Information about how we gather and use information to support our services.
We gather and process information to deliver services to citizens and communities, to carry out our statutory functions and ensure that:
- services can be delivered effectively and efficiently
- employment relationships with our staff are managed
We'll do this in accordance with the Data Protection Act 2018. In compliance with our obligations, we're registered as a data controller with the Information Commissioner's Office (ICO) under registration Z7145991.
What's personal data?
Personal data is information about a living person that means we can work out who they are, such as their name, address, telephone number, date of birth, bank details and so on. This can include written letters or emails, photographs, and audio and video recordings.
Some data is called special category data. This includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, biometric data such as fingerprints and facial recognition, and genetic data such as DNA.
Why we collect, use and store your information
We're required to process personal data lawfully and our Data Protection Policy sets out our commitment as to how we'll comply with the Data Protection Act 2018.
As a local authority, we've a lawful basis for gathering and processing information:
- where necessary for the delivery of services
- to ensure that we undertake our statutory functions and public tasks when required to do so by law, including those relating to diversity and equalities
- to safeguard public safety
- where there is a risk of harm or in emergency situations
Where we need your consent we'll ask for it.
For some services, we need to use your personal data to get in touch with you and deliver services. For example, we use your data to:
- provide our services and anything we must do by law
- undertake our regulatory, licensing and enforcement roles, which we have to do by law
- make payments, grants and benefits
- spot fraud
- listen to your ideas about our services
- tell you about our services
If personal data is subject to an automatic decision making process (by a computer) then we'll inform you of this in our individual service privacy notices. Any automatic decision making results will be subject to a final decision by a council officer.
Providing personal information
To ensure that your personal information is reliable, accurate and up to date, it's expected when providing information that you:
- provide us with accurate information
- inform us as soon as possible if there are any changes to your personal information
Steps we take to keep your personal data safe and secure
We've a responsibility to keep your information safe and we respect your privacy. All of our employees are required to undertake data protection and information security training to ensure that personal data is processed in accordance with data protection principles.
We'll not disclose personal information to third parties for marketing purposes without your consent or use your personal data in a way that may cause damage or harm to you.
Information is processed by the council in the UK or in the EU. However, we'll inform you within our Services Privacy Notices of any instances where this may not be the case.
How long we keep your personal data
There are factors that can affect how long we keep your personal data for. This includes:
- your personal data rights
- where a record including your information forms evidence gathered as part of an investigation
- where a record including your information is selected for permanent preservation
We'll only hold your personal data for as long as is necessary for business purposes or if we're required to keep it by law.
You can find out how long we keep information and data within our retention schedule.
Within the council we may share your information between our services:
- so that the information held about you is up to date
- to allow us to improve our services to you
We may need to share your information with other people and organisations who'll carry out activities on our behalf. Where this happens, we'll ensure satisfactory protection by having contracts and sharing agreements in place that define the security controls and stipulate that data is held safely and securely.
Fraud detection and prevention
We're required by law to protect the public funds we administer and there are circumstances under which we're legally required to disclose information. These purposes are:
- performing statutory enforcement notices
- disclosures required by law
- detecting/preventing crime and/or fraud
- auditing and/or administering public funds
We may share information provided to bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. Organisations include:
- the Cabinet Office
- other local authorities
- Audit Scotland
- the Police
We may use data matching to help us identify people who need additional support or if a potential incident affects us. This may require us to share information with partner organisations to respond to the incident.
Test and Protect
Test and Protect was launched across Scotland on 28 May 2020 and aims to prevent the spread of Covid-19 in the community.
We need to gather contact information from customers and visitors at our premises, which may be passed to the NHS Test and Protect Service, in the event that an incidence of Covid-19 is identified.
The information that you provide will be held securely and will be destroyed after 21 days, and will only be used if requested by NHS Scotland or statutory partners.
More information about the lawful basis for processing your personal data and information during the pandemic can be found in our Covid-19 privacy notice.
Council service privacy notices
You can find out more details about how our services use your personal data within their separate privacy notices.
You've certain rights over your personal data. Some of these rights are only available in certain circumstances and are usually dependent on the legal basis upon which we hold your data.
Depending on why we need to process your personal data, you'll have rights to how your information is used. You'll find further information about how our various services use your personal data within our service privacy notices.
We've a lawful basis for the gathering and processing of information necessary for the delivery of critical services. You've the right to request that we stop processing your personal data in relation to any of our services. However, this may cause delays or prevent us delivering a service to you.
Where possible, we'll seek to comply with such requests, but this may not be possible where we're required by law to process your data, for example to safeguard public safety, where there is a risk of harm or in emergency situations.
Where we rely on your consent to process information you've the right to withdraw this consent at any time. Details of how to withdraw your consent will be given to you at the time you provide your consent.
You can ask to see what data we hold about you and ask to be sent a copy. This is called a subject access request.
Subject Access Requests are free of charge. However, where a request is manifestly unfounded or excessive then we may ask for a reasonable fee to cover administrative costs associated with your request.
We endeavour to respond to enquiries within 30 days of their submission. If the matter is complex we may need more time, but you'll be informed of this.
You can also ask us to:
- correct your data if you think it's wrong (right to rectification)
- delete your personal data in certain circumstances (right to erasure)
- stop using your data if you think it's wrong or we shouldn't have it (right to restriction)
- stop using your data if you think we no longer should be using it (right to object)
- transfer the information you gave us from one organisation to another or give it to you. This right only applies if processing is based on consent or in talks about entering into a contract and the processing is automated (right to data portability)
- consider any complaint you have about how we have used your data
You can visit the ICO website to learn more about your data rights.
In addition you've the right to:
- not be subject to a decision that's based solely on automated processing if the decision affects your legal rights or other equally important matters. For example, e-recruiting practices without human intervention.
- understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions
- object to profiling in certain situations including direct marketing
Requests for information or complaints
Please consult our data protection page for details of how to submit a request for your personal data.
Should you wish to make a complaint about how your personal data or information has been managed, you can contact our Data Protection Officer by email at email@example.com or write to:
Data Protection Officer
East Renfrewshire Council
For independent advice or to lodge a complaint about data protection, privacy or data sharing issues, you can write to the Information Commissioner's Office (ICO) at:
Information Commissioner's Office
Alternatively, you can phone 0303 123 1113 or email firstname.lastname@example.org.
Links to other websites and cookies
Where we provide links to other websites, we're not responsible for the content as these are provided purely as a courtesy.
We accept no liability in respect of the content nor the availability of the linked websites. You should read their privacy notices to learn how they deal with your information.
Changes to this privacy statement
We'll keep our privacy notice under regular review to reflect changes in our services, feedback from our service users and to comply with changes in the law.