We are committed to protecting privacy. We are responsible for:
- handling personal data lawfully, fairly, securely and in a manner that safeguards privacy
- ensuring that individuals are able to exercise their statutory rights in relation to their personal data
Some of our teams have privacy policies that cover the specific services that they deliver. Service specific Privacy Policies
We will update this Privacy Notice from time to time as our practices change and as the law requires. We are registered with the Information Commissioner's Office as a data controller (Registration No. Z4644478).
We have a Data Protection Officer who is responsible for advising us on our data protection obligations and monitoring our compliance with those obligations.
The Data Protection Officer is our main point of contact for the Information Commissioner's Office.
Our Data Protection Officer can be contacted as follows:
- Data Protection Officer, South Lakeland District Council, South Lakeland House, Lowther Street, Kendal, Cumbria LA9 4DQ
- 01539 733 333
‘Personal data' means any information which relates to an identifiable living person. A person's name and contact details will be personal data, as will any information relating to their physical appearance, financial circumstances, cultural or social identity.
Photographs and online identifiers such as usernames and passwords can also fall within the definition of personal data.
We use personal data in circumstances where:
- you have provided consent
- you have entered into a contract with the Council
- it is necessary to comply with a legal obligation
- it is necessary to protect somebody's vital interests
- it is necessary for us to conduct the tasks that we carry out in the public interest or the exercise of our official authority; or
- it is necessary for the Council's or a third party's legitimate interests.
Some personal data is ‘special'. This means that it relates to a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexuality or sex life. It also includes genetic data and biometric data. Special personal data is subject to enhanced protection under data protection law.
We use special personal data in circumstances where:
- you have provided explicit consent
- it is necessary for the purposes of carrying out obligations and exercising rights in the field of employment, social security and social protection law
- it is necessary to protect somebody's vital interests
- you have manifestly made the information public
- it is necessary for the establishment, exercise or defence of legal claims
- it is necessary for reasons of substantial public interest
- it is necessary for the purposes of preventative or occupational medicine
- it is necessary for public health reasons; or
- it is necessary for scientific, historical or statistical reasons
Personal data relating to criminal convictions and children is also subject to enhanced protection.
More guidance on the legal protection afforded to data protection is available on the Information Commissioner's Office's website.
How we use personal data
We use personal data to manage and deliver public services, monitor quality and efficiency of public services, identify public service needs, research and organise new services, prevent and detect fraud and corruption and ensure that we meet our legal obligations.
Our public services include licensing, housing, planning, building control, street scene, parking, public protection, revenue and benefits, elections and democratic services. We also provide an economic development service.
Our public services also include the functions of corporate communications, legal services, finance, information governance, human resources, policy, consultation and performance, premises and safety, ICT and asset management.
Our website and customer access services provide access to the our services.
Sharing you personal data
We will normally notify you in advance if we are going to share your personal data with a third party.
We may share personal data between our teams to provide our services. We may also share data with central government, courts and tribunals, police and other law enforcement and prosecuting agencies, and other local authorities. In certain circumstances we may also share information with banks and building societies, insolvency practitioners, credit referencing agencies, housing associations and private landlords, citizens advice bureaux and other support agencies.
We may share personal data with our software providers, our contractors and our external advisors (who process data on our behalf) to the extent necessary for them to assist us in providing our services. We would share this in the conduct of the tasks that we carry out in the public interest.
At no time will your information be passed to organisations for marketing or sales purposes or for any commercial use without your prior express consent. We will not use your personal data for direct marketing without your prior consent.
We may share personal data where required by law for the purpose of the prevention or detection of crime, the apprehension or prosecution of offenders and the assessment or collection of a tax or duty or an imposition of similar nature. We would share this information because of a legal obligation.
The data protection legislation contains other exemptions which permit or require us to share information in certain circumstances.
How long we keep your data
We will not keep personal data for longer than is strictly necessary. Personal data will ordinarily be kept in accordance with the timescales set out in our Records Retention Policy and Records Retention Schedule.
There will be occasions when grounds exist for personal data to be held for longer than specified in our Records Retention Policy and Records Retention Schedule. In these circumstances the timescales for keeping and destroying of the data will be decided on a case by case basis.
How we protect your personal data
Our aim is not to be intrusive, and we will not ask for irrelevant or unnecessary information. The information that you provide will be subject to rigorous measures and procedures to make sure it cannot be accessed by, or disclosed to, anyone who should not see it.
Measures will include encryption, pseudonymisation, access control and system testing. We have a Data Protection Policy and an Information Security Policy. These define our commitments and responsibilities to privacy and cover a range of information security areas.
We provide initial and refresher training to all staff on how to handle personal data.
We will not keep your information longer than is necessary and when we dispose of physical or digital records we will do so in a secure way.
Where we are considering using new or potentially intrusive technologies that could impact on individual privacy we will undertake a Data Protection Impact Assessment (DPIA), which may be subject to review and approval by the Information Commissioner's Office.
Where we keep your personal data
The personal data that we collect will ordinarily be kept on our own servers based in the United Kingdom.
In some circumstances, information may be held on third party servers located outside of the EEA. Foe example where we are using a web-based service to send surveys or newsletters to its service users.
Information will only be held on third party servers outside of the EEA where either the European Commission has made a decision that the destination ensures an adequate level of protection for personal data; or in the absence of an adequacy decision, we are able to provide appropriate safeguards and ensure that enforceable data subject rights and effective legal remedies for data subjects are available.
Your personal data rights
Your right to be informed
At the point when we collect your personal data we will provide you with access to our privacy notice containing various details about how we use your personal data, including our purpose for processing the personal data, the categories of people with whom we will share the information, and our lawful basis for processing the information.
Your right to access your personal data (“Subject Access Request")
You have the right to obtain from the Council confirmation as to whether or not we are processing personal data concerning you, and where that is the case, access to that personal data and certain other details about our use of that personal data.
Your right to have your personal data rectified if it is inaccurate
You can ask us to change your personal information you think is inaccurate. We may not always be able to change or remove that information, but we will correct purely factual inaccuracies and may include your comments in the record to show that you disagree with it. Where your data has been shared with others, we will do what we can to make sure that recipients also comply with your request. Please also see "Your right to ask us to restrict our use of your personal data" below, which may be relevant during any period between your submission of a request for rectification and our determination of that request.
Your right to be forgotten
You can ask use to erase your personal data where:
- it is no longer necessary for us to process it
- we are processing the data on the basis of your consent alone (i.e. we are not processing the data on the basis of our statutory functions, etc.) and you have withdrawn your consent
- we are processing the data on the basis of our statutory functions, and you have objected to our use of your data (see "Your right to object to our processing of your personal data" below), and we have accepted your objection
- we have processed the data unlawfully; or
- there is a legal obligation (e.g. a court order) requiring us to erase the data
Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request for erasure.
Please note that the right to be forgotten is subject to limitations and exemptions.
Your right to ask us to restrict our use of your personal data
You have the right to object to our use of your personal data, on grounds relating to your particular situation, where we are using your data on the basis of either a legal obligation, our tasks carried out in the public interest or the exercise of our official authority.
On receipt of an objection, we must cease using the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or we require use of the data for the establishment, exercise or defence of legal claims.
Your right to ask us to have your personal data sent to somebody else
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability. This only applies if we're using your data on the basis of your consent alone (i.e. not as part of our statutory functions) and if processing is carried out by automated means.
It is likely that this right will not apply to most of the services that you receive from the Council.
Your right not to be subject to decision-making made solely by a machine
You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly affects you. This includes the right to have automated decisions explained to you and the right to question the automated decisions that have been made.
Your right to complain
See our contact details page for details of how to complain.
In addition to our own complaints procedure, if you have concerns about how we have used your personal data, then you have the right to complain to the Information Commissioner's Office, whose details are as follows:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- 0303 123 1113 (local rate) or 01625 545 745 (national rate)