What this document is for
This privacy notice provides details on how Norfolk County Council’s concessionary fares service uses your personal information for passes to residents who are above the qualifying age and disabled passes to applicants who meet the relevant qualifying criteria.
By ‘use’ we mean the various ways it may be processed, including storing and sharing the information.
We also provide the following details in our general privacy notice on our website:
- Who we are
- How long we use your information for
- Your rights under the UK General Data Protection Regulation (the GDPR) and
- How to exercise them
You can also ask us for a copy of this information.
What we use your information for
We use your personal information to:
- process applications and replacement requests
- provide the concessionary fares service
- contact you about the concessionary fares service
- assess the quality of our services and evaluate and improve our policies and procedures
We may also use your information in other ways compatible with the above.
What personal data we collect and use about you
We collect and use:
- your name, address and date of birth
- your contact details
- proof that you live in Norfolk
- your photograph
- for age related passes - proof of your date of birth
- for disabled passes - proof of disability living allowance (if relevant)
- for disabled passes - proof of war pensioners’ mobility supplement (if relevant)
- for disabled passes - details of existing blue badge (if relevant)
We may also require proof of any disabilities and other health information. This information is classed as “special category data” under the GDPR. We may only collect these data when it is relevant and for the purposes described above.
The GDPR includes safeguards to protect the use of your special category data. Further details can be found on our website in the document named ‘Special category data and criminal offences data policy’ which sets out our procedures for compliance with the principles of the GDPR and the retention and erasure of this information.
Who provides this information
We receive this information from you.
Who we share your information with
We may share your information across different departments of the County Council where it is necessary for our public tasks or functions to do so. In particular, we cross reference Blue Badge information with an application for a disabled pass if the evidence provided for seeking a disabled pass is the holding of a Blue Badge.
Your personal information may also be given to third parties contracted by the County Council to provide a service to the County Council. These service providers are known as data processors and have a legal obligation under GDPR and to the County Council to look after your personal information and only use it for providing that service. In particular, the County Council has entered into a contract with the national Unicard system as part of the English National Concessionary Travel Scheme and Euclid to provide concessionary travel passes.
How the law protects you and the legal basis for processing your information
We have legal grounds under the GDPR to process this information because it is necessary for the performance of a task carried out in the public interest and the task or function has a clear basis in law under the Transport Act 2000.
We have legal grounds to process (including share) special category data because it is necessary for reasons in the substantial public interest and in the exercise of a statutory function under the Transport Act 2000.
How long will we keep your personal information for
The Unicard system will keep the information electronically for 2 years after which time it will be securely deleted. We will also keep any paper documents for 6 months after which it will be securely destroyed.
How we keep your information
The information is stored electronically, on the County Council’s records management system, known as CRM and the national Unicard system as part of the English National Concessionary Travel Scheme. Additionally, information is securely stored in other mediums, including email accounts and in paper files.
We do not process your information outside of the UK and European Economic Area.
Automated decision making
We do not make automated decisions about you.
Changes to this notice
We may amend this privacy notice at any time so please review it frequently. The date below will be amended each time this notice is updated.
This notice was updated on 7 July 2022.