Corporate Privacy Notice
We have updated our Corporate Privacy Notice below
East Hertfordshire District Council is registered as a data controller with the Information Commissioner's Office (registration number: Z6717508).
East Hertfordshire District Council (“the Council”) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value your privacy and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
The Council is the data controller for purposes of the Data Protection Act (2018), and the retained EU Law version of The General Data Protection Regulation (EU) 2016/679 ("UK GDPR") (the Data Protection Legislation).
As a data controller, we have a responsibility to make sure you know why and how your personal data is being collected. This is according to relevant data protection law.
The primary laws which govern how the Council collects and uses your personal data are:
If you have questions about this privacy notice or about the use of your personal data, please contact our Data Protection Officer at:
Data Protection Officer
East Herts District Council
Personal data is defined as ‘any information relating to an identifiable living person who can be directly or indirectly identified by reference to an identifier’. Personal data is, in simpler terms, any information about you that enables you to be identified.
This Privacy Notice explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data. As an overview, it applies to information we collect when you:
- visit our website
- register for an online account
- register for and use our services
- are referred to us by other persons, agencies or organisations
- contact us with an enquiry or complaint
- participate in publicity for the Council
- are recorded on CCTV operated by the Council
This Privacy Notice sets out the Council’s corporate privacy information. Where information is provided by you to individual council departments for any particular service, you may receive a separate privacy notice setting out more specifically what personal data we are seeking from you and why. For more on service specific privacy information please see our Privacy Notices page.
We most commonly obtain your information directly from you to provide you with a service, for example, when you register to pay council tax, when you register for council services or when you apply for services for example, applying for a licence or to receive benefits etc.
We may also obtain your information from a third party where, for example, you are referred to us.
We may collect the following categories of personal data from you:
- personal contact details such as name, address, phone number, etc.
- personal identifiers such as an NHS number
- bank details
- visual images, personal appearance and behaviour
- personal or professional opinions about an individual
- family details
- housing needs
- lifestyle and social circumstances
- pension or financial activity records
- offences (including alleged offences)
In addition to the above general personal data, we may collect special category data from you. Special category data that we collect about you may include:
- racial or ethnic origin
- religious or philosophical beliefs
- Trade Union membership
- physical or mental health
- genetic or biometric data for the purpose of uniquely identifying a natural person
- sexual life or orientation
- political opinions
We may need to use your personal data to:
- fulfil our duty to protect public funds that we administer and for the prevention and detection of fraud and other lawful purposes;
- carry out the purpose for which you provided the information, for example, processing information given on a benefit claim form for the purpose of handling your claim;
- allow us to communicate and provide services appropriate to your needs and highlighting any services or additional assistance available to you;
- inform our insight which allows us to analyse patterns and trends of service usage. We use this insight for service and financial planning to help us create policies and inform decision making;
- ensure that we meet our duties, including obligations imposed on us under the Equality and Health and Safety Acts;
- meet our law enforcement functions, for example, licensing and planning enforcement and food safety where the Council is legally obliged to undertake such processing;
- comply with legal obligations, for example, the prevention and/or detection of crime;
- process financial transactions including grants, payments and benefits or where we act on behalf of other government bodies;
- allow us to verify your identity when seeking services from us and;
- carry out any functions, where permitted, under the data protection legislation.
Under the data protection legislation, we must always have a lawful basis for using personal data. Generally we collect and use personal data where:
- you, or a legal representative, have given consent;
- you have entered into a contract with us;
- it is necessary to perform our statutory duties;
- it is necessary to perform public tasks;
- it is necessary to perform our legal obligations;
- it is necessary to protect someone in an emergency;
- you have made your information publicly available;
- it is to benefit society as a whole;
- it is necessary to protect public health;
- it is necessary for archiving, research, or statistical purposes.
From time to time we may also seek your feedback on how we are performing or seek your views on services which you have been using.
Where we process your special category personal data, then we are required to comply with additional conditions in Schedule 1 of the Data Protection Act 2018. For example, conditions relating to employment or substantial public interest.
We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you need us to explain how the new purpose is compatible with the original, please contact us using the details in Part 1. If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you of this.
In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the data protection legislation and your legal rights.
We use a range of organisations, also known as data processors, to help deliver our services to you and to do this we may share your data with them. Where we have these arrangements there is an appropriate processing agreement in place to make sure that the organisation complies with data protection law.
We may routinely share your data with other data controllers where we have a legal basis to do. Where this is required, we will arrange and regularly review an appropriate data sharing agreement.
Where required, we’ll complete a data protection impact assessment (DPIA) before we share personal data to make sure we protect your privacy and comply with the law.
We may also share your personal data when we feel there’s a good reason that’s more important than protecting your privacy. This doesn’t often happen, but when we need to share your information, it will be because one of the exemptions in the Data Protection Act 2018 applies. For example:
- for the purpose of prevention and detection of crime;
- apprehension or prosecution of offenders;
- assessment and collection of tax etc.;
- information required to be disclosed by law. For example, if a court orders that we provide the information;
- functions designed to protect the public;
- for the purpose of assisting in the prevention and detection of fraud.
If you have given us your written permission your information may be shared with a named friend or family member; a support worker or other individual authorised by you or by the law to act on your behalf, such as a charity sector representative or power of attorney.
We may share information provided to us with other bodies responsible for auditing and administrating public funds where undertaking a public function. We do this to prevent and detect fraud.
We participate in the Cabinet Office's National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. For more information, please see our Fraud Prevention & Data Matching page
There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we’ll make sure that we record what information we share and our reasons for doing so.
We will not use your personal data for marketing products or services without your prior consent.
Your personal data is stored in the following ways and in the following locations:
- The Council’s servers;
- Third-party servers, operated by the Council’s service providers;
- Computers permanently located in the Council’s premises at Wallfields, Pegs Lane, Hertford and Charringtons House, The Causeway, Bishops Stortford;
- Laptop computers and other mobile devices provided by the Council to its employees;
- Computers and mobile devices owned by employees, agents, and sub-contractors used in accordance with the Council’s ICT user policies;
- Physical records stored in the Council’s premises;
- and on off-site archives used by the Council.
We will not normally transfer any of your information outside of the UK; however, there may be some rare occasions where your information leaves the UK in order to get to other organisations or if it’s stored in a system outside of the UK. We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.
We will take all practical steps to make sure your personal data is not sent to a country that is not seen as ‘safe’ by the UK government. If we need to send your information to a location outside the UK we’ll always seek advice from the Information Commissioner and make you aware first.
We will only make your information available to those who have a need to know in order to perform their council role. Some examples of the security measures we use include:
- training for our staff, making them aware of how to handle information securely, and how and when to report when something goes wrong;
- we can use encryption when data is being sent, meaning we scramble information so other people cannot read it without access to an unlock key;
- where possible we will anonymise your data. This means we will remove your identity so the people working with your data will not know your identity;
- controlling access to systems and networks allows us to stop people who are not allowed to view your personal data, from getting access to it;
- Regular testing of our technology and ways of working, including keeping up to date on the latest security updates (called patches).
You have a number of rights in relation to your personal data. Please note that not all rights are automatic and some may not be available in certain circumstances where a lawful exemption applies.
Under the data protection legislation, you have the following rights, which we will always work to uphold:
a) The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 1.
b) The right to access the personal data we hold about you. If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request” and for information on how to make a request, please see our Subject Access Requests page.
c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 1 to find out more.
d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of your personal data that we hold. Please contact us using the details in Part 1 to find out more.
e) The right to restrict (i.e. prevent) the processing of your personal data.
f) The right to object to your personal data being used for a particular purpose or purposes.
g) The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time and you can do this by either contacting the service that requested your consent or the Council’s Data Protection Officer.
h) The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
i) Rights relating to automated decision-making and profiling. Where we notify you that a significant decision has been taken about you without any human input, you can request that we reconsider the decision or take a new decision that is not taken solely by automated means. You also have the right to object if you are being profiled, this means that decisions are made about you based on certain things in your personal data. If the Council uses your personal data to profile you, in order to deliver the most appropriate service to you, you will be informed.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 1.
It is important that your personal data is kept accurate and up-to-date. Please keep us informed if any of the personal data we hold about you changes or if you notice any inaccuracies in your data.
Further information about your rights can also be obtained from the Information Commissioner’s Office, the national regulator with responsibility for ensuring compliance with data protection, using the details in part 11 below.
There are restrictions on decisions based solely on automated means without any human involvement, including restrictions on profiling. It is not anticipated that your data will be subject to automated decision making or profiling, however, if you have any queries, please contact the Council’s Data Protection Officer.
We will always aim to answer your questions and respond to requests about your data processing effectively and efficiently.
If you have a concern about the way we are collecting or using your personal data or are not satisfied with the way we handle your requests then please raise your concern with us in the first instance to allow us to carry out an internal review.
If you are still not satisfied or for independent advice about data protection, you can refer your concerns to the Information Commissioner’s Office by using the contact details below:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Further guidance on the use of personal data can be found on the ICO’s website.
www.eastherts.gov.uk contains links to other websites. Please be aware that the Council is not responsible for privacy practices on other websites and that this privacy notice only applies to information collected by this website.
We may change this privacy notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
You will be notified of any changes through the Council’s Data Protection page.
This Privacy Notice was last updated June 2021.