Our privacy notice

Calderdale Council is registered as a 'data controller' with the Information Commissioners Office under the Data Protection Act 2018 (DPA2018). We process personal data in compliance with the DPA 2018 and the UK General Data Protection Regulation (UK GDPR).

We collect and process your information in order to provide various public sector services to you. Some of these services are statutory such as Council Tax and Benefits data whereas others are optional. In these cases we require explicit consent from you. Information may be collected on paper or online forms, by phone, email or by a member of Calderdale staff.

Why do we collect information about you?

We need to collect and use information about you, in order to:

• Deliver public services to you.
• Provide public health functions.
• Confirm your identity to provide some services.
• Contact you by post, email or telephone regarding your requirements.
• Understand your needs to provide the services that you request.
• Update your record.
• Help us build up a picture of how we are performing at delivering services to you.
• Prevent and detect fraud and corruption in the use of public funds.
• Allow us to undertake statutory functions efficiently and effectively.
• Make sure we meet our statutory obligations including those related to diversity and equalities.

We may not be able to provide you with a product or service unless we have enough information, or your permission to use that information.

How we use your information

We will use the information you provide in a manner that complies with the DPA2018 and associated legislation. We will endeavour to keep your information accurate and up-to-date and not keep it longer than is necessary. Information will be kept in line with our retention policy. In some instances the law sets the length of time information has to be kept.

We will only use your information and share it between Council Services:

• To provide the service you requested and to monitor and improve the Council's performance in responding to your request.
• To make sure that we meet our legal obligations.
• Where necessary for law enforcement functions.
• To prevent and detect fraud or crime.
• To process financial transactions including grants, payments and benefits involving the council, or where we are acting on behalf of other government bodies e.g. Department for Work and Pensions.
• Where necessary to protect individuals from harm or injury (Safeguarding).
• To allow the statistical analysis of data so we can plan the provision of services.
• To create anonymised data to be used and published to help improve services. This anonymised data will not contain any personal information which means that individuals cannot be identified.

Information sharing with other organisations

We may need to pass your information to other people and organisations that provide a service on our behalf. These providers are obliged to keep your details securely and use them only to provide the service to you or in accordance with our instructions. This sharing will always be done with your explicit consent and will be explained to you at the point of requesting our services.

We also get information from some external organisations or pass information to them, to:

• Verify the accuracy of the information we hold.
• Assist with service delivery by assessing eligibility for services.
• Enable the anonymisation of data for the use and publication of datasets and statistical analysis of data to improve services.
• Comply with the council's legal obligations.

We may share information with third parties where we are required by law to do so or where otherwise permitted by the DPA2018. For example, where the disclosure is necessary to enable the council to exercise its statutory functions.

Where we need to share sensitive or confidential information such as children's data, financial data or health information with third parties, we will do so only with your prior explicit consent, or where we are required by law to do so, or where otherwise permitted by the DPA2018, for example, where the disclosure is necessary to enable the council to exercise its statutory functions.

We may share your information including sensitive or confidential information where it is necessary for the prevention or detection of crime or to prevent risk of harm to an individual.

We will endeavour to ensure where possible that appropriate steps have been taken by the recipient to protect personal information that is shared.

Detect and prevent fraud or crime

Calderdale Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud or may share with the Police if it is suspected that a crime may have been committed. We may also share this information with other bodies that are responsible for auditing or administering public funds including our external auditor, the Department for Work and Pensions, other local authorities, HM Revenue and Customs and the Police, for example.

In addition to undertaking our own data matching to identify errors and potential frauds we are required to take part in national data matching exercises undertaken by the Cabinet Office. The use of data by the Cabinet Office in a data matching exercise is carried out under its powers in Part 6, Schedule 9 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned.

For more about this, see: Data matching.

Emergency response management

Data matching may also be used to assist the council in responding to emergencies or major incidents, by allowing the council, in conjunction with the emergency services, to identify individuals who may need additional support in the event of, for example, an emergency evacuation.

Phone calls

We will always inform you if we record or monitor any phone calls you make to us. This will be used to increase your security, for our record keeping of the transaction and for our staff training purposes.

Emails

Please note: Unless encrypted, email messages sent via the Internet may not be secure and could be intercepted and read by someone else. Please bear this in mind when deciding whether to include personal or sensitive information in any email messages you intend to send. If you email us we may keep a record of your contact and your email address and the email for our record-keeping of the transaction.

Using our website

If you are a user with general public access, the Calderdale Family Hubs website does not store or capture personal information, but merely logs a number called your IP address which is automatically recognised by the system.

The system will record personal information if you:

• Subscribe to or apply for services that require personal information.
• Report a fault and give your details for us to respond.
• Contact us and leave your details for us to respond.

Cookies

Cookies are small text files that 'remember' bits of information from your visit to a website. They make the interaction between you and the website faster and easier. Without cookies the website thinks you are a new visitor every time you move to a new page.

You can find out more about our specific cookies in our cookies policy.

CCTV

We have installed CCTV systems in some of our premises used by members of the public, for the purposes of public and staff safety and crime prevention and detection. In all locations signs are displayed notifying you that CCTV is in operation.

We will only disclose images to others who intend to use the images for the purposes stated above or where disclosure is legally required or otherwise permitted under the DPA2018. Images will not be released to the media for entertainment purposes or placed on the Internet.

Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example, where a crime is being investigated.

For details of how we handle the information, please see: Public spaces CCTV - privacy notice

How we protect your information

Our aim is not to be intrusive and we will not ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and procedures to make sure it cannot be seen, accessed or disclosed to anyone who should not see it.

We have an Information Governance Framework that includes a Data Protection and Privacy Statement and Information Governance and Security policies. These define our commitments and responsibilities to your privacy and cover a range of information and technology security areas.

We will not keep your information longer than it is needed or where the law states how long this should be kept. We will dispose of paper records or delete any electronic personal information in a secure and confidential way.

Rights for individuals under GDPR

From May 2018 the General Data Protection Regulations will come into effect. The Regulations will give increased rights for individuals. The rights and how to exercise these are detailed below.

The right to be informed. The way that your personal data is collected, handled and processed and the purpose for its processing should be detailed in the Privacy Notice associated with the method of the collection, whether this is via electronic means or paper. The Privacy Notice is a full explanation for you of exactly why we need your personal data, where it will be stored, who it will be shared with, the purpose of collecting it, the Data Protection Officer contact, your rights to object and how long the data will be kept for. Each Privacy Notice is different depending upon the data being collected. There is a generic privacy Notice on the Council website but specific detailed ones are available at the time that your data is collected.

• The right of access. This is your right to request sight of the information that we as a Council hold about you. It is called a Subject Access Request (SAR) and is processed under s.7 DPA2018 and will be dealt with by the Information Governance team free of charge. Please ensure that any request, is in writing to information_management@calderdale.gov.uk.
• The right to rectification. This means that you have the right to request that we correct any incorrect or inaccurate information held on our systems, such as wrong addresses, incorrect spellings etc. Corrections must be carried out within a month of us being informed, including asking third parties to also amend their systems accordingly. Please contact the name provided on the appropriate Privacy Notice.
• The right to be forgotten. This means that as long as the purpose for processing the data is not a statutory one, or in other words does not have a legal basis, then you can request that your information is withdrawn by withdrawing your consent for processing. As long as the data is not required for a legal or safeguarding purpose, you have the right for your entry to be deleted from our systems. Obviously an individual cannot be “forgotten” from the Council Tax system but for systems that do not have a legal basis such as mailing lists, then you have the right to be forgotten and erased from the system.
• The right to restrict processing. This right applies where an individual may feel that we are acting upon incorrect or inaccurate information. They will have the right under the new law to request that we restrict processing while we look into the situation. This must be done and a decision made within a month. During this time no action or further processing can take place. Once a written decision is made and any inaccuracies documented and amended the processing can be re-commenced.
• The right to data portability. The right to data portability is new. It only applies to personal data an individual has provided to a controller and where the processing is based on a person's consent or for the performance of a contract; and when processing is carried out by automated means.
• The right to object. This right is the same right that exists currently in that you can complain to the Councils DPO if you feel that your data rights have been incorrectly handled or breached. Complaints about data protection should not be sent to the Councils complaints department but should be sent to the Councils DPO at information.management@calderdale.gov.uk.
  Complaints about the service that you have received should be sent to our Complaints department.
• The right not to be subject to automated decision-making including profiling. If the Council intends to use your data for profiling purposes or for automatic decision making you must provide explicit consent or us to process your data in this way. You can withdraw your consent at any time. In addition, you can request that a “human” make the decision and that the “automated” part is not utilised.

You have the right to ask Calderdale Council to stop processing your personal data in relation to any council service (other than statutory services) where that processing is likely to cause substantial and unwarranted damage or distress. However, this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request, however there may be circumstances where this is not possible. For example, if we are required to hold or process information to comply with a legal requirement.

We try to ensure that any information we hold about you is correct. There may be situations where you find the information we hold is no longer accurate and you have the right to have this corrected.

Changes to this privacy notice

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with the changes in the law.

More information

Complaints about data protection issues should not be sent to our Complaints and Compliments service, they should be sent to the Council's Data Protection Officer, Suzanne Prescott at information.management@calderdale.gov.uk.

If you have a question about this Privacy Notice, please contact the Information Management Team:

• Email: information_management@calderdale.gov.uk.
• By post: Town Hall, Crossley Street, Halifax. HX1 1UJ.