To effectively deliver our services to Waverley residents and communities, we need to collect and process personal data about our residents, employees and other individuals.

We are committed to protecting your privacy. The following information explains how and why we use your personal information.

Use the links below to find out more. 

1. Who we are / Data Protection Officer

2. What is personal data?

3. Why we process your data (legal basis for processing)

4. Sharing and protecting your information

5. How long we keep your personal information

6. Your rights under the new law

7. How to access your information (Subject Access Request)

8. How we use cookies

9. More information


1. Who we are / Data Protection Officer

Waverley Borough Council is registered as a Data Controller with the Information Commissioner's Office (ICO). Our registration number is Z5031756. You can view it on the ICO Website. This complies with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).

Our Data Protection Officer makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please email the Data Protection Officer at dpo@waverley.gov.uk.

Back to top


2. What is personal data?

Personal information can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details. 

Categories of 'special' personal information

Some information is 'special' and needs more protection due to its sensitivity. It is often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

  • physical or mental health
  • religious or philosophical beliefs
  • ethnicity
  • sexuality and sexual health
  • trade union membership
  • political opinion
  • genetic/biometric data
  • criminal history.

Back to top


3. Why we process your data (legal basis for processing)

Why do we need your personal information?

We may need to use some information about you to:

  • deliver services and support to you
  • manage those services we provide to you
  • train and manage the employment of our workers who deliver those services
  • help investigate any worries or complaints you have about your services
  • keep track of spending on services
  • check the quality of services, and
  • help with research and planning of new services.

How the law allows us to use your personal information

We need to collect and use your personal information for a number of legal reasons. Each service area within Waverley Borough Council might have a different legal reason for processing your data.

Generally, we collect and use personal information where:

  • it is required by law
  • it is necessary to perform our statutory duties
  • you have entered into a contract with us
  • you, or your legal representative, have given consent
  • we need it to protect someone in an emergency
  • it is necessary for employment purposes
  • you have made your information publicly available
  • we need it for legal cases
  • it is to the benefit of society as a whole
  • we need it to protect public health
  • we need it for archiving, research, or statistical purposes.

Where we can, we will only collect and use personal information if we need it to deliver a service or meet a requirement.  

If you have given us consent to use your personal information, you have the right to ask us to remove it at any time. If you want to remove your consent, please email dpo@waverley.gov.uk, telling us which personal information you would like us to remove so we can deal with your request.

Back to top


4. Sharing and protecting your information

Who do we share your information with?

We will only collect and use personal information for the reason it was intended and for no other purpose. The council will not share any of the information that it holds about you with any third party, unless you have given your written consent, or if otherwise this is permitted by law.

Our suppliers

We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law. 

We carry out data protection impact assessments (DPIAs) before we share personal information to make sure we protect your privacy and comply with the law.

Legal duty

Sometimes we have a legal duty to provide personal information to other organisations. For example, we might receive a court order to provide information.

Crime and protection 

We may also share your personal information when we feel there is a good reason that is more important than protecting your privacy. This doesn't happen often, but we may share your information:

  • to find and stop crime and fraud 
  • if there are serious risks to the public, our staff or to other professionals
  • to protect a child
  • to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them. 

For all of these reasons the risk must be serious before we can override your right to privacy. 

Your safety

If we are worried about your physical safety, or feel we need to take action to protect you from being harmed in other ways, we'll discuss this with you. We will try to get your permission to tell others about your situation.

We may still share your information if we believe the risk to others is serious enough to do so.  

If this is the case, we'll make sure that we record what information we share and our reasons for doing so. We'll let you know what we've done and why if we think it is safe to do so.

How do we protect your information?

We'll do everything we can to make sure we hold records about you (on paper and electronically) in a secure way, and we'll only make them available to those who have a right to see them. Examples of our security include:

  • Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what's called a 'cypher'. The hidden information is said to then be 'encrypted'
  • Pseudonymisation, meaning that we'll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).

Where in the world is your information?

The majority of personal information we hold about you is stored on systems in the UK. However, some of the organisations we work with, and pass information to, may store their information in and outside the EU. 

If we need to transfer your data outside the UK, we make sure there are secure ways to transfer the information and that our contracts with third party suppliers include clauses about complying with the current data protection law.

We'll take all practical steps to make sure your personal information is not sent to a country that is not seen as 'safe' either by the UK or EU Governments.

Back to top


5. How long we keep your personal information

It depends on what service it relates to and what the information is used for. There is often a legal reason for keeping your personal information for a set period of time.

This ranges from two years for some records to decades for other records.

Back to top


6. Your rights under the new law

The enhanced data protection legislation introduced in May 2018 gives you a number of rights to control the personal information we use and how we use it. You can find further details on the ICO website under the individual rights section.

We have also listed below the main changes to the legislation giving you additional rights about how we handle your personal data:

You can ask to change information you think is inaccurate

You should let us know if you think the data we hold about you is not accurate.

We may not always be able to change or remove that information, but we'll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.  

Please email the Data Protection Officer at dpo@waverley.gov.uk.

You can ask to delete information (right to be forgotten)

In some circumstances, you can ask for your personal information to be deleted. For example, where:

  • Your personal information is no longer needed for the purpose it was collected.
  • You have removed your consent for us to use your information and where there is no other legal reason for us to use it.
  • There is no legal reason for the use of your information.
  • Deleting the information is a legal requirement.

Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request.

Please note that we can't delete your information where:

  • we're required to have it by law
  • it is used for freedom of expression 
  • it is used for public health purposes
  • it is for scientific or historical research, or statistical purposes, and deleting it would make the information unusable
  • it is necessary for legal claims.

You can ask to limit what we use your personal data for

You have the right to ask us to restrict what we use your personal information for where:

  • you have identified inaccurate information, and have told us about it
  • we have no legal reason to use that information, but you want us to restrict what we use it for, rather than erase the information altogether.

Where we have agreed to restrict the uses of your personal data, we'll inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information for any council service. However, if we approve your request, it may cause delays or prevent us delivering a service to you. 

Where possible we'll seek to comply with your request, but we may need to hold or use information because we are required to by law.

You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we're using your personal information with consent (not if we're required to by law) and if decisions were made by a computer and not a human being. 

It's likely that data portability won't apply to most of the services you receive from the council. 

You can ask to have any computer made decisions explained to you and details of how we may have 'risk profiled' you.

You have the right to question decisions made about you by a computer, unless it's required for any contract you have entered into, required by law, or you've consented to it. 

You also have the right to object if you are being 'profiled'. Profiling is where decisions are made about you based on certain things in your personal information, eg your health conditions. 

We will inform you if we plan to use your personal information to profile you.  We would do this to deliver the most appropriate service to you. 

If you have concerns about automated decision making, or profiling, please email the Data Protection Officer at dpo@waverley.gov.uk, who'll be able to advise you about how we are using your information.  

Back to top


7. How to access your information (Subject Access Request)

You have the right to ask for all the information we have about you. This is called a Data Subject Request. Find out more and make a Subject Access Request online.

Back to top


8. How we use cookies

Please see www.waverley.gov.uk/cookies for full details.

Back to top


9. More information

If you have any worries or questions about how we manage your personal information, please email our Data Protection Officer at dpo@waverley.gov.uk.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) at ico.org.uk or email casework@ico.org.uk

Back to top

Page owner: Vanessa de Chazal. Last updated: 06/11/2018 12:20