Uttlesford District Council Overarching Privacy Notice
This privacy notice explains how Uttlesford District Council (as a Data Controller) collects, uses and protects the personal data that we hold.
Your personal data - what is it?
Personal data is any information relating to a living person who can be identified from that data directly or indirectly such as name, photograph, identification number, location data or online identifier. There are also special categories of personal data referred to as 'sensitive personal data' and the categories include genetic data, biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation.
The processing of personal data is governed by the principles set out in the General Data Protection Regulation 2016 (the GDPR) and the Data Protection Act 2018.
Who are we?
Uttlesford District Council is the data controller (contact details below). This means it decides how your personal data is processed and for what purposes.
How do we process your personal data?
We comply with our obligations under the GDPR and the principles of the Data Protection Act (DPA) by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
Under the GDPR and DPA, we have a legal duty to protect any personal data we collect from you. We will use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
What is the legal basis for processing your personal data?
The legal basis for processing your personal data will depend on the reasons for collecting it. Generally, the legal basis for processing by the Council as a public authority will be:
1. To perform a function or provide a service required by statute;
2. To comply with a legal obligation;
3. Where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
4. Where disclosure is in the vital interests of yourself or another person;
5. With your explicit consent;
6. In very limited circumstances, the Council may be able to rely on the 'legitimate interest' of the Authority, but only when these interests override those of the individual and when the Council is not acting in its role as a public authority.
Who will your data be shared with?
Depending on the purpose for which we originally obtained your personal data and the use to which it is to be put, it may be shared with other departments within the council to deliver services and with other local authorities. Personal data may be shared where necessary with other organisations that provide services on our behalf such as contractors carrying out repairs to Council houses. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.
Sometimes we have a legal duty to disclose your information to other organisations or make it available in a public way. This is often because it forms part of an application, because legislation requires it, or because court orders are in place. In these situations we do not have an option, but we will be clear about how we use your information.
In most cases we will not disclose your personal data without your consent; however, there are situations where consent would not be required, such as when we feel there is a good reason that is more important than protecting your confidentiality. This does not happen often, but we may share your information:
- For the detection and prevention of crime/fraudulent activity;
- If there are serious risks to the public, our staff or to other professionals;
- To protect a child;
- To protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them; or
- Where there is a risk to you and the risk is sufficiently serious that the need to disclose your information is more important than protecting your confidentiality.
On occasions the Council will undertake research into various topics. When using personal data for research purposes, the data will usually be anonymised to avoid the identification of an individual, unless consent has been given for the use of the personal data.
We do not sell personal information to any other organisation for the purposes of direct marketing.
How long do we keep your personal data?
We will only keep your personal data for as long as is necessary for the purpose for which we are processing it, unless we have a legitimate reason for keeping it, for example, any legal requirement to keep data for a set time period. However, where possible we will anonymise this data so that you cannot be identified. Where we do not need to continue to process your personal data, it will be securely destroyed.
Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:
a. Right of access: to request a copy of your personal data which we hold about you;
b. Right to rectification: to request that we correct any personal data if it is found to be inaccurate or out of date;
c. Right to erasure: to request that your personal data be erased where it is no longer necessary for us to retain such data;
d. Right to withdraw consent: to withdraw your consent to the processing at any time (this will only apply in certain circumstances; please contact the Council's Data Protection Officer who will explain if your consent can be withdrawn);
e. Right to data portability: to request that we provide you with your personal data and where possible directly to another controller (where applicable) - please note this only applies where the processing is based on consent or is necessary for the performance of a contract with you; and in either case where we process the data by automated means;
f. Right to restrict processing: to request that a restriction be placed on further processing where there is a dispute in relation to the accuracy or processing of your personal data;
g. Right to object: to object to the processing of personal data (where applicable) - please note this only applies where processing is based on legitimate interests (or the performance of a task in the public interest/exercise of official authority); direct marketing and processing for the purposes of scientific/historical research and statistics;
h. Right to complain: to lodge a complaint with the Information Commissioner's Office.
You can access the personal information that we hold about you at any time by submitting a Subject Access Request (SAR) to the Council. This request should be in writing and clearly specify the information you require.
Please email us at firstname.lastname@example.org or write to us at Uttlesford District Council, Council Offices, London Road, Saffron Walden, Essex, CB11 4ER. Alternatively, please complete and return the SAR form available on the Council's website to assist you with submitting a request.
You can ask us to change information you think is inaccurate, and you should let us know if you disagree with something written on your file. We may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
If you would like to make a request with regard to the processing of your personal data, please contact the Data Protection Officer on the details provided below. However, it is not always possible for requests to delete information to be fulfilled, and the Data Protection Officer can provide you with more information on request.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
If you have any concerns, questions or comments, please email the Council's Data Protection Officer: email@example.com or write to:
Data Protection Officer
Uttlesford District Council
Essex, CB11 4ER
If, having exhausted the complaints process, you are still of the opinion that your request or review has not been dealt with satisfactorily, you can complain to the Information Commissioner's Office at https://ico.org.uk/, by calling them on 0303 123 1113, or by writing to:
Information Commissioner's Office
Cheshire, SK9 5AF