Surrey County Council is committed to protecting your privacy when you use our services. The Privacy Notice below explains how we use information about you and how we protect your privacy.
What is personal data?
Your personal data can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details. Some information is 'special' (special category data) and needs more protection due to its sensitivity.
What is special category data?
It's often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:
- sexuality and sexual health
- religious or philosophical beliefs
- ethnic origin
- physical or mental health
- trade union membership
- political opinion
- genetic data
- biometric data
- criminal history
Why does Surrey County Council need your personal data?
For some of our services, we need to use your personal data so that we can deliver our range of statutory services to support you. Quite often we will need to contact you in order to communicate with you, to investigate any concerns or complaints you have about our services and as part of our continuous improvement to deliver better services. We need your data to help with research and planning of new services.
There are many pieces of legislation that require us to use your personal data. The main ones for the council are the Local Government Acts and the Localism Act 2011, but there are many more. In most cases there is a law that says we must or we can process your data and we can do so without your consent or permission.
For some services we process your data under a contract for example: providing transport for your child, your blue badge etc. Where we do not directly provide the service, we may need to pass your personal data onto the organisations/providers that do so. These providers are under contract and have to keep your details safe and secure, and are used only to provide the service. Our website has a list of contracts and the companies that we deal with.
How the law allows us to use your personal data
There are a number of legal reasons why we need to collect and use your personal information.
Our service specific privacy notices explain for each service which legal reason is being used. Generally we collect and use personal data where:
- you, or your legal representative, have given consent
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to deliver health or social care services
- you have made your information publicly available
- it is necessary for legal cases
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes
If we have consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact the specific service that you are in communication with who will deal with your request.
Using your information for a specified purpose
We take careful consideration to only collect and use personal information if we need it to deliver a service or meet a requirement. There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details we'll only collect your survey responses. Please be aware that there is a possibility we will use your personal data for research and statistical analysis purposes.
Please be reassured that we handle the use and collection of your personal data seriously and that we don't sell your personal information to anyone else.
Conditions for criminal offence data, enforcement investigations and prosecutions
Where we are undertaking an investigation we are processing personal information under Part III of the Data Protection Act 2018 (DPA) for law enforcement purposes. The six law enforcement purposes are broadly the same as those in GDPR. Transparency requirements are not as strict, due to the potential to prejudice an ongoing investigation in certain circumstances.
When processing sensitive data, we must be able to demonstrate that the processing is strictly necessary and satisfy one of the conditions in Schedule 8 of the DPA or is based on consent.
The law gives you a number of rights to control your personal data when it is used by us:
- The right to be informed – this privacy notice is part of your right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The right of access means you can ask for access to the information we hold on you
When we receive a request from you in writing, we will in most cases give you access to what we've recorded about you. However there are circumstances and exceptions where this is not possible as the examples below:
- Where there is confidential information about other people; or
- Where a duty of confidentiality exist; or
- Where there is personal data that a professional thinks will cause serious harm to your or someone else's physical or mental wellbeing; or
- Where we have to consider the provisions of access to a deceased persons personal data; or
- If we think that giving you the information may stop us from preventing or detecting a crime
This applies to personal information that is in both paper and electronic records. Access to your personal data can be made via the online form.
The right of rectification means you can ask to change information you think is inaccurate
If you disagree with something written on your file please write to the appropriate service. However please be aware that we may not always be able to change or remove that information. What we will do is we'll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
The right to erasure means you can ask to delete information (this is known as the 'right to be forgotten')
In some circumstances you can ask for your personal information to be deleted. For example:
- Where your personal information is no longer needed for the reason why it was collected in the first place
- Where you have removed your consent for us to use your information (where there is no other legal reason for us to use it)
- Where there is no legal reason for the use of your information
- Where deleting the information is a legal requirement
Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request for erasure.
Please note that we can't delete your information where:
- we're required to have it by law
- it is used for freedom of expression
- it is for public health purposes
- it is for, scientific or historical research, or statistical purposes where it would make information unusable
- it is necessary for legal claims
The right to restrict processing means you can ask to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:
- you have identified inaccurate information, and have told us of it
- where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether
When information is restricted it can't be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it's for important public interests of the UK.
Where restriction of use has been granted, we'll inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any council service. However, if this request is approved this may cause delays or prevent us delivering that service. Please be aware we may need to hold or use information because we are required to do so by law.
The right to data portability means you can ask to have your information moved to another provider (data portability)
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However this only applies if we're using your personal information with consent (not if we're required to do so by law) and if decisions were made by a computer and not a human being.
It's likely that data portability won't apply to most of the services you receive from the council.
The right to object means you have the right to object to the processing of your personal data where the following applies:
- where the processing is based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling);
- where the processing is used for the purposes of scientific/historical research and statistics.
Please note that there are circumstances where your objection will not apply:
- where there are compelling legitimate grounds for the processing
- the processing is for legal claims
- where we are conducting research where the processing of personal data is necessary for the performance of a public interest task
Rights in relation to automated decision making and profiling means you can ask to have any computer-made decisions explained to you
You have the right to question decisions made about you by a computer, unless it's required for any contract you have entered into, required by law, or you've consented to it. You also have the right to object if you are being 'profiled'. Profiling is where decisions are made about you based on certain things in your personal information, such as your health conditions.
If and when Surrey County Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed through notification or our service specific Privacy Notices.
Who do we share your information with?
We work with a range of partner organisations to help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.
Sometimes we have a legal duty to provide personal information to other organisations. For example, we need to give personal data to the courts, including:
- if we take a child into care;
- if the court orders that we provide the information; and
- if someone is taken into care under mental health law.
We may also share your personal information when we feel there's a good reason to override the protection of your privacy. This doesn't happen often, but we may share your information:
- in order to prevent crime and fraud; or
- if there are serious risks to the public, our staff or to other professionals; or
- to protect vulnerable children and adults
For all of these reasons the risk must be serious before we can override your right to privacy.
If we're worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we'll discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to others is serious enough to do so.
There may also be occasions when the risk to others is so great that we need to share information straight away, for example in an emergency situation or crises management.
If this is the case, we'll make sure that we record what information we share and our reasons for doing so. We'll let you know what we've done and why if we think it is safe to do so.
The Surrey Multi-Agency Information Sharing Protocol (MAISP) has been established to support the County Council and other partners to share data safely and lawfully. Please see how we share information with other organisations for further information.
How long do we keep your personal information?
We often keep your personal data for audit purposes, legal reasons and best practice records management guidelines. There are set periods of time for keeping information which we incorporate where applicable as part of our Records Management Policy and Retention Schedules. This ranges from months for some records to decades for more sensitive records.
How do we protect and keep your information secure?
We take the protection of your personal data seriously whether it be electronic or paper records. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password).
- Verification processes in place to seek to validate and verify information
- Pseudonymisation, meaning that we'll use a different name so we can hide parts of your personal information from view.
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates
Where is your information held?
The majority of personal information is stored on systems in the UK or EU. But there are some occasions where your information may leave the UK or EU either in order to get to another organisation or if it's stored in a system outside of the UK or EU.
In order to provide efficient and value for money services, we may use third parties located in other countries to help us run our functions and process your personal data outside of the UK/EU (state country/countries). Where this includes countries outside the European Union ("EU") and to countries that do not have laws that provide specific protection for personal data, we will take steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EU are done lawfully.
Where we transfer personal data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.
Use of CCTV
We have installed CCTV systems in some of our locations used by members of the public, for the purposes of public safety and the prevention and detection of crime. In these locations signs are prominently displayed notifying you that CCTV is in operation and providing you with details of who to contact for further information about them.
We will only disclose CCTV images to third parties for the purposes as stated above of public safety and the prevention and detection of crime.
We have also installed CCTV on all our Fire Brigade emergency and training vehicles, for the purpose of monitoring driver behaviour and ensuring the safety of both members of the public and staff in the event of an incident.
Images captured by CCTV will not be kept for longer than is necessary.
We use Body Worn Cameras overtly for the purposes of e.g. deterring verbal and physical abuse to staff, capturing evidence for prosecutions, monitoring emergency incidents and to assist in capturing evidence of breaches of planning control.
Please note that Surrey County Council does not administer CCTV cameras in town centres or on the public highway. This is primarily administered by other local authorities such as the districts and boroughs or the police.
If you email us we will make a record of your contact and your email address. For security reasons we advise you keep the amount of confidential information you send to us via email to a minimum.
We use third-party web analytics tools to help us monitor how people use our websites.
Your IP address will be collected for the purpose of distinguishing between internal (staff) and external (public) usage. We do not associate your IP address with anything that is personally identifiable, so your use of our websites will remain anonymous to us.
The Council Advertising Network (CAN) is responsible for delivering external advertising on some parts of the Surrey County Council website.
Advertisers use technologies, such as cookies, and process personal data, such as IP addresses and cookie identifiers, to personalise ads and content based on your interests, measure the performance of ads and content, and derive insights about the audiences who saw ads and content.
You can also clear the cookies on your computer and read the guidance from the Information Commissioner about your right to erasure. Requests to remove personal information can also be submitted to the individual advertising platforms that we're currently working with:
It may be useful to know that for all other websites, the WebChoices tool provides a list of over 130 internet advertisers and advertising technology companies. You can choose individual advertisers or can opt of all interest-based or behavioural advertising using this tool.
Please note that using WebChoices or a direct opt-out link to opt out will not necessarily prevent advertising from being displayed on your browser. It will, however, stop advertisers from providing interest-based or behavioural advertising so you will see advertising that is not targeted/tailored to your browsing history.
Things you can do to help us:
- tell us when any of your personal details change;
- tell us when you believe your personal information has been compromised
The Data Protection Officer
The role of the Data Protection Officer is to manage the council's compliance with data protection legislation, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as an escalation point for data subjects and the supervisory authority.
If you have any concerns or questions about how your personal information is handled please contact Surrey County Council's Data Protection Officer by emailing DPO@surreycc.gov.uk
Alternatively please contact our service directly by emailing email@example.com or you can make a complaint or compliment about one of our services.
Where can I get advice?
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Alternatively, visit the ICO website or email firstname.lastname@example.org.
Personal data is information that relates to a living individual who can be either:
- identified from that data or
- can be identified from the information combined with any other information that is in the possession of the person or organisation holding the information
Basic personal data includes name, address, date of birth, telephone numbers, and bank account details. Special category data (sensitive personal data) includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, physical or mental health conditions, sex life or sexual orientation.
Data controller means the organisation that determines how data is processed. Surrey County Council is the data controller for personal data that it processes. We are legally required to comply with the Data Protection Principles.
Processing of personal data is defined very widely in data protection legislation. It covers all actions and processes involved in obtaining, recording, holding and carrying out any set of operations on, storing or destroying personal data.
Data subject is any living individual who is the subject of personal data.
Changes to this privacy notice
We keep our privacy notice under regular review.
This privacy notice is v1.6 and was published on 23 October 2020.