For information about the Buckinghamshire County Council’s Data Protection Practices, please visit our data protection page.
Buckinghamshire County Council has an obligation to explain how we collect and use your personal information. This is known as processing.
We have done this in two parts: Firstly, we give a clear general explanation of what we do with your personal data. Secondly, we give a more specific explanation that includes information about data use by specific Council services.
Data we process when you use Council services
- when you use a Council service (e.g. completing an online permit application or using a library) we will use the information you provide (data) to handle your interactions with the Council and to provide the service to you and also to manage that service
- we might also analyse the data you provide to ensure that we are delivering the right and best services for you. For example we might look at the number of people phoning the Council to determine how we run and support our customer contact centre
Why we process it
We process this data for the purposes explained in detail below. More generally, we will use the data we collect about you to:
- Deliver services you currently use but also might use in the future (delivery)
- Help our teams to understand how people use our services to make sure they are the best possible services (planning)
- Ensure targets around performance and activity are met (performance)
- Meet legal requirements around the way that services might be delivered (statutory – non-safeguarding)
- Ensure that our residents remain safe and protected from harm (statutory – safeguarding)
- Keep in contact with you about what we do for you (communications)
When we process your data we might also use different techniques to analyse this data. We will only ever analyse data for the reasons listed above and in accordance with our more specific areas of business (see below).
When we analyse this data about you, we might combine it with other information you have provided to us or even data about you we have received from other organisations. This will be done under the strictest protections to ensure it is done in a fair, lawful and transparent way and is compatible with the reason we collected it originally (e.g. we would not use information collected for public health to market a commercial product to you but we might combine it with social care information to enable us to ensure we are delivering the right services to you).
If you would like more information about the specific ways different teams might use your personal data, please see below for our more detailed notification:
The law requires us to publish a ‘Record of Processing Activity’ along with information which ensures that the Council is clear about what it is doing with the data it holds.
This is a live document and we will update it from time to time if we change the way we collect or use your data.
The following sections set out information we must give you and a subsequent section is an alphabetical list of teams with details about how they collect and use data if it is different from the use of data set out below and in our general notice above.
1 The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
Buckinghamshire County Council
Telephone: 01296 395000
Data Protection Officer
Buckinghamshire County Council
2 Lawful basis and purposes of the processing
The primary lawful basis and purposes for processing personal data is to enable the Council to deliver Council services. We need to process personal data in the exercise of our public functions and powers (public task), and to perform tasks in the public interest, that are set out in law.
We also have legal obligations and powers to process personal data under the statute. These are listed in our Information Asset Register.
We also need to process your personal information to fulfill our contractual obligations to you.
We can also process your personal data with your express consent.
In exceptional cases, we might also need to process your personal data to protect your own or some else’s vital interests.
3 A description of the categories of data subjects and of the categories of personal data
Generally, the information we hold will be both personal data and special category data. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. Special category data is information about your race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.
So, for example, we may need this sort of information in connection with health and social care services that we provide. The Council will also hold information relating to ethnicity, disability and religion to comply with Equalities and Health and Safety legislation.
Finally, the Council may also hold criminal offence data for safeguarding reasons and law enforcement purposes strictly in compliance with data protection legislation.
4 The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
We will sometimes need to share information outside of Council departments with organisations such as our partners, third-party contractors, government bodies, the police, health and social care organisations, and educational establishments.
We will only share information with these organisations where it is appropriate and legal to do so. We may also share information, for example, if there is a risk of serious harm or threat to life, for the prevention and detection of fraud or crime, assessment of any tax or duty or if we are required to do so by any court or law. Where this is necessary, we are required to comply with all aspects of the Data Protection Legislation.
The Council will typically not disclose information to third countries and where an organisation is international in nature, we will have completed a risk assessment of the use of this data. Where possible we will require data being stored with third parties to at least be stored at sites within the EU and always with adequate protections. Where information is disclosed to a third Country, there will be a defined legal basis for this transfer which will be recorded and made available on request.
5 Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
Please see above.
6 Where possible, the envisaged time limits for erasure of the different categories of data
The Council has a list of how long it keeps data for known as a retention schedule. Details of how long material should be kept for are available on request.
7 Where possible, a general description of the technical and organisational security measures referred to in Article 32(1)
Some of the specifics of the technical security measures the Council employs are not available as they might provide a means for malicious access to our information but generally we employ the following protections for the data we hold:
- Encrypted servers
- Remote backup
- Cloud-based computing including virtual servers
- Password protection
- Annual Individual mandatory training
- Policies and procedures around Data Protection
- Confidentiality statement linked to contractual terms
8 The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
This information is recorded in our Information Asset Register. For further information contact firstname.lastname@example.org.
9 Where the processing is based on legitimate interests pursued by us or by a third party
Where we rely upon the legitimate interest’s condition for processing, it will be set out in our Information Asset Register and the associated Data Protection Impact Assessment
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
Where the Council relies upon a legal obligation for processing personal data or to form a contract with you, this will be set out in our information asset register.
Data Protection legislation gives specific data rights to individuals which include the following:
Name of right
What this means
How to enact it
You have the right to be informed of the period of time that we will hold your data
You have the right to be informed of the information we hold about you and be informed about how this data is being used
You have the right to notify us of factually incorrect information and where requested, we will attempt to correct this information.
You have the right to ask us to delete information about you when we do not have a legal reason to hold this information.
You have the right to ask us to restrict what we hold about or to not use that data unless we have a legal basis to do so.
Where applicable you have the right to information collected by an online form to be transferred to another organisation.
Where you have been asked for consent for using your personal data, you retain the right to withdraw your consent for this.
You have the right to complain to the Information Commissioner about how we have handled your personal data.
Council Teams Privacy Statements:
Use of IP addresses and cookies
Cookies enhance your experience using our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide information to the owners of the site.
We collect IP addresses* only for the purposes of system administration and to audit the use of our site. We do not link IP addresses to anything personally identifiable, which means that while your user session will be logged you will remain anonymous to us.
* An IP address is a unique string of numbers that identifies each computer.
Children and Young People
Services such as education, social care, and early help, which aim to protect vulnerable children and their families, as well as supporting improved public health and wellbeing, may involve collecting, using and sharing special category data as defined by the General Data Protection Regulation and Data Protection Act 2018. The provision of these services by the local authority is defined primarily in the Education Act 2016, Childcare Act 2016, Children’s Act (1989 and 2004), the Children and Social Work Act 2014, Working Together to Safeguard Children 2018.
We collect and use your personal information so we can provide you with these statutory services and other support services. The information we collect may be shared between county council services and with other organisations, such as the police, educational establishments (such as early years settings, schools and colleges), health services, and social care organisations (such as GPs and hospitals) who provide you with services.
The county council may receive personal information from third parties, for example a student’s unique identifier number to support education requirements or health services who may share the NHS numbers of people receiving support from social care. We do not disclose or share this sensitive or confidential information without your freely given, informed, unambiguous, explicit consent, except in a small number of situations where disclosure is allowed by law, or where we have good reason to believe that failing to do so would put you or someone else at risk.
Adult Social Care
Adult Social Care will in some occasions share information with local health services and utility companies if there is an emergency situation such as flood or extreme weather event where life may be at risk. This information is shared to ensure that individuals are not left at risk of harm during such an event. Where information is shared for an emergency situation, this will be done by the sharing of information in a secure manner and with the information being destroyed following the resolution of that event.
The HR team will handle information as set out in our notice above, but where there is an investigation into staff conduct; information about staff will be made available to managers and/or investigators to investigate concerns raised. This may include but is not limited to, emails, chat logs, and phone calls.
If contacted by the police or another government department with the relevant power to request information about staff (for example safeguarding, fraud, immigration), we may provide this information with sufficient justification.
What information does the organisation collect?
The organisation collects and processes a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number, date of birth and gender
- the terms and conditions of your employment
- details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation
- information about your remuneration, including entitlement to benefits
- details of your bank account and national insurance number
- information about your marital status, next of kin, dependants and emergency contacts
- information about your nationality and entitlement to work in the UK
- information about your criminal record
- details of your working pattern
- details of periods of leave taken by you, including holiday, sickness absence, sabbaticals, and the reasons for any other leave
- details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
- assessments of your performance, including DSP reviews and ratings, training you have participated in, performance improvement plans and related correspondence
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
- information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
- details of trade union membership
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
The organisation collects this information in a variety of ways. For example, data is collected through application forms, CVs or resumes; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.
The organisation seeks information from third parties with your consent only e.g. DBS checks and Occupational Health referrals. Data is stored in a range of different places, including your personnel file, in the organisation’s HR management system and in other IT systems (including the organisation’s email system).
Why does the organisation process personal data?
The organisation needs to process data to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit and pension entitlements.
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws, to enable employees to take periods of leave to which they are entitled, and to consult with employee representatives if redundancies are proposed or a business transfer is to take place. [For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question.]
In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows the organisation to:
- maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
- operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace
- operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes
- operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
- obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities, meet its obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
- operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organisation complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled
- ensure effective general HR and business administration
- conduct employee engagement surveys
- provide references on request for current or former employees
- respond to and defend against legal claims
- maintain and promote equality in the workplace
Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the organisation to operate check-off for union subscriptions.
Where the organisation processes other special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. You can ask us to stop processing this data at any time.
Who has access to data?
Your information will be shared internally, including with members of the HR and recruitment team (including payroll), your line manager, managers in the business area in which you work and IT staff if access to the data is necessary for the performance of their roles.
The organisation will not transfer your data to countries outside the European Economic Area.
Unitary Council privacy notice
Due to the proposed changes to local government within Buckinghamshire, in order to prepare for the transition to the new unitary Buckinghamshire Council, we may share your relevant personal information with other Councils - Chiltern District Council, South Bucks District Council, Aylesbury Vale District Council, Wycombe District Council and the shadow authority.
This will be on the basis of legitimate interests and/or to comply with the law.