful justification.
- Assist the police or other investigatory bodies where sharing the information is lawful and necessary for the purposes of preventing and detection of crime or for the purposes of apprehension and prosecution of offenders.
- Where the disclosure or processing of your information is required by law or is necessary for the purpose of, or in connection with, any legal proceedings or for the purpose of obtaining legal advice.
- Assist other external partners such as local authorities, NHS, central government, East Midlands Combined Authority, where information needs to be shared for safeguarding purposes or to protect the interests of you or others.
- Process information in order to inform and improve decision making.
- Provide advice and support to internal teams in relation to information governance related queries.
- Investigate and respond to Information Commissioner Office queries, audits and complaints.
Subject access request survey
The provision names or contact details is not required. We are collecting this information to help review how we handle social care subject access requests and be more transparent about care history with care leavers within the social care service.
Findings will be reviewed internally and may be shared with other local authorities and the Information Commissioners Office.
This survey is entirely optional, if you would like to opt out of contributing to the survey after you have submitted a response, email data.protection@derby.gov.uk - you should include the date and time of your submission.
COVID-19/Coronavirus
Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of investigations into COVID-19 cases and outbreaks and issues of non-compliance with the acts and associated regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision-making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.
During the investigation of cases and/or outbreaks of Coronavirus, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. The Council has a duty to notify national Government bodies, such as the UK Health Security Agency and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.
The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or email. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the Information Commissioners Office's website.
We may use contact details held in Council systems to ensure that we are able to contact you, and to ensure that we are working from accurate and up to date information. Such information will be accessed and processed where it is necessary to comply with our legal obligations and public tasks arising from the Coronavirus Act 2020, the Health Protection (Notification) Regulations 2010 and the Public Health (Control of Disease) Act 1984, the Care Act 2014 and associated Regulations.
Research and statistics
Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.
Who has access to your information?
We may share your information with the following third parties for the reasons detailed above:
- police and other investigatory bodies
- other local authorities
- central government departments
- His Majesty’s Courts and Tribunal Service (HMCTS)
- solicitors or insurance companies
- third party consultants such as IT specialists
- schools
- specialist video redaction companies as authorised data processors instructed to pixelate or otherwise redact video footage such as CCTV images
- the Information Commissioners Office.
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
Your information will only be shared for one or more of the purposes stated above and for no other purpose.
What are your rights?
- Access – you can request copies of any of your personal information that is held by the Council.
- Rectification – you can ask us to correct any incorrect information.
- Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
- Portability – you can ask us to transfer your personal data to different services or to you.
- Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
- Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.
How long will we keep your information for?
We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.
What security precautions are in place to protect the loss, misuse or alteration of your information?
We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.
Keeping your data up to date
We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.
Details of any automated decision processes
We will not process your data for any automated decision processes.
Under 13
If you are accessing online services and are under the age of 13‚ please ask for your parent or guardian's permission beforehand whenever you provide us with personal information
Cookies
Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.
IP addresses
Internet Protocol (IP) addresses are collected when our site is used:
- for statistical or analytical purposes
- to identify any malicious activity.
Complaints
If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer:
- By post: Information Governance, Council House, Corporation Street, Derby, DE1 2FS
- By phone: 01332 640763
- By email: data.protection@derby.gov.uk
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):
- By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Alternatively, visit ico.org.uk or email casework@ico.org.uk.