For Privacy Notices for specific services, please click on the link below:
The General Data Protection Regulation (GDPR) gives individuals the right to be informed about how organisations use their personal data. Gloucestershire County Council will provide this information in layered approaches through Privacy Notices. You can find the council's general privacy notice on this page, along with privacy notices for specific services below.
Gloucestershire County Council general Privacy Statement
Gloucestershire County Council is registered as a data controller with the Information Commissioner’s Office (ICO). Our registration number is Z7334901.
You can contact the Data Protection Officer with any issues regarding the processing of your personal data by:
Data Protection Officer
Information Management Service
We process the personal data that we collect for a number of different purposes. This privacy statement gives a general overview of how we use personal data. In some cases individual services provided by us will have their own, more specific, privacy notice. You can find these privacy notices by clicking on the link below:
1. Who we collect personal data about
We collect personal data about many different people, from both within and outside the county. These people include;
- People who visit our websites or complete forms on our websites
- People who receive care from the council or one of our providers
- People who receive other services from us
- Relatives or other individuals who interact with those receiving services from us
- People who contact us with a query or complaint
- People who make comments about the services we provide or actions we take as a county council
- People who have been referred to us from other organisations
- People who visit the organisation or who are recorded on CCTV on council premises
- Job applicants
- Current and former employees
- Our suppliers and providers or their employees
2. The types of personal data we collect and use
The data we collect about individuals can include;
- Name and contact details
- Personal and family details
- Identifiers, such as National Insurance Numbers or NHS numbers
- Lifestyle and social circumstances
- Financial information
- Employment and educational details
- Housing or social care needs
- Visual images, such as photographs or CCTV recordings
- Licenses or permits held
- Student and pupil records
- Business activities
We also collect what is known as sensitive personal information (or special categories of data). These include;
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Mental or physical health details
- Sex life
- Sexual orientation
We also collect equalities data to fulfil our equalities and monitoring obligations.
In some instance we will also collect personal data relating to criminal convictions or offences.
3. Why we collect and use personal data
Public Tasks & Legal Obligations
We have a number of statutory responsibilities, powers and duties which require us to carry out certain tasks in the public interest. In many situations these powers allow us to collect personal data without the need for consent. If we use these powers to collect personal data, we will always ensure your data is treated;
- Fairly – We will ensure that the personal data we collect is only used for the purposes for which we collected it and related activity, such as checking accuracy of contact details, planning future service provision and historical archives, , unless we are required to use or share it in a different way by law.
- Transparently – We will ensure that individuals are told when we have collected their personal data and that they know why we have collected this information, unless we are required to use or share your data without telling you by law.
- Securely – We will ensure the security of the personal data that you provide to us, and will ensure it is only available to people who are authorised to see it.
Some of our services are provided by other organisations on our behalf. In these cases we usually disclose personal data to them either under contract or because our powers or duties require us to do so. These providers also have to meet data protection requirements.
In some cases we collect information through a contractual agreement with an individual. For example, when someone is employed by us we will collect specific personal data about them for the purposes of their employment.
When you contact us about accessing a service or with an issue you wish us to look into it is reasonable for us to take that contact as your consent to process and use your personal information for that purpose.
There are some services that we provide that are not part of our powers or duties. In those cases we might seek your consent to collect your personal data.
If you are contacting your county councillor, they will usually rely on your request to deal with your request as permission to contact the county council and pass on your personal data, unless you state otherwise.
When there isn’t a legal reason or overriding interest for sharing your personal information, we will seek your consent if we want to share your personal data with a third party.
We will collect your consent when we want to add your name to a mailing list.
4. The purposes we collect and use personal data for
Because we provide a range of services, there are many different purposes we could use personal data for. However, we will only ever use the information you provide us for specific purposes, which we will make clear to you when the data is collected. Unless we are required by law, we will usually ask your consent we to use your data for a different purpose. .
These purposes could include:
- The provision of social services for adults and children
- Maintaining our own accounts and records
- Supporting and managing our employees
- Promoting the services we provide
- Carrying out health and public awareness campaigns
- Managing our property
- Providing cultural services
- Provision of education
- Carrying out surveys
- Administering benefits and grants
- Revenue services grants
- Licensing and regulatory activities
- Crime prevention and prosecution offenders including the use of CCTV
- Answering your queries and requests
- Corporate administration and all activities we are required to carry out as a data controller and public authority
- Undertaking research, strategic needs analysis and public health research
- The provision of all commercial services including the administration and enforcement of parking regulations and restrictions
- The provision of all non-commercial activities including the disposal of household waste
- Internal financial support and corporate functions
- Managing archived records for historical and research reasons
- Data matching under local and national fraud initiatives
- Prevention and control of disease and the promotion of health within the community
- Legal and other traded services to schools
- Consultancy and advisory services in relation to public health
- Identifying gaps in service provision in order to help improve those services
5. Who we share personal data with
We sometimes need to share information with the individuals we process information about and other organisations, where it is relevant. Where this is necessary we are required to comply with all aspects of data protection law.
- customers (for example, we would share the personal information about a taxi driver with the relevant service users)
- family, associates or representatives of the person whose personal data we are processing
- current past and prospective employers
- healthcare, social and welfare organisations and professionals
- educators and examining bodies
- providers of goods and services
- financial organisations
- debt collection and tracing agencies
- private investigators
- service providers
- local and central government
- ombudsman and regulatory authorities
- press and the media
- professional advisers and consultants
- courts and tribunals
- trade unions
- political organisations
- professional advisers
- credit reference agencies
- professional bodies
- survey and research organisations
- police forces
- housing associations and landlords
- voluntary and charitable organisations
- religious organisations
- students and pupils including their relatives, guardians, carers or representatives
- other police forces, non-home office police forces
- regulatory bodies
- courts, prisons
- customs and excise
- local and central government
- international law enforcement agencies and bodies
- security companies
- partner agencies, approved organisations and individuals working with the police,
- licensing authorities
- service providers
- current past and prospective employers and examining bodies
- law enforcement and prosecuting authorities
- legal representatives, defence solicitors
- the disclosure and barring service (DBS)
Personal data may be shared with regulatory and statutory bodies who assess council performance and financial spend, as well as where required by law, such as to prevent and detect crime or fraudulent activity.
Personal data may be shared within the council to check accuracy of your contact details to ensure our records are accurate and up to date and also to ensure that officers are aware of your circumstances and other services you are receiving when visiting or providing you with support.
6. How long we keep personal data for
We keep personal data for different lengths of time depending on the purposes for which it was collected. Sometimes the law will specify how long we have to hold personal data for. You can find detailed information on how long we keep personal data for by viewing the council’s Records Retention and Disposal Schedule, which is available by clicking here;
7. Is personal data transferred outside of Europe?
A large majority of the personal data that we collect is held within the United Kingdom and European Economic Area (EEA). Data Protection law allows the council to hold personal data if it is inside the EEA. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.
In very rare circumstances some of the personal data we collect is stored overseas. However, if data is held outside the EEA then we can do so if we have ensured that there is suitable protection of in place.
8. How does the council keep personal data secure?
Technical and physical security measures
The council protects the privacy and security of all data that we control and process. This protection includes:
- Baseline security recruitment checks,
- Controlled staff pass access to buildings and systems,
- Servers based within the United Kingdom,
- Our network is Cyber Essentials Plus and Public Services Network (PSN) accredited,
- Regular patching and updating of systems to maintain the security and integrity of the council network.
Policies and procedures
The council also ensures that its policies and procedures reflect good practice for data protection and that staff are aware of these. This includes:
- Review and acceptance of Data Protection, Internet Acceptable Use, Email Acceptable Use and Information Security policies by all staff – completion is monitored and recorded electronically,
- Online Data Protection training for all new staff – completion is monitored and recorded electronically,
- Automatic locking of PCs when not in use,
- A clear procedure for reporting and dealing with suspected breaches of data protection,
- Our approach is accredited by the NHS Data Security and Protection Toolkit.
9. Your rights
Data Protection law gives you a number of rights over your personal data. Not all of these rights are automatic, and some may not be available to you at all times. For instance, where there is a legal obligation for us to withhold or retain data. If the council refuses to oblige your rights, we will always explain why this is and our reasons for doing so.
To protect the confidentiality and integrity of the personal data we hold, we will always ask for proof of your identity before proceeding with any rights that you wish to use, if we are not already satisfied about your identity. If you have authorised a third party to act on your behalf we will also ask them to prove in writing that they have your permission to act.
The council is required by the law to respond to your requests within one month of receipt of the request. We may extend that period by a further two months where necessary, for example when the request is complex. If we need to extend the period then we will tell you why.
Right to access
You have the right to access personal data that we hold about you. Sometimes part or all of the information may be withheld, if this is the case we will explain why.
Right to withdraw consent
Where you have given consent for us to collect and use your personal data (for example, when you subscribe to a mailing list) you can withdraw that consent and stop the further use of it for those purposes. This does not apply if we have collected your personal data in line with our legal obligations, public tasks or as part of a contractual agreement we have with you.
Right to rectification (correction) of personal data
You can request that your personal data be corrected if you believe the information we hold about you is incorrect or incomplete.
Inaccurate data is not necessarily the same as a difference of opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. If you don’t agree with the opinion of an officer of the council or other person we will record your view alongside theirs.
Right to erasure (to be forgotten)
You have the right to request the deletion or removal of personal data we hold about you.
When the right applies:
- We no longer need to use the personal data for the purposes we collected it for;
- You withdraw your consent from using the personal data where you provided it;
- You object to the use of the personal data and there are no overriding legitimate grounds for us to continue using it;
- We use the personal data unlawfully; or,
- We are legally obliged to erase the personal data.
The right does not provide an absolute ‘right to be forgotten’. There are some specific circumstances where the right to erasure does not apply. We can refuse to comply with a request for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or,
- The exercise of legal claims.
Right to object
You have the right to object to us using your information if you feel we have used it outside the remit of our public tasks, official authority, or when you have received marketing from us.
Rights relating to automated decision making or profiling
You have the right not to be subject to a decision based solely on automated decision making, including profiling, which produces legal effects about you or significantly affects you. The council can only carry out solely automated decision making when it is authorised by law, you have given us your explicit, written consent, or when it is necessary for entering into a contract with the council.
Who to contact about these rights
If you wish to use their rights on some or all of your personal data held by the council, then you should contact the council via one of the ways below:
Information Management Service
Gloucestershire County Council
First Floor, Block 4(a)
Shire Hall, Westgate Street
10. Contacting the Information Commissioner's Office
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by;
11. Any questions?
If you have any questions about this privacy notice or the way the council handles your personal data, please contact our Data Protection Officer via our Information Management Service:
- Email us on firstname.lastname@example.org
- Writing to:
Data Protection Officer
Information Management Service
Gloucestershire County Council