Resilience Service privacy notice

This privacy notice provides information on how Norfolk County Council's Resilience Team (the Team) uses your personal information for emergency planning and business continuity planning as more particularly set out below.

By 'use' we mean the various ways your personal information may be processed including storing and sharing the information.

Further details

We also provide the following details in our general privacy notice on our website:

• Who we are
• How long we use your information for
• Your rights under the UK General Data Protection Regulation (the GDPR), and
• How to exercise them.

You can also ask us for a copy of this information.

What we use your personal information for

We use your personal information primarily to:

• Undertake emergency planning and response particularly:
  • coordinating the countywide Emergency Response & Recovery to an incident in Norfolk with various external emergency roles/agencies
  • create and maintain emergency plans alongside other agencies (such as Control of Major Accident Hazard Plans).
• Ensure business continuity particularly:
  • maintaining the continuity of Norfolk County Council's services
  • dealing with incidents which may impact business continuity
• Undertake training and exercises particularly:
  • creating, training and exercising emergency response plans and promoting resilience
  • enabling Community Resilience Local Planning to initiate effective response & recovery district Community Resilience plans shared with the Team; communications establishment.
  • Enabling community resilience by undertaking local planning and creating local communication plans
  • supporting the use of Emergency Response and Recovery Plans during incidents, including role training & exercising of plans, live or tabletop;
  • providing training to
    • Norfolk County Council
    • the Norfolk Resilience Forum
    • member organisations (NRF members, eg. Police, Fire, Ambulance, District Councils)
  • exercising Control of Major Accident Hazard (COMAH) Plans (this includes retaining and where necessary using emergency contacts and communications);
  • training and exercising internal business continuity plans at the service, departmental and corporate level

We also use this information to assess the quality of our services and evaluate and improve our policies and procedures.

We may also use information in other ways compatible with the above.

The information we collect and use

The information we may collect and use may include your:

• Contact details - your address, email address and phone number
• Current employment details if you are a member of another organisation or business
• Contractual information if you are contracted to provide a service or assistance in an emergency
• Vehicle Registration Number where your vehicle forms part of an emergency response plan.

We also may collect health information including any disabilities and medical conditions you may have. This information is classed as "special category data" under the GDPR. We may only collect these types of data when it is relevant and for the purposes described above.

The GDPR includes safeguards to protect the use of your special category data. Further details can be found on our website in the document named 'Special category data and criminal offences data policy' which sets out our procedures for compliance with the principles of the GDPR and the retention and erasure of this information.

Who provides this information

The information we hold includes information you have provided to us.

We may also receive information from:

• Operational staff
• Managers
• Other Norfolk County Council departments or services
• Business continuity plan owners and updater
• HR
• IT administrators
• Facilities-management staff
• Elected members (Councillors and Members of Parliament)
• Volunteer
• Wholly-owned companies eg Norse
• Part-funded or partially integrated organisations
• Co-located teams or teams working in partnership - Norfolk Resilience Forum
• Law enforcement agency - the police
• Health bodies - Care Commissioning Groups, NHS Trusts, GP surgeries
• Government department or agency - the Environment Agency, the Health and Safety Executive
• Residential service provider - care homes, domiciliary care, home helps
• Transport service providers
• Support agencies
• External companies
• National independent bodies
• NGOs
• Schools, academies, colleges
• Other businesses/employers
• Voluntary organisations, charities etc
• Public
• Other emergency services - Norfolk Fire and Rescue Service, Coastguard
• Armed forces

Who we share your information with?

We may also share your personal information with other organisations and public bodies, in particular:

• Statutory bodies (Environment Agency, police, parish councils, district councils)
• Other local authorities
• Elected members
• Other emergency services, armed forces, organisations and businesses responding to a local or national incident or emergency
• Volunteers responding to a local or national incident or emergency

We may also share your information across different departments of Norfolk County Council, where it is necessary for our public tasks or functions to do so.

We may share this information without your specific consent where it is reasonable and necessary to do so to fulfil our public tasks or it is otherwise in the substantial public interest to do so. The law imposes safeguards to protect your privacy in these circumstances.

Your personal information will also be given to third parties contracted by the County Council to provide a service to the County Council. These service providers are known as data processors and have a legal obligation under GDPR and to the County Council to look after your personal information and only use it for providing that service. In particular, the County Council has entered into a contract with:

• Norse

How the law protects you and the legal basis for processing your information

We have legal grounds to process this information because it is necessary to comply with a legal duty or fulfil a public task. This includes under the:

• Civil Contingencies Act 2004
• Control of Major Accident Hazards Regulations 2015
• Military Aid to the Civil Authorities (MACA)
• Equality Act 2010 - when providing training (eg identifying if individuals require reasonable adjustments).

We also process personal information where it is necessary for the performance of a contract (eg lease, licence, service and maintenance contract).

We have legal grounds to process special category data where it is necessary for reasons in the substantial public interest. This will include where it is necessary to carry out any of our statutory functions. The statutory functions are as set out above.

How long will we keep your personal information for

When the information is no longer needed for the above purposes, it will be securely deleted or destroyed.

If we need to use your information for research or reports, your information will be anonymised and any information taken from notes (handwritten or typed) during any consultation sessions will be securely destroyed. The information will continue to be used in a summarised and anonymised form in any research reports or papers that are published. The anonymised information in the papers may be of historic interest and may be held in public archives indefinitely.

How we keep your information

The information is stored in hardcopy (securely filed and marked for use solely in emergency situation) and/or electronically on Norfolk County Council's secure records management system.

Information is also securely stored in other mediums, including email accounts and in paper files.

We do not process your information outside of the European Economic Area.

Automated decision making

We do not make automated decisions about you.

Changes to this notice

We may amend this privacy notice at any time so please review it frequently. The date below will be amended each time this notice is updated.

This notice was updated in March 2022