Corporate Privacy Notice and General Data Protection Regulation (GDPR)
This Privacy Notice is designed to help you understand how and why we process your personal data.
This notice should be read in conjunction with our service specific privacy notices which can be found at the end of this notice.
You may also want to read our helpful definitions document to understand some of the terminology we use.
Who are we?
Hambleton District Council is a ‘Data Controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that the council has a duty of care towards the personal data that it collects and uses.
The council has appointed Veritau Ltd to be its Data Protection Officer. Their contact details are:Information Governance Office
01609 532 526
What data do you collect about me?
In order to deliver our services the council needs to collect and use your personal data and sometimes your special category personal data.
We will only collect the data we need and if we don’t need your personal data we will keep it anonymous.
Why do you need my personal data?
We may need to use and collect your personal data and sometimes your special category personal data, so we can:
- deliver, manage and check the quality of services that we provide to you
- investigate complaints or concerns raised by you or other individuals
- assist with the research and planning of new services
Who has access to my personal data within the council?
We may share your data between services within the council so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you.
Council officers may only access your personal data if they require it to perform a task. There are procedures and checks in place to ensure that officers can not use your data for their own personal benefit.
Who do you share my personal data with?
Third party processors
In order to deliver the best possible service the council often uses third party organisations. These organisations will sometimes require access to your personal data in order to complete their work. If the council does use a third party organisation it will always have an agreement in place to ensure that the other organisation keeps your data secure.
Occasionally the council is required to pass your data to other organisations. This could be because of a legal requirement or because a court orders the council to do so.
For example the council may need to share information with the police to help prevent or detect a crime. The council may not have to tell you if we do share with other organisations.
The council’s internal auditors, counter fraud service, data protection officer and external auditors may also have access to your personal data in order to complete their work.
The council will only share personal data with another organisation if it has a lawful basis to do so and will always keep records of when your data has been disclosed to another organisation.
National Fraud Initiative 2018 - use of Payroll information
The Cabinet Office will shortly be carrying out its semi-annual data matching exercise. The National Fraud Initiative 2018 will match data from certain databases with a view to act in the prevention and detection of fraud.
The Cabinet Office has powers under the Local Audit and Accountability Act 2014 to require certain public bodies (including local authorities) to provide the relevant information. The council is required to provide information from the payroll system. The information will be provided in October 2018.
How do you protect my personal data?
The council is committed to keeping the personal data that it holds safe from loss, corruption or theft. It has a number of measures in place to do this including:
- training for all officers and elected councillors on how to handle personal data
- policies and procedures detailing what officers can and cannot do with personal data
- a number of IT security safeguards such a firewalls, encryption and virus protection software
- on site security safeguards to protect physical files and electronic equipment
What is the lawful basis for processing my personal data?
There are a number of lawful reasons for the council to collect and use your personal data. The service specific privacy notices, which can be navigated at the end of this notice, will tell you which lawful basis the council is relying on for that specific process.
Unless the council is using your data based on consent or to carry out obligations under contract then it will be relying on a legal obligation or public task.
How long do you keep my personal data for?
The council will only keep your personal data for as long as it is required to fulfil the purpose it was collected for or for as long as is required by legislation.
There are different retention periods for different types of information. The service specific privacy notices, which can be navigated at the end of this notice, will tell you how long that service area may keep your information for.
Do you transfer my data outside the UK?
Generally the information that the council holds is all held within the UK. However, some information may be held on computer servers which are held outside the UK. The council will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK or EU government.
If the council does need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.
What are my Data Protection rights?
Data Protection legislation gives you, the data subject, a number of rights regarding your personal information. You can find out more on the Information Commissioner's Office (ICO) website here:
Subject access requests
To submit a subject access request, download the form below and return it to us.
How do I complain about the way in which you have handled my personal data?
If you have concerns about the way in which the council has handled your personal data please contact our Data Protection Officer (Veritau Ltd) at the address provided above.
The Information Commissioner’s Office (the Data Protection Regulator) will deal with complaints if the council has mishandled your personal data. Contact:First Contact Team
Information Commissioner’s Office
[email protected] // 03031 231113
A new Information Governance Policy suite has been approved by the Management Team. The policies have been updated in order to ensure the council’s compliance with the new data protection legislation: the GDPR and the Data Protection Act 2018. These policies include:
Data Protection Rights Policy – details of how the council will comply with an individual’s request to exercise their data protection rights.
Information Access and Transparency – details how the council will comply with transparency requirements under the Freedom of Information Act, the Environmental Information Regulations, etc
Information Governance Strategy – outlining the council’s overarching information governance strategic objectives.
Information Management Policy – details how the council will manage the information that it holds.
Other privacy notices
This privacy notice is Hambleton District Council's main privacy notice. Service-specific privacy notices can be found here:
- Coronavirus (COVID-19) privacy notice
- Business and Economy privacy notice
- Corporate Finance privacy notice
- Customer Services privacy notice
- Design and Maintenance privacy notice
- Development Management privacy notice
- District Councillors privacy notice
- Electoral services privacy notice
- Environmental Health privacy notice
- Hambleton Heroes privacy notice
- Home Improvement Agency privacy notice
- Human Resources privacy notice
- Legal Services privacy notice
- Leisure centres privacy notice
- Licensing privacy notice
- Recruitment and Selection privacy notice
- Remote Council Meetings
- Revenues and Benefits privacy notice
- Self Build Custom Build (SBCB) Register privacy notice
- Self-isolation payment privacy notice
- Waste and Street Scene privacy notice
Data Protection definitions
You can download the data protection definitions here:
Data Protection Act 1998
The Data Protection Act 1998 came into force on 1 March 2000 to protect personal data about individuals. This has been superseded by the General Data Protection Regulation (GDPR) above. Find out more here:
Website Privacy Statement
You can view our website privacy statement here: