‘Your data privacy’ - Privacy notice for customers
To be able to serve you effectively City of Lincoln Council need to be able to collect, hold and use your personal data.
What is personal data?
Personal data identifies you or is capable of identifying you. This includes your name, address, date of birth, telephone number, National Insurance number and bank details. This also includes images of you, audio recordings of you and information online that identifies you. Personal data must relate to a living person.
Some personal data is more sensitive. We must look after this more carefully for you. This includes data relating to your race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, (mental and physical), sexual orientation, criminal history, biometric (fingerprints, voice recognition) and genetic data (DNA). We also look after you financial data carefully and keep this secure.
Who is looking after your data?
When you provide your data to us City of Lincoln Council become what is known as the ‘controller’. This means we are required by strict data protection laws to look after your data, during the time which you allow us to use it.
On occasions we may act jointly with another controller such as a council or partner organisation to deliver a service. If so we will inform you of this in a ‘privacy notice’ for the particular service. Privacy notices inform you how we will use your data.
We are required to register with the Information Commissioner’s Office (ICO). The ICO are an independent body who check that organisations in the UK comply with data protection laws. The ICO also have powers to take action against organisations if they fail to comply.
How we protect your data
We take your privacy seriously and laws state that we must use your personal data:
- fairly, lawfully and be open with you about how we use it
- for a particular purpose and we must not do anything with your data which is not compatible with this
- keep your data accurate and delete any inaccuracies without delay
- obtain from you only the data which is necessary
- keep your data only for as long as necessary
- store your data safely and securely
We are also required to keep records of what we use your data for and how we protect it, so that we are accountable to you.
You can help us protect your data by informing us of any change in your details such as your address or contact details and also by informing us of any inaccuracies in your data.
Privacy designed for you
We identify and consider privacy risks to you when planning to use or hold your data in new ways, such as when introducing new technologies and services. To do this we carry out assessments of privacy, which are built into our design process.
We are required by law to carry out these assessments for example, where it is likely to have a high risk to your privacy or where using CCTV in a public area, or making automated decisions (made solely by computers) which have legal or significant effects on you or where we are using large amounts of sensitive data.
We have also developed systems such as online accounts to enable you to access your own data, directly relating to council tax and benefits.
Why we need your data
We need your data to provide you with services. These in summary include services to;
- protect and support you
- maintain and improve the City
- process your housing and benefits applications
- collect council tax
We also need your data to;
- manage services provided to you
- train our staff to deliver services
- check the quality of services
- check our spending on services
- research and improve services for you
- deal with any enquiries or complaints you may have
How do we keep your data secure?
We keep your data secure in a number of ways. Your data held on computers is kept in secure systems. This means we control access to systems and our computer network, and use tools such as encryption, anti-virus software and password protection. Your data held outside of systems such as paper data is also protected through physically restricting access. We may also use ‘pseudonymisation’ which means key coding your data so that it can be used without identifying you. Your data is reviewed for accuracy, staff receive data protection training and we test our security measures regularly.
How the law allows us to use your data
We must have a legal reason to use your data. These can be any of the following;
- we have your consent to use it or
- it is required by law or
it is necessary for;
- a contract you have entered into with us or are about to enter
- to perform our legal duties and official functions
- for a task we may carry out to the benefit of society as a whole
- for employment purposes
- to deliver health and social care services
- to protect public health
- for archiving, research or statistical purposes
- for legal cases
- to protect someone in an emergency or
- you have made your information available publically
There are many laws that allow us to use your data the main ones being the Local Government Acts and the Localism Act 2011. When you provide your data for a service we will explain the legal reason your data is being used.
If we are using your data based upon your consent alone we must be able to show this was obtained correctly. This means we must provide you with clear information as to what you are consenting to at that time. Your consent needs to be confirmed by you taking an action such as signing a form, ticking a box or clicking on an icon online. Your consent can not be obtained by you failing to read something or by not opting out.
As we are a public authority we usually have an alternative legal reason to process your personal data, being that this is part of our public task. There are however some services where consent maybe required and if so we will request this from you. For example we would always obtain your consent first to send you direct marketing.
If we are using your data on the basis of your consent alone, you can withdraw your consent at any time and will be provided with contact details to do this by the particular service or you can contact the Data Protection Officer to withdraw your consent at email@example.com.
How long do we keep your information?
We retain data in line with our retention schedules which are based on guidelines provided by the Local Government Association. These set out how long we are required to keep your data and when we must delete or confidentially destroy this.
There are many legal reasons why we are required to retain your data and the schedules set out how many months, or years, we should keep your data. The length of time we are required to keep your data may also be provided to you by the particular service.
Who do we share your information with?
We will not share your data with others without your consent, unless the law allows for this or because they are processing your data on our behalf.
Sharing your data for law enforcement
The law sometimes requires us to share your data for law enforcement. This may include sharing your data with;
- The Police
- Revenues and Customs
- The Immigration Service
- The Courts
We may also carry out social media investigations where allowed by law for example but not exclusively in preventing anti-social behaviour.
Sharing your data to prevent and detect fraud
We are under a duty to protect the public funds we administer and we may use your data for the prevention and detection of fraud. We may also share this with other bodies responsible for auditing or administering public funds for these purposes. For further information and contact details, see www.lincoln.gov.uk/dmnotice.
We may also carry out social media investigations where allowed by law for example but not exclusively regarding council tax and housing fraud.
Sharing your data for matching
We may use your data for data matching under our legal powers contained in Part 2A of the Government Act 1998. Data matching involves comparing computer records held by one organisation against other computer records held by the same or another organisation to see how far they match. This is usually personal data. We are required by the government to participate in data matching exercises to assist in the prevention and detection of fraud. Data matching may also be used to assist us in responding to emergencies or major incidents for example to identify individuals who may need additional support in an emergency evacuation.
Sharing your data with our partners
We may have a legal reason to share your data with partners (other controllers) to help deliver a service to you. Where this is relevant we will inform you of this at the time you provide your data. If we are sharing your data regularly with partners there will be agreement written up and signed by all partners to confirm they will comply with data protection laws and arrangements for this. This will include measures to keep your data secure when being transferred between the partners.
Sharing your data with contractors
Where we share your data with others because they are processing this on our behalf these organisations are what is known as ‘processors’. We remain in control of your data at all times and processors can only use your data according to our instructions. The processors will sign a contract which states this and will include measures for keeping your data confidential and secure. Processors must also comply with data protection laws.
Sharing your data for safeguarding you and others
We may share your data when we believe this is required to protect you or others from a risk of harm. This includes mental or physical harm. This for example could be in an emergency situation or where we believe we need to protect a child or a vulnerable adult from a risk of harm. This risk would need to be serious for us to override your privacy.
Is your data being transferred to other countries?
Your data is mainly stored on our computer servers in the UK. On occasions however your data may be transferred to other countries for example because this is being stored by a processor in the cloud or on their servers located in another country. If your data is transferred outside the EU (Brexit may mean to any other country) additional considerations will be made. This includes transferring to countries which are considered ‘safe’ by Government and ensuring contracts have strict requirements to keep your data secure and in line with our data protection laws. We will also inform you of any such transfers.
What are your legal rights relating to your data?
Data protection laws give you rights relating to the data which we collect and hold about you. These include your right to;
- be informed about how we use your data
- access and receive copies of your data
- rectify your data if incorrect
- have your data deleted in certain circumstances
- restrict your data from being used in certain circumstances
- data portability in certain circumstances
- object to your data being used
- rights related to automated decision making
How do you make a request relating to your personal data?
If you wish to make a request, please complete our online form and submit this to firstname.lastname@example.org. If you are unable to use this form or do not wish to do so, please contact our Legal Officer at email@example.com or telephone 01522 881188 asking for the Legal Officer. You can make your request verbally if you wish, although we will still require the information requested on the form to confirm your identity.
Please provide the necessary proof of your identify so we can confirm that the person making the request is you. If we are not sure that the person making the request is you, then we must refuse to provide the information until we receive all the relevant documents.
Will you be charged a fee for your request?
There is no fee for you to make a request. However we may charge a reasonable administration fee in certain circumstances. This is if your request is unfounded or excessive, such as, you have requested the information repeatedly from us before.
We may also charge you an administration fee to provide you with copies of information you have already been provided with.
If we consider your request is unfounded or excessive, particularly repetitive the law says we are also allowed to refuse your request.
Where we hold a large amount of information about you, we are allowed to ask you what the information you are requesting relates to. This will then assist in narrowing our search, which will help you receive the correct information.
If we refuse your request we must explain why to you, within one month of us receiving your request. We must also inform you as with any request of your right to complain to the Information Commissioner’s Office.
When will you receive a response from us?
We must comply with your request within one month of us receiving this. This period can be extended by us in certain circumstances up to a further two months (three months in total). This extension is only allowed if your request is complex or lengthy.
We would need to inform you of any extension within one month of receiving your request. We would also need to explain to you why we consider the extension is necessary.
Your right to be informed
You have a right to be informed by us of certain information concerning how we use your data. This is provided to you in this document and/or a privacy notice for the service.
This information may be given to you in paper form, online, over the telephone or verbally in person. When and what information you are given depends on whether you have provided your data directly to us or through others. Normally you will be providing your data directly to us and therefore the information must be given to you at the time you provide your data to us.
This includes information including what your data will be used for, the laws allowing its use where relevant or whether this is being used because you have consented and if so how you withdraw your consent. Also information including how long your data will be kept and who your data will be shared with.
Your right to access your data
You have the right to receive from us confirmation as to what your data is being used for and to obtain access to your data, including being provided with copies of this. You also have the right to receive, the information you should be given in a privacy notice.
However information may be withheld from you if it contains;
- confidential information about other people or
- information that a qualified health professional considers will cause serious harm to you or someone else’s physical or mental wellbeing if provided to you or
- information we consider that providing to you, would stop us from preventing or detecting a crime
- training and employment references written by us
- management forecasts such as plans for redundancy
- negotiations which show someone else’s position in a dispute
- legal advice given to us or someone else
If your request is made electronically we should provide the response to you in a commonly used electronic format for example word or pdf. We should also where possible provide access to a secure self-service system which gives you direct access to your data, for example our online accounts systems for council tax and benefits.
Your right to rectification of your data
You have a right to request that we rectify (correct) your data if inaccurate or incomplete. This is without delay from us in doing so. If we have disclosed your data to others, we must also inform them of this, where possible. We must also inform you who your data has been given to.
We may not always be able to change or remove information, such as opinions about you that you disagree with. We will correct factual inaccuracies and may record your comments to confirm where you disagree with information. If we will not be taking any action to your request, we will inform you of this and the reason for this.
Your right to have your data deleted
You have a right to be deleted although this right will not apply to your data which is current and relates to council services or legal and enforcement matters. For example this right does not apply to council tax and benefit records which we are still required by law to retain.
You can only use this right where;
- your data is no longer required for the reason it was collected
- you withdraw your consent and this is the only reason we have to use it
- you use your right to object (see below) and this is successful
- there is no legal reason for your data to be used
- your data needs to be deleted to comply with the law
- a child (under 13 years) provided their data online
We can refuse your request to be deleted where your data is being used for any of the following reasons;
- for freedom of expression
- we are required to have it by law for example for collecting council tax or benefits and the law still requires us to keep it for a certain period of time
- for public health reasons
- it is required for scientific or historical research or statistical purposes or
- it is necessary for legal cases and investigations
If your request is successful and where your data has already been shared with others we would need to inform them of our deletion of your data. This is unless it is impossible or too difficult for us to do this.
Your right to restrict (limit) what we use your data for
You have a right to ask us to restrict what we use your data for when;
- you have told us that your data is inaccurate and we need to restrict its use until we have considered this
- where you have objected to its use (see below) and we are considering your request
- when there is no legal reason for us to use it but you do not want it to be deleted altogether
- where we no longer need the data but you require this for a legal case
If we have disclosed your data to others then we will inform them about the restriction unless it is impossible or too difficult for us. We will also inform you if we decide to lift the restriction at any time.
Your right to data portability
This allows you to ask us to transfer your data back to you or another service provider in a safe and secure way without affecting its usability or you providing it again.
This right only applies;
- to data you have provided to us and
- where the legal reason for its use is your consent or a contract and when
- decisions are being made by automated means (solely by computers)
It is unlikely that your right will apply therefore to the majority of council services you receive from us. We would inform you if you have a right to data portability.
Your right to object
You have a right to object to us using your data when;
- it is not required by law to be used
- it is direct marketing (marketing addressed to you)
- when it is being used for scientific/historical research and statistics
If you object we would need to stop processing your data unless;
- we can show compelling grounds for using your data which override your interests, rights and freedoms
- this is necessary for legal cases
- the scientific/historical research is to the benefit of society as a whole
We will inform you of your right to object if relevant to the service at the time we obtain your data.
Your rights related to decisions made by computers
You have the right not to be subject to a decision where;
- it is based on automated processing (decisions made solely by computers) and
- it has a legal or a significant effect on you
We can only carry out automated decision making when;
- it is necessary for you to enter into a contract with us
- it is allowed by law with safeguards in place to protect you, for example for fraud or tax evasion or
- it is based on your explicit (written) consent or
- where the decision does not have a legal or significant effect on you
Where we carry out automated processing we must ensure that you are able to:
- obtain human intervention if requested
- express your point of view and
- obtain an explanation of the decision and challenge it
Automated decisions must not concern a child or be based on sensitive data unless;
- you have provided your explicit (written) consent
- it is necessary as it benefits society as a whole, based on law, with measures in place to protect you.
If we carry out ‘profiling’ which is a decision made on certain aspects of your data, then we must do the following;
- provide you with details of the logic (reasoning), significance (impact on you) and consequences of the decision
- implement measures to ensure inaccuracies are corrected and minimise the risk of error
- keep your data secure according to the risk and prevent discriminatory effects.
Where can I get advice?
If you want to know more about your rights relating to your data or you have a query or complaint regarding the way we have handled your data please contact our Data Protection Officer:
Telephone: 01522 881188
City of Lincoln Council, City Hall, Beaumont Fee, LN1 1DD
If however you remain unhappy, then you have a right to complain to the Information Commissioner at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate) or visit www.ico.org.uk or email firstname.lastname@example.org.
Back to top