The new Data Protection Act 2018 and the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 gives you the right to be informed about any personal information we may hold about you.
Details of the information our services may hold about you can be found in our privacy notices.
Privacy notice information
We may use your personal information to carry out our duties and deliver services.
We decide why, what and how personal information is used and ensure it is held securely. This means we are a ‘data controller’ under the new data protection legislation.
Why we collect and use personal information
We deliver a range of services that we are either legally required to, or able to do, and undertake a number of public tasks.
We'll use your information to:
- provide, plan and manage our services
- carry out our regulatory, licensing and enforcement roles
- carry out any other tasks which we have to do by law
- make and take payments and grants and spot fraud
- listen to your ideas about our services
- tell you about our services
We can only use your personal information if we have a legal basis for doing so. The legal basis will be recorded on the relevant service area privacy notice.
Sometimes we use personal information that is considered sensitive under the legislation, such as your ethnicity or health condition, which will require extra conditions to be in place before it can be used. We can only use this type of personal data if we can meet one of the conditions and this information will be recorded on the relevant privacy notice.
Please visit the Information Commissioner's Office legal basis for processing personal data and conditions for processing special categories (sensitive) of personal data for more information.
If we're using your ‘consent’ as our legal basis to use your information you'll always be given the opportunity to make a positive statement of your consent to use it for a specific purpose, informed that you can withdraw that consent at any time, and given a contact name who can action your request to withdraw consent.
Please visit the Information Commissioner's Office consent information.
Who we share your information with
Unless a privacy notice says otherwise, we do not ordinarily share your information. Rarely, we may make an exception because there is a substantial public interest requiring us to do so. For instance, if NHS Test And Trace ask us to help in a case of suspected exposure to COVID-19, we will help. We will only pass on your details if the law says we must, or government guidance says we should.
In certain circumstances, there will be lawful reasons to share your personal information with external agencies. The service area privacy notices have details of these organisations.
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.
We'll often have completed a privacy impact assessment (PIA) before we share personal information to make sure we protect your privacy and comply with the law.
Sometimes we have a legal duty to provide personal information to other organisations. This is often because we need to give that information to courts, including:
- if we take a child into care
- if the court orders that we provide the information
- if someone is taken into care under mental health law
We may also share your personal information when we decide there’s a lawful reason that’s more important than protecting your privacy. This does not often happen, but we may share your information:
- in order to find and stop crime and fraud, or if there are serious risks to the public, our staff or to other professionals
- to protect a child
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them
For all of these reasons, the risk must be serious before we can override your right to privacy.
If we’re worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we’ll discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to yourself or others is serious enough.
There may also be rare occasions when the risk to yourself or others is so great that we need to share your information straight away without consulting you.
If this is the case, we’ll make sure that we record what information we share and our reasons for doing so. We'll let you know what we've done and why if we think it is safe to do so.
We'll only use your personal information if we need to. Where possible we'll remove details that identify you from data before using it. Or if that is not possible, only use the minimum amount of your personal data necessary to a complete a task.
If we use your personal information for research and analysis, we’ll always remove details that identify you from the information or use a different name against your information unless you've agreed that your personal information can be used for that research.
We do not sell your personal information to anyone else.
What your rights are over your information
You have the following rights in regard to your personal information, you can request to:
- access copies any records we hold about you
- have any information we hold about you corrected
- have any information we hold about you deleted or destroyed
- restrict how information we hold about you can be used or shared
- object to information about your you being held
- have any information we hold about you transferred to a third party
- challenge decisions relating to you made using automated decision making and profiling (currently we have no services that use automated decision making or profiling for decision making)
There are forms to help you if you want to make a request to exercise individual rights under GDPR and the Data Protection Act 2018.
There are reasons why we may not be able to comply with your request or we may only be able to do so partially. For example, when we are required to hold your personal information by law to perform a public task we may not be able to delete or destroy it.
For more detailed advice on your rights visit the Information Commissioner's Office (ICO).
How we keep your information secure
All personal information we record is stored securely and in accordance with the new Data Protection Act 2018 and the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
Most of the information we hold about you is held on secure internal systems. The rest is held on secure third party systems or with secure information storage companies where we have carried out checks to ensure they are secure and have contracts in place which detail their data protection obligations.
Although the majority of personal information we hold is stored on systems in the EU, as previously mentioned most of it is held on our secure internal systems, there may be some occasions when your information may leave the EU, either in order to transfer it to another organisation or be stored on a system outside of the EU.
We will have additional protections on your information if it leaves the EU, ranging from secure ways of transferring information to ensuring we have a robust contract in place with the third party involved and we will always follow the guidance from the ICO.
In order to provide you with assurance that we will hold your personal information securely we achieved the ISO 27001 Information Security Management accreditation. This is an internationally recognised information security standard, which is externally audited on a regular basis to ensure we comply. We also meet NHS information management standards through its NHS Information Governance Toolkit accreditation.
Find out more about our information security policies, and ISO accreditation and related guidance.
How long we keep your information
We do not, ordinarily, keep your personal information indefinitely. The length of time we keep personal information varies depending upon why we collected the information and any rules relating to keeping it. If there are no specific rules we may keep personal information for shorter periods.
For more information on the length of time we keep your personal information, please see our records retention schedules.
Who to contact about the information we hold about you
If you have any queries, concerns or complaints, relating to you, about how we obtain, use, store or share your personal information, or if you wish to make a request relating to your individual rights under the new legislation, please contact us:
Data Protection Officer
If you're not satisfied with our response, you can contact the Information Commissioner's Office with your concerns.
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Information Commissioners Office
Information Commissioners Office (ICO)has further advice and guidance on the new data protection laws.