How we use your personal data
Privacy notices and data protection
We are registered as a data controller with the Information Commissioner’s Office (ICO). This includes general information about the types of personal data we process, what we use it for, and who we share it with.
Your personal data – what is it?
“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be made directly from the data itself or by combining it with other information which helps to identify a living individual.
You have the right to see the personal data we process about you, as well as the right to request erasure of your records, objection to processing, rectification of records and restriction of processing or destruction. For details of how to make such a request, please click here.
If you have any questions or concerns about the way we process your personal data, our Data Protection Officer can be contacted at DPO@n-somerset.gov.uk
If you wish to make a complaint about how we handle your personal data, we ask that you give our Data Protection Officer the opportunity to respond in the first instance, but you are not obliged to do this. You can make your complaint directly to the Information Commissioner’s Office.
The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, and other legislation relating to personal data and rights such as the Human Rights Act.
Under GDPR, we are required to inform people about how we will use people’s personal data and for what purposes. We do this using Privacy Notices.
However, there are exceptions to the applicable data protection laws which require us to share personal data wherever necessary for the purposes of safeguarding, law enforcement and prevention of fraud.
Our privacy notices
This corporate Privacy Notice provides general information about the council’s personal data processing activities overall. As the range of services the council provides is so varied, we have also produced individual privacy notices for each service area, to explain specifically how your data will be used within each service. These can be found on the left of this page.
The personal data processed by the council in order to perform its official tasks includes:
- Names, titles, aliases, photographs;
- Contact details such as telephone numbers, addresses, and email addresses;
- Gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition, and dependents;
- Social care records for adults and children in our care;
- Financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers, and claim numbers.
Special categories of personal data
The personal data we process also includes sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health records, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, and data concerning sexual life or orientation.
These types of data are described in GDPR as “Special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.
We process special categories of personal data in the following circumstances:
- For the provision of social care to children and adults.
- Where it is needed in order to carry out our specific legal obligations.
- Where it is needed for a matter of substantial public interest (such as in the case of a threat to public health).
Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.
Sharing your personal data with other data controllers
Where necessary to the exercise of statutory functions and official tasks, the council may share personal data with other public authorities such as the police, health authorities, government departments and schools.
In order to deliver support and services to you we also work with:
- Community groups and volunteers
- Other not-for-profit entities
We may, for example, share personal data with other local authorities or not-for-profit bodies with which we are carrying out joint ventures, e.g. in relation to facilities or events for the community. Under the conditions of the Digital Economy Act 2017, we may also share personal data provided to us with other public authorities as defined in the Act, for the purposes of fraud or crime detection or prevention (see fair processing notice below), to recover monies owed to us, to improve public service delivery, or for statistical research. We do not share the information with other organisations for commercial purposes.
Sharing of “special categories” data with public sector partners
We only share sensitive personal data in limited circumstances: where we are required to do so by law or where it is necessary to fulfil our statutory obligations. This includes providing a range of public sector services for your health and social care, and the safeguarding of vulnerable children and adults. The sharing of personal data will include the linking of data sets held by the council, the NHS and other public sector partners to comply with our statutory duties and to provide joined up services.
We may also use personal information to identify and assist individuals whose vital interests are threatened, and/or who need additional support during emergencies or major incidents, for example emergency evacuation.
Sharing of personal data with external service providers
Your personal information may be shared with external service providers, whom we have contracted to act on our behalf, in order to provide the public services and support you have requested from us. We undertake to share only information which is relevant and necessary for the provision of the relevant service.
The council relies on various suppliers and service providers who process data on our behalf. These companies are “data processors” for the council. This means we instruct them, under contract, on their use and treatment of the personal data we are responsible for.
We must also ensure they have adequate security measures to keep the information safe.
Consent and GDPR
When you are asked to consent to a data controller’s use of your personal data this implies the controller is relying on “consent” as the legal basis for such use.
Consent may not be used as the legal basis for processing your personal data if:
- You do not have a free choice
- You have not been provided relevant privacy information (what personal data may be used, how, and why)
- Refusing consent may have a negative impact on you (this is the case where consent is a condition of receiving the service you want)
- There is an imbalance of power between the person and the organisation requesting the consent. This is likely when the organisation is a public authority
- GDPR provides a more appropriate basis for processing (such as for processing by public authorities in the exercise of their tasks).
The council does not generally request consent for using your personal data as, in accordance with the rules above, it is not a valid legal basis for processing involved in carrying out our official functions and tasks.
We will, however, request your consent for us to provide the actual support service we may be offering you. This choice should also be informed with relevant privacy information. Therefore, we will always tell you about how and why we will use your information to provide the service before you decide whether you agree to receive it.
Data protection principles
The council is committed to adhering to the principles established in data protection law in its use of personal data.
This means it should be:
- Lawful and transparent
- Used for the specified purpose (collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes)
- Limited to the minimum amount of data required to deliver the service
- Accurate and up to date
- Kept only as long as necessary for the purposes we have told you about and any other legal requirements we have
- Secure from unauthorised access, misuse or loss
The council currently uses personal data for the following purposes:
- To deliver public services including to understand your needs, to provide the services that you request and to understand what we can do for you and inform you of other relevant services;
- To confirm your identity;
- To contact you;
- To help us to build up a picture of how we are performing;
- To prevent and detect fraud and corruption in the use of public funds and where necessary for law enforcement functions;
- To enable us to meet all legal and statutory obligations and powers including any delegated functions;
- To carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice from time to time with the aim of ensuring that all children and adults-at-risk are provided with safe environments and generally as necessary to protect individuals from harm or injury;
- To protect the use of public funds;
- To maintain our own accounts and records;
- To seek your views, opinions or comments;
- To notify you of changes to our facilities, services, events and staff, councillors and other role holders;
- To send you communications which you have requested and that may be of interest to you. These may include information about campaigns, appeals, other new projects or initiatives;
- To process relevant financial transactions including grants and payments for goods and services supplied to the council;
- To allow the statistical analysis of data so we can plan the provision of services.
Our processing also includes the use of CCTV systems for the prevention and prosecution of crime.
What is the legal basis for processing your personal data?
The council is a public authority and has certain powers and obligations. Most of your personal data is processed under our “official authority”. This means that it relates to local government responsibilities, which have been established in government legislation. When exercising these powers or duties it is necessary that we process personal data of residents or people using the council’s services. We will always take into account your privacy interests and rights.
We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment garden tenancy. This also includes the use of your data if you are a council member of staff.
We reserve the right to monitor and record electronic communications (website, email and phone conversations). There are a number of reasons why we may do this: staff training, records of conversations, or detection, investigation and prevention of crime. We will inform you if your call is being recorded or monitored.
Any email sent to us, including any attachments, may be monitored for reasons of security and making sure they comply with our information security policy. You have a responsibility to make sure any email you send to us is within the bounds of the law. Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our retention schedule.
How long do we keep your personal data?
The council will only retain and store your data for as long as it is needed for the purpose for which it was collected, or as required by the law, or as dictated by best practice as recommended by the Information and Records Management Society (IRMS).
We will keep some records permanently if we are legally required to do so. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example three years for personal injury claims or six years for contract claims). We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. We will keep data only for as long as we need it, and we will delete it when it is no longer needed.
Fair processing notice – sharing of data with a specified anti-fraud organisation
Fraud costs the public sector an estimated £20.6 billion a year. It is in all our interests to prevent it. Public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently.
We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.
Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The Cabinet Office currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for matching for each exercise, and these are set out in the Cabinet Office’s guidance.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice. For information on the Cabinet Office’s legal powers and the reasons why it matches particular information, see: