The Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR) give you the right to be informed about any personal information we may hold about you, under most circumstances.
Details of the information our services may hold about you can be found in our privacy notices.
We also have a website privacy policy and a cookie policy.
Privacy notice information
We may use your personal information to carry out our duties and deliver services.
We decide why, what and how personal information is used and ensure it is held securely. This means we are a 'data controller' under the data protection legislation.
Why we collect and use personal information
We deliver a range of services that we are either legally required to, or able to do, and undertake a number of public tasks.
We'll use your information to:
- provide, plan and manage our services
- carry out our regulatory, licensing and enforcement roles
- carry out any other tasks which we have to do by law
- make and take payments and grants and spot fraud
- listen to your ideas about our services
- tell you about our services
We can only use your personal information if we have a lawful basis for doing so. The lawful basis will be recorded on the relevant service area privacy notice.
Sometimes we use personal information that is considered sensitive under the legislation, such as your ethnicity or health condition, which will require extra conditions to be in place before it can be used. We can only use this type of personal data if we can meet one of the conditions and this information will be recorded on the relevant privacy notice.
If we're using your 'consent' as our legal basis to use your information you'll always be given the opportunity to make a positive statement of your consent to use it for a specific purpose, informed that you can withdraw that consent at any time, and given a contact name who can action your request to withdraw consent.
Please see the Information Commissioner's Office guide to lawful basis for more information.
Who we share your information with
Unless a privacy notice says otherwise, we do not ordinarily share your information. Rarely, we may make an exception because there is a substantial public interest requiring us to do so. We will only pass on your details if the law says we must, or government guidance says we should.
In certain circumstances, there will be lawful reasons to share your personal information with external agencies. The service area privacy notices have details of these organisations.
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.
We'll often have completed a data protection impact assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law.
Sometimes we have a legal duty to provide personal information to other organisations. This is often because we need to give that information to courts, including:
- if we take a child into care
- if the court orders that we provide the information
- if someone is taken into care under mental health law
We may also share your personal information when we decide there's a lawful reason that's more important than protecting your privacy. This does not often happen, but we may share your information:
- in order to find and stop crime and fraud, or if there are serious risks to the public, our staff or to other professionals
- to protect a child
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them
For all of these reasons, the risk must be serious before we can override your right to privacy.
If we're worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we'll discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to yourself or others is serious enough.
There may also be rare occasions when the risk to yourself or others is so great that we need to share your information straight away without consulting you.
If this is the case, we'll make sure that we record what information we share and our reasons for doing so.
We'll only use your personal information if we need to. Where possible we'll remove details that identify you from data before using it. If that is not possible, we'll only use the minimum amount of your personal data necessary to complete a task.
If we use your personal information for research and analysis, we'll always remove details that identify you from the information or use a different name against your information unless you've agreed that your personal information can be used for that research.
We do not sell your personal information to anyone else.
Internal audit
The Accounts and Audit Regulations 2015 require us to have an internal audit service to evaluate the effectiveness of our risk management, control and governance processes. To enable this, our internal audit team require access to documents, records and personal data belonging to the council, our contractors or suppliers to do their work. Further details are in the audit services charter.
What your rights are over your information
You have the following rights in regard to your personal information. You can request to:
- access copies of any records we hold about you
- have any information we hold about you corrected
- have any information we hold about you deleted or destroyed
- restrict how information we hold about you can be used or shared
- object to information about you being held
- have any information we hold about you transferred to a third party
- challenge decisions relating to you made using automated decision-making and profiling (currently we have no services that use automated decision-making or profiling for decision-making)
There are forms to help you if you want to make a request to exercise individual rights under GDPR and the Data Protection Act 2018.
There are reasons why we may not be able to comply with your request or we may only be able to do so partially. For example, when we are required to hold your personal information by law to perform a public task we may not be able to delete or destroy it.
For more detailed advice on your rights visit the Information Commissioner's Office (ICO).
How we keep your information secure
All personal information we record is stored securely and in accordance with the Data Protection Act 2018 and the UK GDPR.
Most of the information we hold about you is held on secure internal systems. The rest is held on secure third party systems or with secure information storage companies where we have carried out checks to ensure they are secure and have contracts in place which detail their data protection obligations.
Although the majority of personal information we hold is stored on systems in the UK (as previously mentioned, most of it is held on our secure internal systems), there may be some occasions when your information is transferred to another organisation or stored on a system based outside of the UK.
We will have additional protections on your information if it leaves the UK, ranging from secure ways of transferring information to ensuring we have a robust contract in place with the third party involved, and we will always follow the guidance from the ICO.
In order to provide you with assurance that we will hold your personal information securely we achieved the ISO 27001 Information Security Management accreditation. This is an internationally recognised information security standard, which is externally audited on a regular basis to ensure we comply. We also meet NHS information management standards through its NHS Information Governance Toolkit accreditation.
Find out more about our information security policies, and ISO accreditation and related guidance.
How long we keep your information
We do not, ordinarily, keep your personal information indefinitely. The length of time we keep personal information varies depending upon why we collected the information and any rules relating to keeping it. If there are no specific rules we may keep personal information for shorter periods.
For more information on the length of time we keep your personal information, please see our records retention schedules.
Who to contact about the information we hold about you
If you have any queries, concerns or complaints, relating to you, about how we obtain, use, store or share your personal information, or if you wish to make a request relating to your individual rights under the new legislation, please contact us:
email: access2info@derbyshire.gov.uk
Data Protection Officer
County Hall
Matlock
Derbyshire
DE4 3AG
If you're not satisfied with our response, you can contact the Information Commissioner's Office with your concerns.
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate).
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
The Information Commissioner's Office (ICO) has further advice and guidance on the new data protection laws.