Norfolk County Council (the County Council) is committed to protecting the privacy and security of your personal information. By personal information, we mean information which, by itself or with other data available to the County Council, can be used to identify you.
The General Data Protection Regulations (GDPR) amend the Data Protection Act 1998 as from 25 May 2018 and this notice has been produced in compliance with the GDPR.
In summary, this privacy notice:
This privacy notice covers personal information we collect about:
The County Council) is the "data controller" for the personal information held by the County Council. This means that we are responsible for deciding how we “process” (that is, collect, hold, use and disclose) your personal information.
Our address is Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2UA.
The County Council’s Data Protection Officer (DPO) is Geoff Connell.
Personal information can include, but is not limited to, your name, address, telephone number, date of birth, and bank details which can be found within records that the County Council holds which may include electronic records, letters, emails, photographs, audio recordings and video recordings. It does not include information where the identity has been removed and you cannot be identified by this information and by any other information held by the County Council (anonymous information).
We may also hold more sensitive personal data known as “special categories” of data along with information relating to criminal offences and criminal convictions. This includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, and biometric (eg fingerprints, facial recognition) and genetic (eg DNA) data and requires a higher level of protection.
Read the County Council’s policy in respect of special category data and information relating to criminal offences, setting out our procedures for compliance with the principles of the GDPR and the retention and erasure of this data.
We may collect personal information about you from yourself directly or other individuals or organisations.
You can see more detail the kind of information we hold about you in relation to each County Council service and who we receive that information from can be found in our privacy notices for council service areas.
We use your personal information to:
In some cases, you may be under a statutory or contractual obligation to provide information to the County Council. Further detail of where this applies and the consequences of not providing it, together with information about why we use your personal data in relation to each of the County Council’s services can be found in our privacy notices for council service areas.
The GDPR places a legal obligation on us to process your personal information in accordance with the following data protection principles in that your personal data must be:
There must also be a lawful basis for processing personal information – a justifiable reason for us to collect, store, use and disclose your personal information. Our lawful basis for doing so will depend on what services we are providing to you, and what type of information we process about you, for example, an additional basis is required for ‘special category’ data described above.
The basis we process your information will include:
We also process special category information and information about convictions. The grounds for the processing this information differs from the grounds set out above. We have therefore set out our grounds for processing in relation to each County Council service and this can be found in our privacy notices for council service areas.
We may share your data with other services within the County Council so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you. For example, if you tell the Customer Services Team that you have moved, they will update your records and inform other parts of the County Council that may be providing you with a service. Details of where we will do this can be found by clicking on the following link: Privacy notices for council service areas
We may also share your personal data with, and receive your personal data from, organisations and individuals outside of the County Council. Further detail about data sharing in relation to each County Council service can be found in our privacy notices for council service areas.
Additionally, your personal information can be provided to a third party contracted by the County Council to provide a service to the Council or directly to you. These service providers are known as data processors and also have a legal obligation under GDPR and to the County Council to look after your personal information and only use it for providing that service. An example of this is the County Council uses a case management system operated by a data processor for its social care services.
Your personal information may be transferred outside of the UK and the European Economic Area. While some countries have adequate legal protections for personal data, in other countries steps will be necessary to ensure appropriate safeguards apply to the information. These include imposing contractual obligations to ensure that these safeguards apply. You can find details of what information the County Council may transfer to countries outside of the European Economic Area and the safeguards that apply in our privacy notices for council service areas.
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To work out the right retention period for personal data, we consider the following matters:
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you are no longer require services from us, we will retain and securely destroy your personal information in accordance with our data retention schedule.
In some areas, to improve the efficiency and effectiveness of services, the County Council uses automated decision-making processes, including profiling. When an automated decision is made about you that is significant (one that has a legal effect, or otherwise significantly affects you) you will be notified of this, together with your rights to challenge this decision.
Details of where and how the Council carries out automated decisions can be found in our privacy notices for council service areas.
It is important that the personal information we hold about you is accurate and current.
Please keep us informed if your personal information changes during your working relationship with us. You can do to help us with this by:
You have the following rights (but note, these rights do not apply in all circumstances):
If you want to exercise any of these rights, please contact the Information Compliance Team by:
If you have any questions about this privacy notice or how we handle your personal information, you can write to the DPO by letter to the DPO, Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2DH or by email to firstname.lastname@example.org.
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted:
Where this notice applies to information collected or processed on a website, please note this privacy notice only applies to the County Council’s website and ceases to apply when you leave our pages. If you follow links to other organisations websites, even if you follow a link which we have provided, it is suggested you take the time to read the privacy notices on the websites you visit.
We keep this privacy notice under regular review and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This notice was last updated in July 2018.