Corporate privacy notice

Privacy notices explain how we collect, use and share your information, how we keep it safe, how long we keep it and how we will dispose of it when we no longer need it.

The council must collect and share your personal information in order to provide the services you require. The council is required to hold certain data by law in line with the Data Protection Act and General Data Protection Regulation.

You can also read service privacy notices.

Who to contact

If you would like further information about how we use your personal information, or you wish to exercise one of your data rights, or you wish to complain about the use of your personal information, please contact the Data Protection Officer.

What is a data controller and who are they?

A data controller is a person or organisation who processes personal data about other data subjects (individuals like you, as a service user or member of staff of the council). They are responsible for keeping it safe and only using it as the law allows.

All data controllers in the UK must register with the Information Commissioner's Office (ICO). They must keep records of what data they process, what allows them to do so, how it is used, if it is shared (and with whom), how it is stored, how long legally they can keep it and how and when it will be securely destroyed.

This information is usually kept in a document called a record of processing activities or ROPA (sometimes referred to as an information asset register). The council’s ROPA can be requested by contacting the Data Protection Officer. North Northamptonshire Council is registered as a data controller with the ICO under the current data protection legislation because we collect and process personal information about you.

What is personal data?

Personal data is defined in the General Data Protection Regulation (GDPR) as any information which can be used to identify a living individual. If we can identify someone, directly or indirectly, ie you could combine it with other data to determine who it’s about, then it’s personal data.

It includes things like your name, email address, contact details, photographs, location and IP address data, financial information, social media profiles, cookie identifiers, and any other data that may be used to identify you. As an organisation, we don’t process all of these, but they are all classed as personal data.

What is special category data?

In addition to personal data like the types shown above, there is a more sensitive grouping known as special category data.

This includes information about your medical history and concerning your health, trade union membership, information about your sexual life, genetics data and biometrics (where used to identify you), and information that reveals your racial or ethnic origin, your political opinions, and your religious or philosophical beliefs.

Again, as an organisation, we don’t process all of these but they are all classed as special category data.

This policy explains how the council collects, uses and shares your information, how we keep it safe, how long we keep it and how we will dispose of it when we no longer need it.

It applies to all personal data and special category data that we hold and process, including data held and processed on our behalf by processors we have specifically chosen to carry out particular tasks for us using personal data. It includes all electronic and paper records and relates to current and archived data.

The council has chosen to use a tiered approach to providing information to customers and staff about how we use your data. This policy outlines our overall approach to privacy and managing personal data. Each individual service will have a specific privacy notice which will give details of how data is processed in delivering that service. They will also be provided to you when you first make contact with that service or team.

The Data Protection Act 2018 (DPA18) and the EU General Data Protection Regulation (GDPR) ensure that we comply with a series of data protection principles.

These principles are there to protect you and they make sure that we:

  • process all personal information lawfully, fairly and in a transparent manner
  • collect personal information for a specified, explicit and legitimate purpose
  • ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected, or compatible with this purpose
  • ensure the personal information is kept accurate and up to date
  • keep your personal information for no longer than is necessary for the purpose(s) that we collected it for
  • keep your personal information secure using appropriate technical and/or organisational measures

We collect and hold a wide variety of personal information.

We use this information to:

  • deliver public services and confirm your identity to help us deliver some of those services
  • contact you by phone, text, post or email
  • understand your needs so we can provide the services you request
  • understand what we can do for you, and with your consent, inform you of other services which may be relevant (this activity may include the use of profiling and automated decision making)
  • obtain your opinion about our services and our development plans
  • maintain an accurate customer record for you
  • help us to understand our performance and ensure we are delivering services well and to meet the needs of our customers
  • prevent and detect fraud and corruption in the use of public funds
  • undertake statutory functions effectively and efficiently

Further information can be found about what each service does with the data they hold in the service privacy notices.

We will only collect personal information from you that we need to provide the services you require, or information we are required by law to hold about you.

This may include information about you and other members of your household, your address and contact information, and where appropriate (ie for council tax or benefit claims) financial and banking details.

If you give us permission, we may also collect location data, cookies and online identifiers and other relevant information that allows us to provide you with details of other services that may be useful to you.

We may process more sensitive information, also known as special categories of personal data, about you. This may include information which may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.

This data will only be used where we can show we meet the necessary conditions for processing set out in the GDPR/Data Protection Act 2018 and will only be processed to meet a defined need. For further information on our processing of Special Category data, please see the Appropriate Policy Document on our policies page, and our individual service privacy notices.

Usually your personal data is provided directly by you, when you contact us to ask us about a service you need, or to tell us we have done a good job or you are unhappy with the service you have received.

This information is collected online, via emails that you send to us, in the letters you write to us, or when you phone us or visit our offices/outreach locations, including images captured on council CCTV systems (NB: CCTV also covers body worn cameras and other recording equipment).

Your information might also be provided to us by another organisation or partner. Sometimes this is because you have contacted them when it should have been sent to us, or it may be because you have asked them to act on your behalf (like your Councillor). We may also receive your information from our partners if they feel you need our support/intervention and the law allows them to do so.

We may receive your data from agencies who we work with to prevent and detect fraud and crime, where the law permits us to do so.

We may collect information from social media, where information has been made public, where you have given us permission to do so, where the law allows, or if you post on one of our social media pages.

If you have an online account with us, you will be able to see the questions, comments and issues you have raised with us:

  • via our online form or email to our customer services email
  • through our customer service staff who answer our phones and manage our customer service centres or outreach locations

There are a number of legal reasons that allow us to collect and use your personal information.

Generally, we collect and use personal information where:

  • you have requested a service from us
  • it is necessary to meet our legal obligations
  • you have entered into a contract with us
  • it is necessary to protect public health
  • it is required for the defence of legal cases
  • it is needed for employment purposes
  • you, or your legal representative, have given us your consent
  • you have made your information publicly available
  • it is necessary for law enforcement reasons and to prevent and detect fraud or crime
  • we need to protect individuals from harm (in an emergency), or
  • it is necessary for archiving, research, or statistical purposes - for these purposes your data would be used in a pseudonymised format (name and other identifying information replaced with a unique number)

If you have given us your consent we may contact you about other services appropriate to your needs (this type of processing may involve profiling/automated processing).

We may also use your personal information to monitor/improve our performance in responding to your request and to assist in service planning to ensure our services meet our customers' needs.

Web statistics about your visit to our site are collected automatically. This information is used to help us follow browsing preferences so that we can regularly improve our website. These statistics do not contain personal data.

If your experience would be improved by our website knowing your location, we will ask permission to obtain your current location from your device. This can include coordinates, direction of travel and the time the data was recorded. This location data is not tracked and is used in providing specific service requests.

If we rely on your consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact our Data Protection Officer and tell us which service you are using so we can deal with your request.

Where the council is legally required to retain your information we may not be able to delete your data and we will advise you of what is being retained and why.

Information will be shared among officers, councillors and other partner agencies where the law allows or requires it, to help deliver the services you require, and to improve our services. We will only use/share the minimum personal data necessary at all times.

We may also be legally required to share your personal data with law enforcement bodies such as the police, government authorities and other organisations, for the prevention and detection of crime or fraud.

If you do not wish certain information about you to be exchanged within the Council, you can request that this does not happen by contacting our Data Protection Officer, although this may affect our ability to provide some services.

We do not share your personal information with any third parties other than those who deliver services on our behalf, who have been carefully selected to do so, or where the law requires us to.

We will only share the minimum necessary information and will always consider your rights before we decide to share your information.

We will always ensure we keep your information safe and secure while it is in our care, and while in transit to our service providing partners or other agencies we are required to share it with.

We carry out checks to ensure our partners and service providers apply the same level of care and security to the data we pass to them. We are explicit with our partners/service providers that they may only use your data to provide the services you requested. However, we may provide your personal information to partners/other organisations where it is necessary, either to comply with the law, or where data protection law permits us to (for example to prevent or detect crime or to protect you).

We will not disclose any information you provide to us “in confidence” without your permission unless we are required to by law or if we have good reason to believe that not sharing the information would put you or someone else at risk.

If we need to share your sensitive personal information including medical details or other confidential information we will only do this with your express consent or where we are legally required to do so. We may disclose information to prevent harm to an individual.

We will never share your information with third parties for marketing or sales purposes or for any commercial use without your express consent unless the law requires us to do so.

We do not buy or sell any personal data, unless the law requires us to.

All our staff undertake data protection training and know the importance of accuracy of personal data held about our staff and customers.

Staff are encouraged to ensure we keep your data up to date and accurate.

We also encourage you to contact us to let us know if your information has changed.

The council has a legal obligation to work with partner agencies, including credit reference agencies, to share information to prevent or detect crime and fraud.

We are obliged to do this on request and will only do this to verified agencies or where we have a contract and relevant information sharing agreement in place.

We will only share necessary information and will always do this using secure channels.

The council wants you to be able to trust us with your personal information; we take our responsibilities as guardians of it very seriously.

We know you need to give us your information for us to provide you with services, and often because you are required by law to give it to us. That makes it even more important that we treat it with the utmost care and respect, and data security is a key part of this.

We keep our systems secure so you can be confident in our ability to look after it. We are subject to regular testing to ensure we meet government minimum standards of security and we strive to exceed these standards where possible. We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.

Electronic data is stored on secure systems and we control who has access to information (using both physical and electronic means).

We ensure all of our contractors who need access to your data to deliver services are meeting the same standards as we do as a minimum. We regularly review our arrangements with them to ensure they keep us up to date on any changes or improvements to their systems and processes. They are also obliged by law to let us know if they have a breach involving the personal information of our staff or customers.

When we do share your data, we do it via secure channels and will not share more than is necessary for the task.

If we are collecting sensitive personal information about you, we will take extra care to ensure your personal information and privacy rights are protected.

Our staff all attend regular data protection training and are all aware of their role in keeping your data secure. We employ a Data Protection Officer (DPO). It is their role to ensure the organisation is provided with the right information and advice on complying with the laws around data protection. They are also there to support you in engaging your rights and addressing your concerns. All staff and customers are actively encouraged to contact the DPO for advice if needed.

We have a breach management procedure to ensure if something does go wrong we manage the situation appropriately and contact you to explain what has gone wrong, what we are doing to fix it, and your rights.

Payment security

All electronic forms that request financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.

If you use a credit card to pay we will pass your credit card details securely to our payment provider. Other payment methods are handled in a similar manner. The Council complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details.

We cannot guarantee the security of your home computer or the internet, and any online communications (eg information provided by email or via our website) are at the user’s own risk.

The council has an established Data Protection Impact Assessment process to ensure all new work and reviews of existing systems and processes which involve personal data consider the impact on your privacy.

This process means that our staff and partners consider your privacy from the outset of any new piece of work and continue to review its likely impact throughout the life of the project.

Data Protection impact assessments for major projects where there is significant potential impact on data privacy are also provided to our council committees for consideration, to allow effective decision making around council policy and new work.

The Council stores your data within the European Union. Some organisations which provide services to us may transfer personal data outside of the European Economic Area, but we will only allow them to do so if your data is adequately protected.

For example, some of our systems use Microsoft products. As Microsoft is an American company, it may be that using their products results in personal data being transferred to or accessible from the USA. However, we will allow this as we are certain personal data will still be adequately protected.

The council will only keep your personal information for as long as it is needed. In some cases, the law dictates that we must keep it for longer periods than our customers would expect.

We have a data retention schedule which details what personal information we hold and for how long for each of the services we provide.

If you would like more information on how long your information will be held, please contact the Data Protection Officer or view our retention schedule.

The legislation gives all data subjects (individuals like you) rights over the use of their data.

Our Data Protection Officer is employed to support members of the public in understanding and exercising their rights.

While we would prefer to receive your request in writing you can also contact us in person, by phone, email or social media channels. If you have any queries about access to your information, please contact our Data Protection Officer.

Please be aware we may require additional identification to verify who you are or evidence you have the appropriate authority to make the request.

We will answer your request within one calendar month of acknowledgement (we may need further information from you to clarify your request, expectations and confirm your identity to ensure we provide what you need and only to you or a third party you have authorised). We can extend the deadline for up to three calendar months for more complex requests. We will let you know if this is the case.

There is usually no charge for accessing your information and where possible we will provide it to you in an electronic format unless you request another format.

What are my ‘rights’?

15.1. Your right to be informed

We will keep you informed about how your personal information is used by us via privacy notices like this one. It would be impossible for us to put all the information about how we use your data across the various teams and services the council operates in one document.

The council has adopted a tiered approach to privacy. This means that in addition to this notice, which explains broadly how we will use your data, when you contact the council for the first time about a new service we will provide you with information about how we use your data to provide that specific service. This may be done electronically (on an e-form, by response email), on the phone (verbally, using a pre-recorded message) or in writing (on a paper form or letter). All service privacy notices are also held on the council’s website for your information.

15.2. You can ask for access to the information we hold on you (right to see)

You have the right to ask the council for the information we have about you. When we receive a request from you, we must give you access to everything you have asked for, if we hold it. This applies to personal information that is in both paper and electronic records.

However, we cannot let you see any parts of your record which contain:

  • confidential information about other people
  • data likely to cause serious harm to your or someone else’s physical or mental wellbeing
  • information that, if provided, may stop the prevention or detection of a crime

If you have any queries about access to your information, please contact our Data Protection Officer.

We will answer your request within one calendar month of acknowledgement (we may need further information from you to clarify your request, expectations and identity to ensure we provide what you need and only to you or a third party you have authorised).

There is no charge for accessing a single copy of your information and where possible we will provide it to you in an electronic format unless you request another format.

15.3. You can ask to change information you think is inaccurate

You should let us know if you disagree with something written on your file.

We may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

Please contact the Data Protection Officer to inform us of any inaccuracies.

15.4. You can ask to delete information (right to erasure)

In some circumstances you can ask for your personal information to be deleted, for example:

  • where there is no current legal reason for the use of your information
  • where your personal information is no longer needed for the reason it was collected in the first place
  • where you have removed your consent for us to use your information (and we have no other legal reason to use it)
  • where deleting the information is a legal requirement

Where your personal information has been shared with others, we will take steps to make sure those using your personal information comply with your request for erasure.

Please note that we cannot delete your information where:

  • we are required to have it by law
  • it is there for public health purposes
  • it is for scientific or historical research, or statistical purposes where it would make information unusable
  • it is necessary for legal claims

15.5. You can ask to limit what we use your personal data for

You have the right to ask us to restrict what we use your personal information for where you have identified inaccurate information, and have told us about it.

When information is restricted, it cannot be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it is for important public safety in the UK.

Where restriction of use has been granted, we will inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information for any council service. However, if this request is approved, this may cause delays or prevent us delivering that service.

Where possible we will seek to comply with your request, but we may need to hold or use information because we are required to by law.

15.6. You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we are using your personal information with consent or as part of the performance of a contract we have with you (not if we are required to use your data by law). It is likely that data portability will not apply to most of the services you receive from us.

15.7. Your right to object and your rights around automated decisions and profiling

You can object to your personal data being used for profiling, direct marketing or research purposes.

You can ask to have any computer-made decisions explained to you, and details of how we may have 'risk profiled' you.

You have the right to question decisions made about you by a computer, unless it is required by law, or you have consented to it.

You also have the right to object if you are being 'profiled'. We only use your personal information to profile you with your express consent, in order to deliver the most appropriate services to you.

If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer.

Since April 2013, The Health and Social Care Act 2012 has given local authorities the power to perform public health functions.

This means that the Council has "a duty to improve the health of the people and responsibility for commissioning appropriate public health services" and the statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012. See the 'Public Health' section below for further details.

North Northamptonshire Council will have access to the following data:

  • Primary Care Mortality Database (PCMD) – The PCMD holds mortality data as provided at the time of registration of the death along with additional GP details, geographical indexing and coroner details where applicable.
  • Births and Vital Statistics datasets – Births files include date of birth, sex, birthweight, address, postcode, place of birth, stillbirth indicators and age of mother. Deaths data includes: deaths broken down by age, sex, area and cause of death sourced from the deaths register.
  • Hospital Episode Data (HES) – HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient's time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data.

This data is supplied to Public Health by NHS Digital under section 42 (4) of the Statistics and Registration Service Act 2007, as amended by section 287 of the Health and Social Care Act 2012, and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

Lawful basis for processing this data

Statutory public health duties that the data will be used to support:

Duty to improve public health: Analyses of the data will be used to support the duty of the local authority under Section 12 of the Health and Social Care Act 2012 to take appropriate steps to improve the health of the population, for example by providing information and advice, services and facilities, and incentives and assistance to encourage and enable people to lead healthier lives.

Duty to support Health and Wellbeing Boards: Analyses of the data will be used to support the duty of the local authority and the Clinical Commissioning Group (CCG)-led Health and Wellbeing Board under Section 194 of the 2012 Act to improve health and wellbeing, reduce health inequalities, and promote the integration of health and care services; the data will also be used to support the statutory duty of Health and Wellbeing Boards under Section 206 of the 2012 Act to undertake Pharmaceutical Needs Assessments.

Duty to produce Joint Strategic Needs Assessments (JSNAs) and Joint Health and Wellbeing Strategies (JHWSs): Analyses of the data will be used to support the duty of the local authority under Sections 192 and 193 of the 2012 Act to consult on and publish JSNAs and JHWSs that assess the current and future health and wellbeing needs of the local population.

Duty to commission specific public health services: Analyses of the data will be used to support the local authority to discharge its duty under the Local Authorities Regulations 2013 to plan and provide NHS Health Check assessments, the National Child Measurement Programme, and open access sexual health services.

Duty to provide public health advice to NHS commissioners: Analyses of the data will be used by Local Authorities to discharge their duty under the 2013 Regulations to provide a public health advice service to NHS commissioners.

Duty to publish an annual public health report: Analyses of the data will be used by Directors of Public Health to support their duty to prepare and publish an annual report on the health of the local population under Section 31 of the 2012 Act.

Public Health responses on behalf of the local authority to licensing applications and other statutory local authority functions requiring public health input: Analyses of the data will be used by the Director of Public Health to support their duty under Part 3 of the National Health Services Act 2006 (as amended by Section 30 of the Health and Social Care Act 2012) to provide the local authority public health response (as the responsible authority under the Licensing Act 2003, as amended by the Health and Social Care Act 2012 Schedule 5 - Part 1) to licensing applications.

Legal basis for access to civil registration data (mortality, births and vital statistics) DARs

This data assists local authorities in tailoring local solutions to local problems, and using all the levers at their disposal to improve health and reduce inequalities and it helps to create a 21st century local public health system, based on localism, democratic accountability and evidence as directed in the Health and Social Care Act 2012.

Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act 2012 and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

Vital statistics:

  • Processing: General Data Protection Regulation Article 9 (2) (h)
  • General Data Protection Regulation Article 6 (1) (e)
  • Dissemination: Health and Social Care Act 2012 - s261(5)(d)

Primary Care mortality data:

  • Processing: General Data Protection Regulation Article 9 (2) (h)
  • General Data Protection Regulation Article 6 (1) (e)
  • Dissemination: Health and Social Care Act 2012 - s261(5)(d)

Births:

  • Processing: General Data Protection Regulation Article 9 (2) (h)
  • General Data Protection Regulation Article 6 (1) (e)
  • Dissemination: Health and Social Care Act 2012 - s261(5)(d)

Categories of personal data processed:

Mortality data:

  • cause of death
  • date of birth
  • NHS number
  • address and postcode
  • postcode of place of death

Births:

  • place of birth
  • address and postcode of mother
  • NHS number
  • date of birth

HES (pseudo-anonymised):

  • age
  • sex
  • ethnicity
  • GP
  • details of health including diagnosis, treatment and admission details

Alongside your Right to Object, the NHS National Data Opt-out Programme gives you the right to opt out of your confidential patient information being used for reasons other than your individual care and treatment (such as for research and planning purposes). Patients and the public will be able to use the national system from 25 May 2018. All health and care organisations will be required to uphold patient and public choices by March 2020.

There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on the specific data and what programme it relates to. For further information, please contact the Public Health team by emailing [email protected]

Last updated 09 November 2023