Covid-19 (Coronavirus) Privacy Notice
This privacy notice explains how Ashford Borough Council's (ABC) data processing may differ with regard to the Covid-19 (coronavirus) pandemic.
ABC and its Data Protection Officer can be contacted at:
The Data Protection Officer, Ashford Borough Council, International House, Dover Place, Ashford, TN23 1HU or via FOI@ashford.gov.uk.
The processing of personal data is governed, in the UK, by the General Data Protection Regulation (the “GDPR”) 2016 and any national implementing laws (Data Protection Act 18), regulations and secondary legislation, as amended or updated from time to time, and the regional supervisory authority is the Information Commissioner's Office.
We are registered with the Information Commissioner's Office with registration number Z8344724.
Processing activities
ABC already holds data regarding residents, employees, businesses and other stakeholders. You may have provided this information for a specific reason, and normally ABC would seek to inform you if the data provided were to be used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic, this will not always be possible. If we already hold information regarding vulnerability, as defined in the current guidance from the Government and Public Health England, we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the council.
Additionally, in this current crisis we may need to ask you for, or be provided with, personal information that you have not already supplied, including sensitive personal information, for example your age or whether you have any underlying illnesses or are vulnerable. This is so the council can assist and prioritise its services.
We always aim to collect the minimum data necessary to achieve the purpose required.
Lawful bases for Processing
The legal bases for processing by the council as a public authority will be:
Substantial Public Interest (Public Interest)
Article 9(2)(g) of the GDPR: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
We are able to process data, both internally and externally, if it satisfies the Data Protection Act’s definition of ‘substantial public interest’ (Schedule 1, DPA18). Those most relevant include using data for:
- statutory etc. and government purposes;
- support for individuals with a particular disability or medical condition;
- safeguarding children and individuals at risk; and
- safeguarding the economic well-being of certain individuals.
Statutory Obligation to Process Data (Public Interest, Legal Obligation)
GDPR allows us to process data if it is necessary to comply with the obligations set out in law. We are given many powers in different Acts which can be used in the context of emergency data processing. For example,
- Care Act: this allows councils to process data to promote individual well-being, prevent the individual need for care and to support and promote the integration of health and social care;
- Children’s Act: this allows councils to process data to safeguard and promote the wellbeing of children;
- Homelessness Reduction Act (2017): this allows councils to process data as part of taking reasonable steps to help applicants secure accommodation;
- Civil Contingencies Act: this allows councils to process data as part of complying with our duty to plan and prepare for, advise about, respond to and recover from emergencies.
Vital Interests
This applies where processing is necessary in order to protect your vital interests or those of another individual, for example protecting someone or their property from imminent harm or damage.
Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
How we protect your data
The data you provide is protected by rigorous measures and procedures to make sure it can't be seen, accessed by, or disclosed to anyone who shouldn't be allowed to see it. We provide training to staff who handle personal data and treat it as a disciplinary matter if they misuse or do not look after your personal data properly.
Your rights
Unless subject to an exemption under data protection legislation, you have the following rights:
- the right to access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to object to processing;
- the right to data portability;
- the right to complain to a supervisory authority; and
- the right to withdraw consent.
Right to Complain
We set ourselves high standards when it comes to protecting your personal data. For this reason, we take any complaints we receive from you about our use of your personal data very seriously and request that you bring any issues to our attention.
Where you are communicating with us for the purpose of making a complaint, we will only use your personal data to handle, investigate and respond to the complaint and to check on the level of service we provide.
If, having exhausted the complaint process, you are not content that your request or review has been dealt with correctly, you can appeal to the ICO to investigate the matter further by writing to:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF