Epping Forest District Council is a data controller pursuant to the General Data Protection Regulation 2016 (the ‘GDPR’). This means that the Council decides how your personal data is processed and for what purposes. The Council is committed to protecting your personal and respecting your right to privacy.
The Council will obtain information about you when you contact the authority, when you request the provision of specific services or when you use its website or other forms of communication, such as the completion of an online form.
What information do we collect about you?
Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the GDPR and its principles.
The types of personal information that the Council collects about you might include your name, address, email address, IP address, and other information that is relevant to the enquiry that you make or the service that you request. This may include financial information and payment card information when making any payments or accessing certain applications to the Council. If you make a payment online, your payment account information is not held by the Council, as this information is collected by our third party payment processors who specialise in the secure online capture and processing of credit/debit card transactions.
Why do we collect this information and how will it be used?
The Council provides a wide range of services. In order to do this, it has to collect certain information and details about people who contact it or request the provision of such services.
The information that the Council collects will only be used for the purpose for which you have provided it and for the provision of services that you request. Your information will not be used for any other purpose unless you have given your consent, or this is otherwise required or permitted by law.
If you choose to give the Council your personal information, it will use that information to respond to your enquiry and will only pass your details to another organisation if it is required by law or that organisation is relevant to your enquiry. The Council does not collect or sell personal information for commercial purposes and will not share your information with third-parties for marketing purposes.
We comply with our obligations under the GDPR, by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting it from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We use leading technologies and encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access.
How long do we keep your information?
The Council will only keep your personal data for as long as is necessary for the purpose for which we are processing it, unless we have a legitimate reason for keeping it, for example, any legal requirement to keep the data for a set time period.
Where legislation does not dictate a specific retention period, we have adopted a retention policy to ensure that no data is kept for longer than necessary after processing has taken place. Where we do not need to continue to process your personal data, it will be securely destroyed.
The lawful basis for processing your personal data
Depending on how we are processing your personal data, will determine the legal basis for processing. Generally, the legal bases for processing by the Council as a public authority will be for us to perform a task in the public interest. Where the purpose for processing your personal data has changed, we will seek your consent. In certain circumstances, you will be able to withdraw your consent to the processing of your personal data.
The Council strives to meet the highest standards when collecting and using personal information. For this reason, it takes any complaints about such matters very seriously. The Council encourages people to bring it to its attention any instances where its collection or use of personal data is considered to be unfair, misleading or inappropriate.
If you wish to make a complaint about the way the Council has processed your personal information, you should contact the Data Protection Officer.
You can access the personal data that the Council holds about you by submitting a Subject Access Request. This request must be in writing and clearly specify the information that you require. An application form is available on the Council’s website to assist you to submit a request.
There are various other rights that you can exercise as an individual in relation to the information that the Council collects and holds about you, including
- the right to be informed
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
Information about each of these rights is available on the data protection page of the Council’s website at www.eppingforestdc.gov.uk/contact-us/data-protection.
Disclosure of personal informartion
Depending on the purpose for which we originally obtained your personal data and the use to which it is to be put, it may be shared with other organisations. For example, personal data may be shared, where necessary, with other organisations that provide services on our behalf. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.
The Council will not generally disclose personal data without your consent. However, there may be occasions when it may need to share personal information with other relevant bodies. The Council may pass your information to other agencies or organisations such as the Department for Work and Pensions or HM Revenue and Customs, where this is required by law.
The Council may check information that you have provided, or information about you that someone else has provided, with other information that it holds. The Council may also obtain information about you from other organisations, or disclose information to such organisations, to
- prevent or detect crime
- protect public funds
- make sure information is correct
Such third parties include government departments, local authorities and private-sector companies such as banks, organisations that may lend you money and companies that assist the Council in fraud detection and prevention, such as Credit Reference Agencies.
The Council will not give information about you to anyone else, or use information about you for other purposes, unless the law allows it to. Where we require your consent to share or disclose your personal data, we will seek your consent.
Transferring your information outside of Europe
The Council may transfer your personal data to countries outside the European Union (EU), which may not have similar data protection laws to the United Kingdom. If The Council transfers your information outside of the EU in this way, it will take steps to ensure that appropriate security measures are in place to ensuring that your privacy rights continue to be protected as outlined in this Policy. If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.
Link to other websites
The Council is not responsible for the privacy practices of other websites, even if you access them using links from the Council’s website. In addition, if you linked to the Council’s website from a third party site, the Council is not responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of such third party site.
The Council keep this privacy notice under regular review. This privacy notice was last updated on 30 April 2018.