Corporate Privacy Notice and General Data Protection Regulation (GDPR)
This Privacy Notice is designed to help you understand how and why Hambleton District Council processes your personal data.
This notice should be read in conjunction with the Council’s service specific privacy notices which can be found at the end of this notice. Following Britain’s departure from the EU, all references to GDPR now refer to UK GDPR.
You may also want to read our helpful definitions document to understand some of the terminology we use.
Who are we?
Hambleton District Council is a ‘Data Controller’ as defined by Article 4(7) of the General Data Protection Regulation (GDPR). This means that the council has a duty of care towards the personal data that it collects and uses.
The council has appointed Veritau Ltd to be its Data Protection Officer. Their contact details are:Information Governance Office
01609 55 2848
What data do you collect about me?
In order to deliver our services the Council needs to collect and use your personal data and sometimes your special category personal data.
We will only collect the data we need and if we don’t need your personal data we will keep it anonymous.
There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details. In which case, we'll only collect your survey responses.
Why do you need my personal data?
We may need to use and collect your personal data and sometimes your special category personal data, so we can:
- deliver, manage and check the quality of services that we provide to you
- investigate complaints or concerns raised by you or other individuals
- assist with the research and planning of new services
Who has access to my personal data within the council?
We may share your data between services within the council so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you.
Council officers may only access your personal data if they require it to perform a task. There are procedures and checks in place to ensure that officers can not use your data for their own personal benefit.
Who do you share my personal data with?
Third party processors
In order to deliver the best possible service the Council often uses third party organisations. These organisations will sometimes require access to your personal data in order to complete their work. If the Council does use a third party organisation it will always have an agreement in place to ensure that the other organisation keeps your data secure.
Occasionally the Council is required to pass your data to other organisations. This could be because of a legal requirement or because a court orders the Council to do so.
For example the Council may need to share information with the police to help prevent or detect a crime. The Council may not have to tell you if we do share with other organisations.
The Council’s internal auditors, counter fraud service, data protection officer, and external auditors may also have access to your personal data in order to complete their work.
The Council will only share personal data with another organisation if it has a lawful basis to do so and will always keep records of when your data has been disclosed to another organisation.
National Fraud Initiative
The Council also collects and uses your data for the National Fraud Initiative (NFI). Find out more here:
How do you protect my personal data?
The council is committed to keeping the personal data that it holds safe from loss, corruption or theft. It has a number of measures in place to do this including:
- training for all officers and elected councillors on how to handle personal data
- policies and procedures detailing what officers can and cannot do with personal data
- a number of IT security safeguards such a firewalls, encryption and virus protection software
- on site security safeguards to protect physical files and electronic equipment
What is the lawful basis for processing my personal data?
There are a number of lawful reasons for the council to collect and use your personal data. The service specific privacy notices, which can be navigated at the end of this notice, will tell you which lawful basis the council is relying on for that specific process.
Unless the council is using your data based on consent or to carry out obligations under contract then it will be relying on a legal obligation or public task.
Conditions for criminal offence data, enforcement investigations and prosecutions
Where we are undertaking an investigation we are processing personal information under Part III of the Data Protection Act 2018 (DPA) for law enforcement purposes. The six law enforcement principles are similar to UK GDPR’s, however the transparency requirements are different, due to the potential to prejudice an ongoing investigation in certain circumstances.
When processing sensitive data, we must be able to demonstrate that the processing is strictly necessary and satisfies one of the conditions in Schedule 8 of the DPA or is based on consent.
How long do you keep my personal data for?
The Council will only keep your personal data for as long as it is required to fulfil the purpose it was collected for or for as long as is required by legislation.
There are different retention periods for different types of information. The service specific privacy notices, which can be navigated at the end of this notice, will tell you how long that service area may keep your information for.
Do you transfer my data outside the UK?
Generally the information that the Council holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. The Council will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK.
If the Council does need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.
What are my Data Protection rights?
Data Protection legislation gives you, the data subject, a number of rights in regards to your personal information. You can find out what these rights are and how you can exercise them here:
Subject access requests
To submit a subject access request, download the form below and return it to us.
How do I complain about the way in which you have handled my personal data?
If you have concerns about the way in which the council has handled your personal data please contact our Data Protection Officer (Veritau Ltd) at the address provided above.
The Information Commissioner’s Office (the Data Protection Regulator) will deal with complaints if the council has mishandled your personal data. Contact:First Contact Team
Information Commissioner’s Office
firstname.lastname@example.org // 03031 231113
A new Information Governance Policy suite has been approved by the Management Team. The policies have been updated in order to ensure the council’s compliance with the new data protection legislation: the GDPR and the Data Protection Act 2018. These policies include:
Data Protection Rights Policy - how we comply with an individual’s request to exercise their data protection rights.
Information Access and Transparency - how we comply with transparency requirements under the Freedom of Information Act, the Environmental Information Regulations, etc
Information Governance Strategy - our overarching information governance strategic objectives.
Information Management Policy - how we manage the information that we hold.
Law Enforcement Policy - how we secure compliance of sensitive data for law enforcement purposes.
Special Category and Criminal Conviction Data Policy - how we process personal data of individuals with a criminal conviction and those in special categories (such as racial, political, sexual, or health reasons).
Other privacy notices
This privacy notice is Hambleton District Council's main privacy notice. Service-specific privacy notices can be found here:
Data Protection definitions
You can download the data protection definitions here:
Data Protection Act 2018
Superceded by GDPR, and following Britain’s departure from the EU all references to GDPR now refer to UK GDPR. Find out more here:
Website Privacy Statement
You can view our website privacy statement here: