To effectively deliver our services to Waverley residents and communities, we need to collect and process personal data about our residents, employees and other individuals.
We are committed to protecting your privacy. The following information explains how and why we use your personal information.
Who we are / Data Protection Officer
Waverley Borough Council is registered as a Data Controller with the Information Commissioner's Office (ICO). Our registration number is Z5031756. You can view it on the ICO Website. This complies with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
The council's address is: The Burys, Godalming, GU7 1HR. Telephone number 01483 523333.
Our Data Protection Officer makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please email the Data Protection Officer at firstname.lastname@example.org.
What is personal data?
Personal information can be anything that identifies and relates to a living person. This can include information that, when put together with other information, can then identify a person. For example, this could be your name and contact details.
Categories of 'special' personal information
Some information is 'special' and needs more protection due to its sensitivity. It is often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:
- physical or mental health
- religious or philosophical beliefs
- sexuality and sexual health
- trade union membership
- political opinion
- genetic/biometric data
- criminal history.
Why we process your data (legal basis for processing)
We may need to use some information about you to:
- deliver services and support to you
- manage those services we provide to you
- train and manage the employment of our workers who deliver those services
- help investigate any worries or complaints you have about your services
- keep track of spending on services
- check the quality of services, and
- help with research and planning of new services.
How the law allows us to use your personal information
We need to collect and use your personal information for a number of legal reasons. Each service area within Waverley Borough Council might have a different legal reason for processing your data.
Generally, we collect and use personal information where:
- it is required by law
- it is necessary to perform our statutory duties
- you have entered into a contract with us
- you, or your legal representative, have given consent
- we need it to protect someone in an emergency
- it is necessary for employment purposes
- you have made your information publicly available
- we need it for legal cases
- it is to the benefit of society as a whole
- we need it to protect public health
- we need it for archiving, research, or statistical purposes.
Where we can, we will only collect and use personal information if we need it to deliver a service or meet a requirement.
If you have given us consent to use your personal information, you have the right to ask us to remove it at any time. If you want to remove your consent, please email email@example.com, telling us which personal information you would like us to remove so we can deal with your request.
Sharing and protecting your information
Who do we share your information with?
We will only collect and use personal information for the reason it was intended and for no other purpose. The council will not share any of the information that it holds about you with any third party unless you have given your written consent or this is otherwise permitted by law.
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law.
We carry out data protection impact assessments (DPIAs) before we share personal information to make sure we protect your privacy and comply with the law.
Sometimes we have a legal duty to provide personal information to other organisations. For example, we might receive a court order to provide information.
Crime and protection
We may also share your personal information when we feel there is a good reason that is more important than protecting your privacy. This doesn't happen often, but we may share your information:
- to find and stop crime and fraud
- if there are serious risks to the public, our staff or to other professionals
- to protect a child
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
For all of these reasons the risk must be serious before we can override your right to privacy.
If we are worried about your physical safety, or feel we need to take action to protect you from being harmed in other ways, we'll discuss this with you. We will try to get your permission to tell others about your situation.
We may still share your information if we believe the risk to others is serious enough to do so. If this is the case, we'll make sure that we record what information we share and our reasons for doing so. We'll let you know what we've done and why if we think it is safe to do so.
How do we protect your information?
We'll do everything we can to make sure we hold records about you (on paper and electronically) in a secure way, and we'll only make them available to those who have a right to see them. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what's called a 'cypher'. The hidden information is said to then be 'encrypted'
- Pseudonymisation, meaning that we'll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).
Where in the world is your information?
The majority of personal information we hold about you is stored on systems in the UK. However, some of the organisations we work with, and pass information to, may store their information in and outside the EU.
If we need to transfer your data outside the UK, we make sure there are secure ways to transfer the information and that our contracts with third party suppliers include clauses about complying with the current data protection law.
We'll take all practical steps to make sure your personal information is not sent to a country that is not seen as 'safe' either by the UK or EU Governments.
How long we keep your personal information
It depends on what service it relates to and what the information is used for. There is often a legal reason for keeping your personal information for a set period of time.
Download our records retention schedule
Your rights under the new law
The enhanced data protection legislation introduced in May 2018 gives you a number of rights to control the personal information we use and how we use it. You can find further details on the ICO website under the individual rights section.
You will not always be able to exercise all the rights set out in the GDPR as they vary depending on why we collected the personal information. There are also some circumstances where your rights cannot be exercised because exemptions will apply. We will explain this in our response to you.
To be informed
You have the right to be informed about the collection and use of your personal data.
A privacy notice will be provided to you at the time your personal data is collected and will explain simply and clearly how and why we intend to process your data. This information will be on the website, on the form you complete (or it will confirm where the online privacy notice can be found) or you will be told verbally over the phone.
Access to your personal information
You have the right to get access to the personal information we hold about you.
We must provide a copy of your information to you free of charge. However, we may be able to charge a reasonable fee if a request is manifestly unfounded or excessive. We can charge a fee if you require further copies of the information we have already provided to you. Any fee will be based on the administrative cost of providing the information to you.
Change inaccurate personal information
You should let us know if you think the data we hold about you is not accurate or is incomplete.
We may not always be able to change or remove that information, but we'll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
Please email the Data Protection Officer at firstname.lastname@example.org.
Request the council to delete your information (right to be forgotten)
In some circumstances, you can ask for your personal information to be deleted. For example, where:
- Your personal information is no longer needed for the purpose it was collected.
- You have removed your consent for us to use your information and where there is no other legal reason for us to use it.
- There is no legal reason for the use of your information.
- Deleting the information is a legal requirement.
Where your personal information has been shared with others, we'll do what we can to make sure those using your personal information comply with your request.
Please note that we can't delete your information where:
- we're required to have it by law
- it is used for freedom of expression
- it is used for public health purposes
- it is for scientific or historical research, or statistical purposes, and deleting it would make the information unusable
- it is necessary for legal claims.
Request the council to restrict the processing of your information
You have the right to ask us to restrict the use of your personal information where:
- you have identified inaccurate information
- we have no legal reason to use that information, but you want us to restrict what we use it for, rather than erase the information altogether.
Where we have agreed to restrict use of your personal data, we'll inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any council service. However, if we approve your request, it may cause delays or prevent us delivering a service to you.
Where possible we'll seek to comply with your request, but we may need to hold or use information because we are required to by law.
Request personal information provided in a portable format (data portability)
Where we have requested your permission to process your personal information, you have a right to receive the personal information you have provided to us in a portable format.
To reiterate, this only applies if we're using your personal information with consent (not if we're required to by law) and if decisions were made by a computer and not a human being.
It's likely that data portability won't apply to most of the services you receive from the council.
You may also request the council to provide your data directly to a third party, if technically feasible.
Please note this right only applies to data that is being processed electronically.
Object to the processing of your personal information
You have a right to object to the processing of your personal information.
You must tell us your circumstances justifying your objection to processing. Please be aware that we can still process personal information where there are compelling grounds, or it is necessary for legal claims.
You can also object separately to your data being used for direct marketing and for research. Your objection to your data being processed for a research purpose may be overridden if the council has public interest justification for this.
You can ask to have any computer made decisions explained to you and details of how we may have 'risk profiled' you
You have three rights in relation to automated decision taking, including profiling, where the result will have legal or other significant effects on you.
- The first is the right to prevent such a decision being taken. You can give the council written notice asking us not to take an automated decision.
- The second right applies where no such notice has been given. You must be informed by the council, as soon as is practicable in the circumstances, that an automated decision has been made.
- The third right relates to the options available to you on receiving notification of an automated decision. If you are unhappy that an automated decision has been taken, you have 21 days to ask the council to reconsider the decision or to take a new decision on a different basis.
You have a right to withdraw your consent.
Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time. We will always make it clear where we need your permission to undertake specific processing activities.
Please be aware that you will not be able to withdraw your consent if we do not rely on your permission to process your personal information i.e. to use a service we are required to provide by law.
How to access your information (Subject Access Request)
You have the right to ask for all the information we have about you. This is called a Data Subject Request. Find out more and make a Subject Access Request online:
Subject Access Request
Please see www.waverley.gov.uk/cookies for full details.
If you have any worries or questions about how we manage your personal information, please email our Data Protection Officer at email@example.com.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO) at ico.org.uk or email firstname.lastname@example.org.