Information management

Corporate Privacy Notice and General Data Protection Regulation (GDPR)

This Privacy Notice is designed to help you understand how and why Hambleton District Council processes your personal data.

This notice should be read in conjunction with the council’s service specific privacy notices which can be found at the end of this notice.

You may also want to read our helpful definitions document to understand some of the terminology we use.

Who are we?

Hambleton District Council is a ‘Data Controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that the council has a duty of care towards the personal data that it collects and uses.

The council has appointed Veritau Ltd to be its Data Protection Officer. Their contact details are:

Information Governance Office
Veritau Ltd
County Hall
Racecourse Lane
Northallerton
DL7 8AL

infogov.HambletonDC@veritau.co.uk 

01609 53 2526

What data do you collect about me?

In order to deliver our services the council needs to collect and use your personal data and sometimes your special category personal data.

We will only collect the data we need and if we don’t need your personal data we will keep it anonymous.

Why do you need my personal data?

We may need to use and collect your personal data and sometimes your special category personal data so we can:

  • deliver, manage and check the quality of services that we provide to you
  • investigate complaints or concerns raised by you or other individuals
  • assist with the research and planning of new services

Who has access to my personal data within the council?

We may share your data between services within the council so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you.

Council officers may only access your personal data if they require it to perform a task. There are procedures and checks in place to ensure that officers can not use your data for their own personal benefit.

Who do you share my personal data with?

Third party processors

In order to deliver the best possible service the council often uses third party organisations. These organisations will sometimes require access to your personal data in order to complete their work. If the council does use a third party organisation it will always have an agreement in place to ensure that the other organisation keeps your data secure.

Other organisations

Occasionally the council is required to pass your data to other organisations. This could be because of a legal requirement or because a court orders the council to do so.

For example the council may need to share information with the police to help prevent or detect a crime. The council may not have to tell you if we do share with other organisations.

Statutory functions

The council’s internal auditors, counter fraud service, data protection officer and external auditors may also have access to your personal data in order to complete their work. 

The council will only share personal data with another organisation if it has a lawful basis to do so and will always keep records of when your data has been disclosed to another organisation.

National Fraud Initiative 2018 - use of Payroll information

The Cabinet Office will shortly be carrying out its semi-annual data matching exercise. The National Fraud Initiative 2018 will match data from certain databases with a view to act in the prevention and detection of fraud.

The Cabinet Office has powers under the Local Audit and Accountability Act 2014 to require certain public bodies (including local authorities) to provide the relevant information. The council is required to provide information from the payroll system. The information will be provided in October 2018.

For more information see the Gov.uk website or contact us.

How do you protect my personal data?

The council is committed to keeping the personal data that it holds safe from loss, corruption or theft. It has a number of measures in place to do this including:

  • training for all officers and elected councillors on how to handle personal data
  • policies and procedures detailing what officers can and cannot do with personal data
  • a number of IT security safeguards such a firewalls, encryption and virus protection software
  • on site security safeguards to protect physical files and electronic equipment

What is the lawful basis for processing my personal data?

There are a number of lawful reasons for the council to collect and use your personal data. The service specific privacy notices, which can be navigated at the end of this notice, will tell you which lawful basis the council is relying on for that specific process.

Unless the council is using your data based on consent or to carry out obligations under contract then it will be relying on a legal obligation or public task.

How long do you keep my personal data for?

The council will only keep your personal data for as long as it is required to fulfil the purpose it was collected for or for as long as is required by legislation.

There are different retention periods for different types of information. The service specific privacy notices, which can be navigated at the end of this notice, will tell you how long that service area may keep your information for.

Do you transfer my data outside of the UK?

Generally the information that the council holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. The council will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK or EU government.

If the council does need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.

What are my Data Protection rights?

Data Protection legislation gives you, the data subject, a number of rights in regards to your personal information. You can find out more on the Information Commissioner's Office (ICO) website here.

Subject access requests

To submit a subject access request, download this form and return it to us.

How do I complain about the way in which you have handled my personal data?

If you have concerns about the way in which the council has handled your personal data please contact our Data Protection Officer (Veritau Ltd) at the address provided above. 

The Information Commissioner’s Office (the Data Protection Regulator) will deal with complaints if the council has mishandled your personal data. Contact:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF

casework@ico.gsi.gov.uk // 03031 23 1113 

www.ico.org.uk

Other privacy notices

This privacy notice is Hambleton District Council's main privacy notice. Service-specific privacy notices can be found here:

Data Protection definitions

You can download the data protection definitions here.

Data Protection Act 1998

The Data Protection Act 1998 came into force on 1 March 2000 to protect personal data about individuals. This has been superseded by the General Data Protection Regulation (GDPR) above.

Website Privacy Statement

You can view our website privacy statement here.