Corporate privacy notice

Purpose of this notice

The London Borough of Croydon (LBC) is committed to protecting your privacy when you use our services. We are registered as a data controller with the Information Commissioner’s Office (ICO). This Privacy Notice explains how we use information about you and how we protect your privacy. At the top of this webpage you will see a list of the services we provide. Under each service is more detailed information about how we use your information for specific services, who we may share your information with and why.

How to contact us

  • We can be contacted at Croydon Council, Bernard Weatherhill House, 8 Mint Walk, Croydon, CR0 1EA. Telephone 020 8726 6000
     
  • We have a Data Protection Officer (DPO) who is responsible for informing and advising the Council on its data protection obligations and monitoring the Council’s internal compliance together with acting as a single point of contact for you and the ICO. If you wish to contact the Data Protection Officer, Billy Machekano, please email DPO@croydon.gov.uk or telephone on 0208 726 6000 and ask to speak with the Data Protection Officer.

Where can I get independent advice?

For independent advice about data protection you can contact the Information Commissioner’s Office at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5A or email casework@ico.org.uk or call 0303 123 1113 or 01625 545 745

Do you know what personal information is?

Personal data can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify you. Examples of personal data could be your name, address, telephone number, date of birth or financial information.

Did you know that some of your personal information might be “special”?

Some data is categorised as “special category data” and needs more protection due to its sensitivity. Often, it is information that is very personal to you and is likely to include:

  • racial or ethnic origin
  • religious or other beliefs of a similar nature
  • physical or mental health or condition
  • sexuality or sexual health
  • trade union membership
  • genetic/biometric data
  • political opinion
  • physical or mental health
  • criminal history

Why do we need to collect and use your personal information?

We may need to use some information about you to deliver services to you, for example:

  • we can’t collect your rubbish if we don’t know your address
  • manage the services we provide to you
  • help investigate any complaints or worries you have about the services provided to you
  • keep track of spending on services
  • check the quality of services and
  • to help with research and planning new services

How the law allows the Council to use your personal information

The Council will process (that means collect, store and use) the personal information you provide to us in accordance with the law.

There are a number of legal reasons why we need to collect and use your personal information. Each privacy notice from the menu at the top explains, for each service, which legal reason(s) is being used to process your personal information.

Generally we collect and use your personal information where:

  • you, or your legal representative, have given consent
  • you have entered a contract with the Council
  • the data is necessary to perform our statutory duties or it is required by law
  • it is necessary to protect you or someone in an emergency
  • it is necessary to perform a task carried out in the public interest

If we have consent to use your personal information, you have the right to remove the consent at any time. If you want to remove your consent, please contact informationmanagement@croydon.gov.uk and tell us which service you are using so we can deal with your request.

We only use what we need

Where we can, we will only collect and use your personal information for the specified purpose for which it was collected except where the law allows us to use it for another purpose. We shall keep your personal information accurate and updated. It shall not be kept longer than necessary and shall be relevant and not excessive in relation to the purpose or purposes for which it was collected.

If we do not need personal information we will keep your information anonymous. For example, in a survey we may not need your contact details but only your survey responses. If we use your personal information for research and analysis we always keep you anonymous unless you have agreed that your personal information can be used for that research.

Your Rights

The law gives you a number of rights to control what personal information we use and how it is used. These are some of your rights:

You can ask for access to the information we hold about you

This applies to your personal information that is in both paper and electronic records. You can ask for your records by contacting the Information Management team at the Council at SAR@croydon.gov.uk.

When we receive a request in writing, we will give you access to everything we have recorded about you. However, we cannot let you see any part of your record which contains:

  • confidential information about other people or
  • data which is likely to cause serious harm or distress to you or likely to affect your physical or mental wellbeing or
  • if we think that giving you the information may stop us or any law enforcement agency from preventing or detecting a crime.

If you cannot ask for your records in writing we will make sure there are other ways that you can ask for your information. If you have any concerns regarding making a request in writing please telephone 020 8726 6000 and ask to speak to a member of the Information Management Team.

You can ask to change information you think is inaccurate

You should let us know if you disagree with something written on your file. We may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

You can ask us to delete information (the “right to be forgotten”)

You have the right to ask us to delete your personal information, for example where your personal information is no longer needed for the reason why it was collected in the first place, or where you have withdrawn your consent for us to use your personal information and there is no legal obligation for the Council to use it. Where your personal information has been shared with others legally, we will use reasonable endeavours to make sure the third party also deletes your data where you request this.

You can ask us to limit how we use your personal information

You have the right to ask us to restrict what we use your personal information for where, for example, you have identified inaccurate information and have told us of it, or where you want us to restrict what we use it for rather than erase the information altogether.

You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format; this only applies where we are using your personal information with your consent and not if we are using it under any other legal basis.

You have a right to ask for any computer made decisions to be explained to you and to request details of how we may have “risk profiled” you

You have the right to question decisions made about you by a computer unless it is required for any contract you have entered into, required by law or you have consented to it.

You also have the right to object if you are being “profiled”. Profiling is where decisions are made about you based on certain things in your personal information e.g. your health condition.

If and when the council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.

You can exercise any of these rights by contacting us at informationmanagement@croydon.gov.uk and providing details of the right you wish to exercise and the service involved.

Who do we share your information with?

We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with the law. We will often complete a data protection impact assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law.

Sometimes we have a legal duty to share your personal information with other organisations. This may be because we need to give that data to the courts, including:

  • if we take a child into care;
  • if the court orders that we provide the information; and
  • if someone is taken into care under the mental health law.

We may also share your personal information when we feel there is good reason that is more important than your privacy. This does not happen often but we may share your information:

  • in order to find or stop a crime or fraud; or
  • if there are serious risks to the public, our staff or to other professionals;
  • to protect a child; or
  • to protect adults who are thought to be at risk for example if they are frail, confused or cannot understand what is happening to them.

For all these reasons the risk must be serious before we can override your right to privacy.

If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways we will discuss this with you and if possible, get your permission to tell others about your situation before doing so.

We may still share your information if we believe the risk to others is serious enough to do so.

There may also be rare occasions when the risk to others is so great that we need to share information straight away.

If this is the case we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why if we think it is safe to do so.

Set out below is a list of organisations/bodies and individuals by way of example we may need to share your personal information with where this is necessary and required by law.

  • customers, service users and employees
  • representatives of customers, service users and employees
  • legal representatives
  • trade unions
  • current past and prospective employers
  • healthcare, social and welfare organisations
  • educators and examining bodies
  • providers of goods and services
  • data processors
  • local and central government
  • ombudsman and regulatory bodies
  • financial organisations
  • debt collection and tracing agencies
  • credit reference agencies
  • press and the media
  • law enforcement and prosecuting authorities
  • international law enforcement agencies and bodies
  • courts and tribunals
  • housing associations, landlords and tenants panels
  • charitable, religious and voluntary organisations
  • political organisations
  • elected members including members of parliament
  • survey and research organisations

More specific details are set out on the individual specific service notices at the top of this corporate privacy notice.

How do we protect your information?

We will do what we can to make sure we hold personal records about you (paper and electronic) in a secure way and we will only make them available to those who have a right to see them. Examples of our security processes include:

  • Encryption – meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what is called a “cypher”. The hidden information is said to then be “encrypted”.
  • Pseudonymisation – meaning that we will use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was you.
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Training our staff to make them aware of how to handle personal information and how and when to report when something goes wrong.
  • Regular testing of technology and upgrading security measures, including keeping up to date on the latest security updates (commonly called “patches”).

You can find more information in our Security Policy by contacting informationmanagement@croydon.gov.uk.

If you think you need to report a suspected data breach, this can be done by emailing the Information Management Team direct at data.breach@croydon.gov.uk.

Where is your information stored?

The majority of your personal information is stored on systems in the UK. There are however some occasions where your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside the EU. The Council will ensure there is additional protection if your personal information leaves the UK and ensure there are robust clauses in the contractual arrangements with any third party who processes personal information outside the EU.

How long do we keep your personal information?

We will not keep your personal information for longer than is necessary. Where your information is held for a set period of time this will always be supported by a legal reason. These reasons are set out in our document retention policy. If you wish to see the retention schedule you can send your request to informationmanagement@croydon.gov.uk.

Web site privacy provision

Croydon Council will endeavour to safeguard the privacy of its website visitors. The following information explains our website data processing practice.

Email messages

We are keen to ensure that we are providing our residents with services that they need. Consequently residents have the opportunity to opt-in to receiving occasional e-mail messages from the Council on matters that we consider may be of interest to you relating to services we provide.

Information to improve our site

We collect web statistics automatically about your visit to our site based on cookies and your IP address. This information is used to help us track what people are doing on the site so that we can improve it. We don't use this information to identify you as an individual and you will remain anonymous, unless you're asked to identify yourself by completing a form or an online transaction.

Cookies

If you complete our online registration process, or subsequently log in to the site, we will use cookies to remember your preferences during your current visit, and any future visits provided the cookie was not deleted in the interim. Cookies can be deleted at the end of each visit by logging out of the site. Your browser help text will contain information about how to refuse cookies from our site should you wish. Refusing cookies from our site will not affect your ability to perform online transactions, although we will not be able to display content that is relevant to you on certain pages, nor pre-fill forms with your name and contact details where relevant.

Cookies - further information

Some independent information about cookies is available here:

Online advertising privacy policy

We display adverts on our website to support the costs of providing online services. These are provided by a specialist public sector advertising agency and there is no cost to the council for displaying these adverts.

The Council Advertising Network is responsible for delivering advertising on this Croydon Council website. Please take a moment to read their privacy policy which includes cookie information and details on how to opt out: http://www.counciladvertising.net/can-privacy-policy.html

21 May 2018