Privacy notices and data protection

We are registered as a data controller with the Information Commissioner’s Office (ICO). This page includes general information about the types of personal data we process, what we use it for, and who we share it with.

Your personal data – what is it?

“Personal data” is any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be directly using the data itself or by combining it with other information which helps to identify a living individual.

Your rights

You have the right to see the personal data we process about you, as well as the right to request erasure of your records, objection to processing, rectification of records and restriction of processing or destruction.  

If you have any questions or concerns about the way we process your personal data, contact our Data Protection Officer at DPO@n-somerset.gov.uk

If you wish to make a complaint about how we handle your personal data, we ask that you give our Data Protection Officer the opportunity to respond in the first instance, but you are not obliged to do this. You can make your complaint directly to the Information Commissioner’s Office.

The law

The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the General Data Protection Regulation (GDPR”, the Data Protection Act 2018, and other legislation relating to personal data and rights such as the Human Rights Act.

Under GDPR, we are required to inform people about how we will use people’s personal data and for what purposes. We do this using privacy notices.

However, there are exceptions to the applicable data protection laws which require us to share personal data wherever necessary to the purposes of safeguarding, law enforcement and prevention of fraud.

Our privacy notices

This corporate privacy notice provides general information about the council’s personal data processing activities overall. As the range of services the council provides is so varied, we have also produced individual privacy notices to explain specifically how your data will be used within each service area. You can find links to these on the left of this page.

Personal data

The personal data processed by the council in order to perform its official tasks includes:

  • names, titles, aliases, photographs
  • contact details such as telephone numbers, addresses and email addresses
  • gender, age, marital status, nationality, education/work history, academic/professional qualifications, hobbies, family composition and dependants
  • social care records for adults and children in our care
  • financial identifiers such as bank account numbers, payment card numbers, payment/transaction identifiers, policy numbers and claim numbers

Special categories of personal data

The personal data we process also includes sensitive or other special categories of personal data such as criminal convictions, racial or ethnic origin, mental and physical health records, details of injuries, medication/treatment received, political beliefs, trade union affiliation, genetic data, biometric data, data concerning and sexual life or orientation.

These types of data are described in GDPR as “special categories of data” and require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal data.

We process special categories of personal data in the following circumstances:

  • for the provision of social care to children and adults
  • where it is needed in order to carry out our specific legal obligations
  • where it is needed for a matter of substantial public interest (such as in the case of a threat to public health)

Less commonly, we may process this type of personal data where it is needed in relation to legal claims or where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.

Sharing your personal data with other data controllers

Where necessary for statutory functions and official tasks, the council may share personal data with other public authorities such as the police, health authorities, government departments and schools.

In order to deliver support and services to you we also work with:

  • community groups and volunteers
  • charities
  • other not-for-profit bodies

We may, for example, share personal data with other local authorities or not-for-profit bodies with which we are carrying out joint ventures, e.g. in relation to facilities or events for the community.  Under the conditions of the Digital Economy Act 2017, we may also share personal data provided to us with other public authorities as defined in the Act, for the purposes of fraud or crime detection or prevention (see fair processing notice below), to recover monies owed to us, to improve public service delivery, or for statistical research. We do not share the information with other organisations for commercial purposes.

Sharing of “special categories” data with public sector partners

We only share sensitive personal data in limited circumstances - where we are required to do so by law or where it is necessary to fulfil our statutory obligations. This includes providing a range of public sector services for your health and social care, and the safeguarding of vulnerable children and adults. The sharing of personal data will include the linking of data sets held by the council, the NHS and other public sector partners to comply with our statutory duties and to provide joined up services.

Vital interests

We may also use personal information to identify and assist individuals whose vital interests are threatened and /or who need additional support during emergencies or major incidents, for example emergency evacuation.

Sharing of personal data with external service providers

Your personal information may be shared with external service providers, which we have contracted to act on our behalf, in order to provide the public services and support you have requested from us. We undertake to share only information which is relevant and necessary for the provision of the relevant service.

The council relies on various suppliers and service providers which process data on our behalf. These companies are “data processors” for the council. This means we instruct them, under contract, on their use and treatment of the personal data we are responsible for.

We must also ensure they have adequate security measures to keep the information safe.

Consent and GDPR

When you are asked to consent to a data controller’s use of your personal data this implies the controller is relying on “consent” as the legal basis for such use.

Consent may not be used as the legal basis for processing your personal data if:

  • you do not have a free choice
  • you have not been provided relevant privacy information (what personal data may be used, how, and why)
  • refusing consent may have a negative impact on you (this is the case where consent is a condition of receiving the service you want)
  • there is an imbalance of power between the person and the organisation requesting the consent. This is likely when the organisation is a public authority
  • GDPR provides a more appropriate basis for processing (such as for processing by public authorities in the exercise of their tasks)

The council does not generally request consent for using your personal data as, in accordance with the rules above, it is not a valid legal basis for processing involved in carrying out our official functions and tasks.

We will, however, request your consent for us to provide the actual support service we are offering you. This choice should also be informed by relevant privacy information. Therefore, we will always tell you about how and why we will use your information to provide the service before you decide whether you agree to receive it.

Data protection principles

The council is committed to adhering to the principles established in data protection law in its use of personal data.

This means it should be:

  • lawful and transparent
  • used for the specified purpose (collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes)
  • limited to the minimum amount of data required to deliver the service
  • accurate and up-to-date
  • kept only as long as necessary for the purposes we have told you about and any other legal requirements
  • secure from unauthorised access, misuse or loss

The council currently uses personal data to:

  • deliver public services including to understand your needs, to provide the services that you request, to understand what we can do for you and inform you of other relevant services
  • confirm your identity
  • contact you
  • help us to build up a picture of how we are performing
  • prevent and detect fraud and corruption in the use of public funds and where necessary for law enforcement functions
  • enable us to meet all legal and statutory obligations and powers including any delegated functions
  • carry out comprehensive safeguarding procedures (including due diligence and complaints handling) in accordance with best safeguarding practice to ensure that all children and adults-at-risk are provided with safe environments and generally to protect individuals from harm or injury
  • protect the use of public funds
  • maintain our own accounts and records
  • seek your views, opinions or comments
  • notify you of changes to our facilities, services, events, staff, councillors and other role holders
  • send you communications which you have requested and that may be of interest to you including information about campaigns, appeals and other new projects or initiatives
  • process relevant financial transactions including grants and payments for goods and services supplied to the council
  • allow the statistical analysis of data so we can plan the provision of services

Our processing also includes the use of CCTV systems for the prevention and prosecution of crime.

What is the legal basis for processing your personal data?

The council is a public authority and has certain powers and obligations. Most of your personal data is processed under our “official authority”. This means that it relates to local government responsibilities, which have been established in government legislation. When exercising these powers or duties it is necessary that we process personal data of residents or people using the council’s services.  We will always take into account your privacy interests and rights.

We may process personal data if it is necessary for the performance of a contract with you, or to take steps to enter into a contract. An example of this would be processing your data in connection with the use of sports facilities, or the acceptance of an allotment tenancy. This also includes the use of your data if you are a member of council staff.

Electronic communications

We reserve the right to monitor and record electronic communications (website, email and phone conversations). There are a number of reasons why we may do this; staff training, records of conversations or detection, investigation and prevention of crime. We will inform you if your call is being recorded or monitored.

Any email sent to us, including any attachments, may be monitored for reasons of security and making sure they comply with our information security policy. You have a responsibility to make sure any email you send to us is within the bounds of the law. Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our retention schedule.

How long do we keep your personal data?

The council will only retain and store your data for as long as it is needed for the purpose for which it was collected, or as required by the law, or as dictated by best practice as recommended by the Information and Records Management Society (IRMS).

We will keep some records permanently if we are legally required to do so. We may have legal obligations to retain some data in connection with our statutory obligations as a public authority. The council is permitted to retain data in order to defend or pursue claims. In some cases the law imposes a time limit for such claims (for example three years for personal injury claims or six years for contract claims).  We will retain some personal data for this purpose as long as we believe it is necessary to be able to defend or pursue a claim. We will only keep data for as long as we need it, and we will delete it when it is no longer needed.

Fair processing notice – sharing of data with a specified anti-fraud organisation

Fraud costs the public sector an estimated £20.6 billion a year. It is in all our interests to prevent it. Public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently.

We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises. Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Cabinet Office currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Cabinet Office for matching for each exercise, and these are set out in the Cabinet Office’s guidance.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

Data matching by the Cabinet Office is subject to a Code of Practice. For information on the Cabinet Office’s legal powers and the reasons why it matches particular information, see the GOV.UK website.