Access to Information Privacy Notice

 This privacy notice tells you how East Hertfordshire District Council collects and uses your personal information in accordance with Access to Information requests.

The type of personal information we collect

We currently collect and process the following information:

  • Your name and surname 
  • Address
  • Email address
  • Your request 
  • In responding to subject access requests (SARs), we may process any information on you held by the council 

How we get your personal information
and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • When a request is made for information under the Freedom of Information Act, Environmental Information Regulations or Re-use of Public Sector Information Regulations 
  • When a subject access request is made under the Data Protection Act 2018, UK General Data Protection Regulation (UK GDPR), or the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

We use the information that you have given us in order to answer requests for information made under the relevant access to information legislation. We will only use your personal information when the law allows us to or where it is necessary to do so for the purposes of one or more of our functions. Most commonly, we will use your personal information where: 

  • We need to comply with a legal obligation 
  • It’s necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a public body.
  • To help us confirm your identity when you contact us or access our services 
  • To provide and improve services to you
  • In limited circumstances we will ask you for your consent to use your personal information, but your consent is not required if any of the above apply

Data Sharing

Your personal information may be shared within the council so that your request can be answered. It may be shared with the department’s legal service in order to seek advice regarding your request. Your information may be shared with the Information Commissioner’s Office (ICO) in relation to any complaint made to the commissioner. 
We share your information with Digital Interactive, our third party processer in order to coordinate and respond to your request. Digital interactive provide the software we use to process access to information requests and cannot access your information.  
We will not:

  • sell or rent your information  to third parties
  • share your information with third parties for marketing purposes
  • use your personal information in analytics

We will also share your information if we are required to do so by law or regulation, for example, by court order, or to prevent fraud or other crime.

Our lawful basis for processing your information 

Under the UK GDPR, the lawful bases we rely on for processing your information are: 

  • We have a legal obligation placed on us as a data controller;  
  • We need it to perform a public task;
  • We have a legitimate public interest;
  • We have your consent which you can remove at any time by contacting the council’s data protection officer.

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.

We will, if necessary, process special categories of personal information in the following circumstances:

  • where we need to carry out our legal obligations and it is in line with our Policy for Handling Personal Data
  • where it is in line with our Policy for Handling Personal Data, it is substantially in the public interest to do so and necessary for:
    • performing our functions as a public authority
    • the prevention, investigation, detection or prosecution of criminal offences
  • where we have your explicit consent to do so, you may remove your consent at any time by contacting the council’s data protection officer using ‘our contact details’ below. We do not require your explicit consent where any of the above apply

International data transfers

We do not share your information with countries outside of the UK without ensuring that sufficient safeguards are in place that are equivalent to the UK GDPR. For this reason, we do not share your data internationally. 

Automated decision making 

There are restrictions on automated decisions based solely on automated means without any human involvement, including restrictions on profiling. Your data will not be subject to automated decision making or profiling for this purpose, however, if you have any queries about this, please contact the council’s Data Protection Officer using ‘our contact details’ below. 

How we store your personal information 

Please see the Corporate Privacy Notice

How long we keep your information 

We will retain your information for a period of three years after which it will be securely destroyed or deleted. This ensures that we only keep your information for as long as is required for the purposes of access to information requests. For further information, please see our Retention Schedule. 

Your data protection rights

Please see the Corporate Privacy Notice

Our contact details 

Please see the Corporate Privacy Notice

How to complain

Please see the Corporate Privacy Notice.