PN023 - Data Protection & Information Governance Privacy Notice

Torfaen County Borough Council is committed to protecting your privacy when you use our services. This Privacy Notice is designed to give you information about the data we hold about you, how we use it, your rights in relation to it and the safeguards in place to protect it.

TCBC Service Area: Public Services Support Unit
Work area: Data Protection and Information Governance
Contact Details: dpa@torfaen.gov.uk - Data Protection Officer, Civic Centre, Pontypool, NP4 6YB
Privacy Notice Name: Data Protection and Information Governance

Data Controller: Torfaen County Borough Council, c/o Civic Centre, Pontypool, NP4 6YB

If you wish to raise a concern about the handling of your personal data, please contact the Data Protection Officer on 01495 762200 or email dpa@torfaen.gov.uk

The Data Protection and Information Governance team may process your data when dealing with UK GDPR Rights requests, information requests, data breaches or when providing guidance to other Service Areas within the Council.

Who provides your data to the Council?

The personal information we process is provided to us directly by you when you request a service or exercise your rights under UK GDPR, such as submitting a Subject Access Request (SAR).

AND

We receive personal information indirectly from persons or companies acting on your behalf, other departments within the Council and external agencies.

How does the Council collect this information?

Email
Telephone
Online forms
Written postal requests
Social Media
Secure file transfer

What information does the Council collect about you?

The Data Protection and Information Governance team collects:

Name
Address
Telephone number
Email address
Employment details (if Council employee)
Financial information
Proof of Identity such as Passport/Driving License/Utility bill
Information relating to Council services you have engaged with
Details of other persons included in requests
Forms of Authority from those you are acting on behalf of

Why does the Council process your personal data?

Under Article 6 of the UK General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(e) We need it to perform a public task

Special categories of personal data

The Information Governance and Data Protection team do not purposely collect any special category or criminal data about service users or staff, but these may be contained in the information accessed during the process of providing services. These may include:

personal data revealing racial or ethnic origin
personal data revealing political opinions
personal data revealing religious or philosophical beliefs
personal data revealing trade union membership
data concerning health
data concerning a person’s sex life
data concerning a person’s sexual orientation

The Council collects this under Article 9 of the UK GDPR.

Where the Council collects criminal data, this is processed under Article 10 of the UK GDPR.

Who has access to your data?

Your data is shared internally only with the appropriate staff where it is necessary for the performance of their roles.

Your data may also be shared externally with organisations for UK GDPR compliance requirements or legal requirements such as the prevention and detection of crime. These may include, but not be limited to:

Information Commissioner’s Office (ICO)
Government Agencies
Police
HMRC

Where possible, data will be anonymised or redacted before sharing.

Apart from where previously stated, we do not pass your details to third parties unless we are lawfully required do so.

Is the Data transferred out of the UK?

How does the Council keep your data secure?

The Council has internal policies in place to ensure the data it processes is not lost, accidentally destroyed, misused or disclosed. Access to this data is restricted in accordance with the Council’s internal policies and in compliance with the UK GDPR.

Data will be stored securely in:

Secure network drives
Secure Cloud storage

Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions. These third parties are also under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data.

How long does the Council keep your data?

The Council will hold your personal data only for the period that is necessary and will follow organisational and Local Authority standards in this area. At the end of the retention period the Council will securely destroy or dispose of the data in line with retention schedules.

For the purpose of Subject Access Requests (SARs) we hold the information for five years after closure

Are we making automated decisions/profiling with your data?

Your rights

You have a number of Rights you can exercise:

Access - to obtain a copy of your data on request
Rectification – to require the Council to change incorrect or incomplete data
Object, Restrict or Delete - under certain circumstances you can require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
Data portability – to receive and/or transmit data provided to the Council to other organisations (this applies in limited circumstances)
Withdraw your consent at any time (where consent has been given)
To know the consequences of failing to provide data to the Council
To know the existence of any Automated Decision-making, including profiling, and the consequences of this for you.
To lodge a complaint with a supervisory authority (Information Commissioners Office)

If you would like to exercise any of these rights, please contact: Data Protection Officer, Civic Centre, Pontypool, NP4 6YB, 01633 647467, dpa@torfaen.gov.uk

The Information Commissioner can be contacted at: The Information Commissioner’s Office (Wales), 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH. Telephone 0330 414 6421 or e-mail Wales@ico.org.uk.

Last Modified: 17/07/2023 Back to top