For information about the Buckinghamshire County Council’s Data Protection Practices, please visit our data protection page.
Buckinghamshire County Council has an obligation to explain how we collect and use your personal information. This is known as processing.
We have done this in two parts: Firstly, we give a clear general explanation of what we do with your personal data. Secondly, we give a more specific explanation that includes information about data use by specific Council services.
Data we process when you use Council services
- When you use a Council service (e.g. completing an online permit application or using a library) we will use the information you provide (data) to handle your interactions with the Council and to provide the service to you and also to manage that service.
- We might also analyse the data you provide to ensure that we are delivering the right and best services for you. For example we might look at the number of people phoning the Council to determine how we run and support our customer contact centre.
Why we process it
We process this data for the purposes explained in detail below. More generally, we will use the data we collect about you to:
- Deliver services you currently use but also might use in the future (delivery)
- Help our teams to understand how people use our services to make sure they are the best possible services (planning)
- Ensure targets around performance and activity are met (performance)
- Meet legal requirements around the way that services might be delivered (statutory – non safeguarding)
- Ensure that our residents remain safe and protected from harm (statutory – safeguarding)
- Keep in contact with you about what we do for you (communications)
When we process your data we might also use different techniques to analyse this data. We will only ever analyse data for the reasons listed above and in accordance with our more specific areas of business (see below).
When we analyse this data about you, we might combine it with other information you have provided to us or even data about you we have received from other organisations. This will be done under the strictest protections to ensure it is done in a fair, lawful and transparent way and is compatible with the reason we collected it originally (e.g. we would not use information collected for public health to market a commercial product to you but we might combine it with social care information to enable us to ensure we are delivering the right services to you).
If you would like more information about the specific ways different teams might use your personal data, please see below for our more detailed notification:
The law requires us to publish a ‘Record of Processing Activity’ along with information which ensures that the Council is clear about what it is doing with the data it holds.
This is a live document and we will update it from time to time if we change the way we collect or use your data.
The following sections set out information we must give you and a subsequent section is an alphabetical list of teams with details about how they collect and use data if it is different from the use of data set out below and in our general notice above.
1 The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
Buckinghamshire County Council
Data Protection Officer: Tom Mansfield
2 Lawful basis and purposes of the processing
The primary lawful basis and purposes for processing personal data is to enable the Council to deliver Council services. We need to process personal data in the exercise of our public functions and powers (public task), and to perform tasks in the public interest, that are set out in law.
We also have legal obligations and powers to process personal data under statute. These are listed in our Information Asset Register.
We also need to process your personal information to fulfil our contractual obligations to you.
We can also process your personal data with your express consent.
In exceptional cases we might also need to process your personal data to protect your own or someone else’s vital interests.
3 A description of the categories of data subjects and of the categories of personal data
Generally, the information we hold will be both personal data and special category data. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. Special category data is information about your race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.
So for example we may need this sort of information in connection with health and social care services that we provide. The Council will also hold information relating to ethnicity, disability and religion to comply with Equalities and Health and Safety legislation.
Finally, the Council may also hold criminal offence data for safeguarding reasons and law enforcement purposes strictly in compliance with data protection legislation.
4 The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations
We will sometimes need to share information outside of Council departments with organisations such as our partners, third party contractors, government bodies, the police, health and social care organisations, and educational establishments.
We will only share information with these organisations where it is appropriate and legal to do so. We may also share information, for example, if there is a risk of serious harm or threat to life, for the prevention and detection of fraud or crime, assessment of any tax or duty or if we are required to do so by any court or law. Where this is necessary, we are required to comply with all aspects of the Data Protection Legislation.
The Council will typically not disclose information to third countries and where an organisation is international in nature, we will have completed a risk assessment of the use of this data. Where possible we will require data being stored with third parties to at least be stored at sites within the EU and always with adequate protections. Where information is disclosed to a third country, there will be a defined legal basis for this transfer which will be recorded and made available on request.
5 Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards
Please see above.
6 Where possible, the envisaged time limits for erasure of the different categories of data
The Council has a list of how long it keeps data for, known as a retention schedule. Details of how long material should be kept for are available on request.
7 Where possible, a general description of the technical and organisational security measures referred to in Article 32(1)
Some of the specifics of the technological security measures the Council employs are not available, as they might provide a means for malicious access to our information, but generally we employ the following protections for the data we hold:
- Encrypted servers
- Remote backup
- Cloud based computing including virtual servers
- Password protection
- Annual individual mandatory training
- Policies and procedures around Data Protection
- Confidentiality statement linked to contractual terms
8 The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
This information is recorded in our Information Asset Register; an extract is available here.
9 Where the processing is based on legitimate interests pursued by us or by a third party
Where we rely upon the legitimate interests condition for processing, it will be set out in our Information Asset Register and the associated Data Protection Impact Assessment.
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data
Where the Council relies upon a legal obligation for processing personal data or to form a contract with you, this will be set out in our Information Asset Register.
Data Protection legislation gives specific data rights to individuals which include the following:
Name of right
What this means
How to enact it
You have the right to be informed of the period of time that we will hold your data
You have the right to be informed of the information we hold about you and be informed about how this data is being used
You have the right to notify us of factually incorrect information and where requested, we will attempt to correct this information.
You have the right to ask us to delete information about you when we do not have a legal reason to hold this information.
You have the right to ask us to restrict what we hold about you or to not use that data unless we have a legal basis to do so.
Where applicable you have the right for information collected by an online form to be transferred to another organisation.
Where you have been asked for consent for using your personal data, you retain the right to withdraw your consent for this.
You have the right to complain to the Information Commissioner about how we have handled your personal data.
Please see our specific page on data rights if you wish to enact any of these rights.
Council Teams Privacy Statements:
Use of IP addresses and cookies
Cookies enhance your experience using our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide information to the owners of the site.
We collect IP addresses* only for the purposes of system administration and to audit the use of our site. We do not link IP addresses to anything personally identifiable, which means that while your user session will be logged you will remain anonymous to us.
* An IP address is a unique string of numbers that identifies each computer
Adult Social Care
Adult Social Care will on some occasions share information with local health services and utility companies if there is an emergency situation such as flood or extreme weather event where life may be at risk. This information is shared to ensure that individuals are not left at risk of harm during such an event. Where information is shared for an emergency situation, this will be done by the sharing of information in a secure manner and with the information being destroyed following the resolution of that event.
The HR team will handle information as set out in our notice above, but where there is an investigation into staff conduct, information about staff will be made available to managers and/or investigators to investigate concerns raised. This may include, but is not limited to, emails, chat logs, and phone calls.
If contacted by the police or other government department with the relevant power to request information about staff (for example safeguarding, fraud, immigration), we may provide this information with sufficient justification.