Terms & Conditions

East Hertfordshire District Council Corporate Privacy Notice

 

East Hertfordshire District Council is registered as a data  controller with the Information Commissioner's Office  (registration number: Z6717508). 

East Hertfordshire District Council (“the Council”) understands that your privacy is  important to you and that you care about how your personal data is used. We respect and  value your privacy and will only collect and use personal data in ways that are described  here, and in a way that is consistent with our obligations and your rights under the law. 

The Council is the data controller for purposes of the Data Protection Act (2018), and the  retained EU Law version of The General Data Protection Regulation (EU) 2016/679 ("UK  GDPR") (the Data Protection Legislation). 

As a data controller, we have a responsibility to make sure you know why and how your  personal data is being collected. This is according to relevant data protection law. 

The primary laws which govern how the Council collects and uses your personal data are: 

• UK General Data Protection Regulations  

• Data Protection Act (DPA) (2018) 

1. How to contact us 

If you have questions about this privacy notice or about the use of your personal data,  please contact our Data Protection Officer at: 

Data Protection Officer 

East Herts District Council 

Wallfields 

Pegs Lane 

Hertford  

SG13 8EQ 

Or  

email: data.protection@eastherts.gov.uk 

call: 0127950 2148 

2. Personal data 

Personal data is defined as ‘any information relating to an identifiable living person who can be directly or indirectly identified by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified.

3. What does this notice cover? 

This Privacy Notice broadly explains how we use your personal data: how it is collected,  how it is held, and how it is processed. It also explains your rights under the law relating  to your personal data. As an overview, it applies to information we collect when you:  

• visit our website 

• register for an online account  

• register for and use our services 

• are referred to us by other persons, agencies or organisations 

• contact us with an enquiry or complaint 

• participate in publicity for the Council 

• are recorded on CCTV operated by the Council 

This Privacy Notice sets out the Council’s corporate privacy information. Where information is provided by you to individual council departments for any particular  service, you may receive a separate privacy notice setting out more specifically what  personal data we are seeking from you and why. 

4. How we collect your personal data 

We most commonly obtain your information directly from you to provide you with a service, for example, when you register to pay council tax or when you register for council services such as applying for a licence or to receive benefits.

We may also obtain your information from a third party where, for example, you are  referred to us.  

We may collect the following categories of personal data from you: 

• personal contact details such as name, address, phone number, etc.

• personal identifiers such as an NHS number

• bank details  

• visual images, personal appearance and behaviour 

• personal or professional opinions about an individual 

• family details 

• employment 

• housing needs 

• lifestyle and social circumstances

• pension or financial activity records 

• offences (including alleged offences) 

In addition to the above general personal data, we may collect special category data from  you. Special category data that we collect about you may include:  

• racial or ethnic origin 

• religious or philosophical beliefs 

• Trade Union membership 

• physical or mental health 

• genetic or biometric data for the purpose of uniquely identifying a natural  person 

• sexual life or orientation 

• political opinions 

5. How and why we use your personal data 

We may need to use your personal data to:  

• fulfil our duty to protect public funds that we administer and for the  prevention and detection of fraud and other lawful purposes;  

• carry out the purpose for which you provided the information, for example,  processing information given on a benefit claim form for the purpose of  handling your claim; 

• communicate with you through appropriate methods including email,  telephone or post. We use Royal Mail’s Click and Drop service to send post  to you and ensure your details remain secure and are destroyed in line with  our retention schedule; 

• allow us to provide services appropriate to your needs and highlighting any  services or additional assistance available to you;  

• inform our insight which allows us to analyse patterns and trends of service  usage. We use this insight for service and financial planning to help us  create policies and inform decision making; 

• ensure that we meet our duties, including obligations imposed on us under  legislation; 

• meet our law enforcement functions, for example, licensing and planning  enforcement and food safety where the Council is legally obliged to  undertake such processing; 

• comply with legal obligations, for example, the prevention and/or detection  of crime;  

• process financial transactions including grants, payments and benefits or  where we act on behalf of other government bodies; 

• allow us to verify your identity when seeking services from us; and

• carry out any functions, where permitted, under the data protection legislation.

Under the data protection legislation, we must always have a lawful basis for using  personal data. Generally we collect and use personal data where:  

• you, or a legal representative, have given consent; 

• you have entered into a contract with us; 

• it is necessary to perform our statutory duties;  

• it is necessary to perform public tasks; 

• it is necessary to perform our legal obligations; 

• it is necessary to protect someone in an emergency; 

• it is to benefit society as a whole; 

• it is necessary to protect public health; 

• it is necessary for archiving, research, or statistical purposes.  

From time to time we may also seek your feedback on how we are performing or seek  your views on services which you have been using. 

Where we process your special category personal data, we are required to comply with  additional conditions in Schedule 1 of the Data Protection Act 2018. For example,  conditions relating to employment or substantial public interest. 

We will only use your personal data for the purpose(s) for which it was originally collected  unless we reasonably believe that another purpose is compatible with that or those  original purpose(s) and need to use your personal data for that purpose. If we do use your  personal data in this way and you need us to explain how the new purpose is compatible  with the original, please contact us using the details in Part 1. If we need to use your  personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for  which it was originally collected, we will inform you of this.  

In some circumstances, where permitted or required by law, we may process your  personal data without your knowledge or consent. This will only be done within the  bounds of the data protection legislation and your legal rights. 

6. Sharing of your personal data 

We use a range of organisations, also known as data processors, to help deliver our  services to you and to do this we may share your data with them. Where we have these  arrangements we may carry out an assurance assessment and ensure there is an  appropriate processing agreement in place to make sure that the organisation complies  with data protection law. 

We may routinely share your data with other data controllers where we have a legal basis to do so. Where this is required, we will arrange and regularly review an appropriate data sharing agreement.

Where required, we’ll complete a data protection impact assessment (DPIA) before we  share personal data to make sure we protect your privacy and comply with the law. 

We may also share your personal data when we feel there’s a good reason that’s more  important than protecting your privacy. This doesn’t happen often, but when we need to  share your information, it will be because one of the exemptions in the Data Protection  Act 2018 applies. For example: 

• for the purpose of prevention and detection of crime; 

• apprehension or prosecution of offenders; 

• assessment and collection of tax etc.; 

• information required to be disclosed by law. For example, if a court orders that we  provide the information; 

• functions designed to protect the public; 

• for the purpose of assisting in the prevention and detection of fraud. 

If you have given us your written permission your information may be shared with a  named friend or family member; a support worker or other individual authorised by you  or by the law to act on your behalf, such as a charity sector representative or power of  attorney. 

We may share information provided to us with other bodies responsible for auditing and  administrating public funds where undertaking a public function. We do this to prevent  and detect fraud.  

We participate in the Cabinet Office's National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. For more information, please see our fraud prevention page.

There may also be rare occasions when the risk to others is so great that we need to share  information straight away. If this is the case, we’ll make sure that we record what  information we share and our reasons for doing so. 

We will not use your personal data for marketing products or services without your prior  consent. 

7. Retention of your personal data 

We will not keep your personal data for any longer than is necessary in light of the  reason(s) for which it was first collected. Please see our retention schedule for more  information.

8. Location of your personal data  

Your personal data is stored in the following ways and in the following locations: 

• The Council’s servers; 

• Third-party servers, operated by the Council’s service providers;

• Computers permanently located in the Council’s premises at Wallfields, Pegs Lane, Hertford and Charringtons House, The Causeway, Bishops Stortford;

• Laptop computers and other mobile devices provided by the Council to its employees;

• Computers and mobile devices owned by employees, agents, and sub-contractors  used in accordance with the Council’s ICT user policies; 

• Physical records stored in the Council’s premises; 

• and on off-site archives used by the Council. 

We will not normally transfer any of your information outside of the UK; however, there  may be some rare occasions where your information leaves the UK in order to get to other  organisations or if it’s stored in a system outside of the UK. We will ensure additional protections on your information if it leaves the UK ranging from secure ways of  transferring data to ensuring we have a robust contract in place with that third party. 

We will take all practical steps to make sure your personal data is not sent to a country  that is not seen as ‘safe’ by the UK government. If we need to send your information to a  location outside the UK we’ll always seek advice from the Information Commissioner and  make you aware first.  

9. How we protect your data and keep it secure 

We will only make your information available to those who have a need to know in order  to perform their council role. Some examples of the security measures we use include: 

• training for our staff, making them aware of how to handle information securely,  and how and when to report when something goes wrong; 

• we can use encryption when data is being sent, meaning we scramble information  so other people cannot read it without access to an unlock key; 

• where possible we will anonymise your data. This means we will remove your identity so the people working with your data will not know your identity;

• controlling access to systems and networks allows us to stop people who are not allowed to view your personal data, from getting access to it;

• Regular testing of our technology and ways of working, including keeping up to  date on the latest security updates. 

10. Your rights

You have a number of rights in relation to your personal data. Please note that not all  rights are automatic and some may not be available in certain circumstances where a  lawful exemption applies.  

Under the data protection legislation, you have the following rights, which we will always  work to uphold: 

a) The right to be informed about our collection and use of your personal data.  This Privacy Notice should tell you everything you need to know, but you  can always contact us to find out more or to ask any questions using the  details in Part 1.  

b) The right to access the personal data we hold about you. If you want to know  what personal data we have about you, you can ask us for details of that  personal data and for a copy of it (where any such personal data is held).  This is known as a “subject access request” and for information on how to  make a request, please see our subject access request page. 

c) The right to have your personal data rectified if any of your personal data  held by us is inaccurate or incomplete. Please contact us using the details  in Part 1 to find out more. 

d) The right to be forgotten, i.e. the right to ask us to delete or otherwise  dispose of any of your personal data that we hold. Please contact us using  the details in Part 1 to find out more. 

e) The right to restrict (i.e. prevent) the processing of your personal data. 

f) The right to object to your personal data being used for a particular purpose  or purposes. 

g) The right to withdraw consent. This means that, if we are relying on your  consent as the legal basis for using your personal data, you are free to  withdraw that consent at any time and you can do this by either contacting  the service that requested your consent or the Council’s Data Protection  Officer.  

h) The right to data portability. This means that, if you have provided personal  data to us directly, we are using it with your consent or for the performance  of a contract, and that data is processed using automated means, you can  ask us for a copy of that personal data to re-use with another service or  business in many cases. 

i) Rights relating to automated decision-making and profiling. Where we notify you that a significant decision has been taken about you without any human input, you can request that we reconsider the decision or take a new decision that is not taken solely by automated means. You also have the right to object if you are being profiled; this means that decisions are made about you based on certain things in your personal data. If the Council uses your personal data to profile you, in order to deliver the most appropriate service to you, you will be informed.

For more information about our use of your personal data or exercising your rights as  outlined above, please contact us using the details provided in Part 1. 

It is important that your personal data is kept accurate and up-to-date. Please keep us  informed if any of the personal data we hold about you changes or if you notice any  inaccuracies in your data. 

Further information about your rights can also be obtained from the Information  Commissioner’s Office, the national regulator with responsibility for ensuring compliance  with data protection, using the details in part 12 below. 

11. Automated decision-making  

There are restrictions on decisions based solely on automated means without any human  involvement, including restrictions on profiling. It is not anticipated that your data will be  subject to automated decision making or profiling, however, if you have any queries,  please contact the Council’s Data Protection Officer. 

12. How to get advice or make a complaint  

We will always aim to answer your questions and respond to requests about your data  processing effectively and efficiently. 

If you have a concern about the way we are collecting or using your personal data or are  not satisfied with the way we handle your requests then please raise your concern with  us in the first instance to allow us to carry out an internal review.  

If you are still not satisfied or for independent advice about data protection, you can refer  your concerns to the Information Commissioner’s Office by using the contact details  below:  

Information Commissioner’s Office 

Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate  number.  

Email: casework@ico.org.uk 

Further guidance on the use of personal data can be found on the ICO’s website.

13. Links to other websites 

www.eastherts.gov.uk contains links to other websites. Please be aware that the Council is not responsible for privacy practices on other websites and that this privacy notice only  applies to information collected by this website. 

14. Information collected through forms and cookies  

For more information on how we use cookies and your information on our website, please  see our privacy and cookie page.  

15. Changes to this privacy notice

We may change this privacy notice from time to time. This may be necessary, for example,  if the law changes, or if we change our business in a way that affects personal data  protection. 

You will be notified of any changes through the Council’s data protection page.

This Privacy Notice was last updated October 2023.
