Data protection

Do you know what personal information is?

Personal information can be anything that identifies and relates to a living person.

This can include information that when put together with other information can then

identify a person. For example, this could be your name and contact details.

What type of personal data do we collect

We will collect information about you when you request or receive a service, we also collect information from people who contact us requesting information about

Middlesbrough, the Council, or themselves.

This information can include your name, address, email address, telephone number and other contact information that allow us to meet our organisational and statutory

obligations to you.

How we collect your personal data

We can collect your data in multiple ways, including:

• verbally
• paper
• telephone
• email
• online forms
• website cookies
• CCTV
• other forms of image and voice recordings

This data can be collected directly from you or may be gathered from other sources, we may also need to ask other agencies or organisations for relevant data about you in order to fulfil our legal responsibilities or provide services.

Did you know some of your personal information might be ‘special’?

Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

• sexuality or sexual health
• religious or philosophical beliefs
• ethnicity
• physical or mental health
• Trade Union membership
• political opinion
• genetic/biometric data
• criminal history

There are a number of legal reasons why we need to collect and use your personal information.

The privacy notice from each service explains which legal reasons are being used.

• you, or your legal representative, have given consent
• you have entered into a contract with us
• it is necessary to perform our statutory duties
• it is necessary to protect someone in an emergency
• it is required by law
• it is necessary for employment purposes
• it is necessary to deliver health or social care services
• you have made your information publicly available
• it is necessary for legal cases
• it is to the benefit of society as a whole
• it is necessary to protect public health
• it is necessary for archiving, research, or statistical purposes
• it is in our legitimate interests

If we have relied on consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact our Data Protection Officer and tell us which service you’re using so we can deal with your request.

Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

If we have relied on legitimate interests to use your personal information, we will only do this where we do not have an existing legal duty or power covering the specific service that we are providing. Before using legitimate interest, we will first carry out an assessment to check that it is necessary and there is an appropriate balance between our interests and your rights.

When we collect personal data from you we will use it to provide you with services you have requested or require. We will not collect data from you that we do not need.

We will use the information you provide in order to:

• deliver our services – see our Statement of Public Task for further details
• maintain and update your customer records or contact details
• contact you where necessary
• obtain your opinion and feedback about the services we provide
• ensure that we fulfil our legal obligations

It may not always be possible to provide you with a services if you do not provide us with the information required to do so.

Where necessary we may share your information with other organisations and partners that provide services on our behalf. When this happens, the information provided is only the minimum necessary for them to provide that service to you. These organisations are required to keep your information safe and only use to provide a service to you.

The Council is also required by law to protect the public funds from fraud. More information is available from the National Fraud Initiative website.

Under the UK General Data Protection Regulations (GDPR) we have a legal duty to protect any information that we hold about you.

We take measures to safeguard your data and implement security standards and controls to prevent any unauthorised access to it.

Information which you have provided the council will be stored securely. It will only be used for the purpose(s) stated when the information was collected.

Some of the other measures that we use to ensure that your personal data is secure include data protection and security policies, information security incident reporting, data and device encryption, system and data access controls, user accounts and passwords, physical and environmental security, staff vetting practices, staff training and awareness, data back-ups, ICT network penetration testing, and business continuity and disaster recovery plans.

The amount of time data is kept before being disposed of will vary depending on why it was collected, how it is used, and in line with any applicable UK laws. Our retention and disposal schedule gives details about how long we keep data. This information will also be available from individual services own Privacy Notices.

The Council will only process your information overseas where the country it is transferred to has adequate data protection measures in place or where the suppliers are bound by model contract security clauses or where the supplier has signed up to an approved certification scheme or where requested by an external organisation under a legal requirement or at your request.

We will only send you information about our services and/or products if you have agreed for us to do so or we are sending you information in relation to similar services you have received in the past. You can opt out of this at any time by letting us know by unsubscribing or replying with your request.

You have the right to be given information about how and why we process your personal information. Where you have a choice about how your information will be used, we will ask you for consent. Where you do not have a choice (for example, because we have a legal obligation to process the data), we will provide you with a privacy notice. A privacy notice is a statement that explains how we use personal your information.

You have the right to be told whether we are processing your personal information and, if so, to be given the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• who the information has been, or will be, disclosed to;
• how long the information will be kept for, or, if not possible, the criteria that will be used to determine the retention period;
• details of how to request that the Council corrects or deletes your information;
• details of how to object to the way the Council uses your information;
• how to make a complaint to the Information Commissioner’s Office;
• where the information came from, if it did not come directly from you; and
• whether any automated decision-making was involved and, if so, the logic and significance behind it.

You also have a right to be given a copy of the information. This is known as the right of subject access. Details on how to start this process are below.

Right to Rectification

If you believe that information we hold about you is inaccurate, you can contact us and let us know and we will try to put it right. You can also request that we complete any incomplete data. Once we have determined what we are going to do to rectify the data, we will contact you to let you know.

Right to Erasure

You can ask us to erase your personal data in the following circumstances:

• We no longer need the personal data for the purpose it was originally collected;
• You withdraw your consent and there is no other legal basis for the processing;
• You object to the processing and there are no overriding legitimate grounds for the processing;
• The personal data have been unlawfully processed;
• The personal data have to be erased for compliance with a legal obligation; and
• The personal data have been collected in relation to the offer of information society services (information society services are online services such as banking or social media sites). Once we have determined whether we are going to erase the data, we will contact you to let you know.

Right to restriction of processing

You can ask us to restrict the processing of your information in the following circumstances:

• You believe that the information is inaccurate and you want us to restrict processing until we determine whether it is indeed inaccurate;
• The processing is unlawful and you want us to restrict processing rather than erase it;
• We no longer need the information for the purpose we originally collected it but you need it in order to establish, exercise or defend a legal claim; and
• You have objected to the processing and you want us to restrict processing until we determine whether our legitimate interests in processing the data override your objection.

Once we have determined how we propose to restrict processing of the data, we will contact you to discuss and agree this with you. We will communicate this to anyone we have disclosed your personal data to, unless this proves impossible or would involve disproportionate effort.

The request to exercise the above rights can be done verbally or in writing. However, to handle your request more effectively, please complete the Exercise of Rights request form.

As allowed by exemptions in the Data Protection Act 2018, Middlesbrough Council may disclose personal information upon request for crime and taxation purposes (Schedule 2, Part 1, Paragraph 2 exemption), or in connection with legal proceedings (Schedule 2, Part 1, Paragraph 5 exemption).

Please note that we are not obliged to comply with such requests, but will consider requests on a case by case basis in line with the requirements of the Act.

If you require disclosure of information under these exemptions, the request for disclosure form must be completed in full and returned to the Data Protection Team via email at dataprotection@middlesbrough.gov.uk or
the address below.

If you have any concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner's Office. Visit the website of the Information Commissioner's Office.