Policies & Procedures - East Midlands Combined County Authority

The East Midlands Combined County Authority (EMCCA) is registered as a data controller with the Information Commissioner’s Office (registration number: insert ICO registration number). The Information Commissioner’s Office is the regulator for data protection in the UK.

Our website is provided by Purpose Media. EMCCA is the controller of personal data obtained via our website, meaning we are the organisation legally responsible for deciding how and for what purposes it is used.

We are committed to ensuring that personal information is processed fairly, lawfully and securely in accordance with data protection laws.

This privacy policy contains important information about how and why we collect, store, use and share any information relating to personal data. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

Given the nature of our website, we do not expect to collect the personal data of anyone under 13 years old. If you are aware that any personal data of anyone under 13 years old has been shared with our website please let us know so that we can delete that data.

This version of our privacy policy is primarily written for adults, including parents and guardians of child users.

What this policy applies to

This privacy policy relates to information the Combined Authority collects and receives when you use our services and our website.

Throughout our website we may link to other websites owned and operated by certain trusted third parties. Those third party websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to those third party websites, please consult their privacy policies as appropriate.

Why we use your personal information

We may need to use your personal information so that we can deliver a range of services to you and in the activities and functions we are required to carry out as a Combined County Authority.

For example in:

Skills and Employment
Registration services
Managing and monitoring those services
Service planning
Management forecasting
Dealing with and investigation of enquiries and complaints
Responding to requests for information
Supporting and managing workers; for instance, recruitment, provision of HR, payroll and occupational health services
Health and Safety
Complying with legal requirements or Court Orders
Legal proceedings and advice
Administering the Local Government Pension Scheme
Reporting to Government, professional and supervisory authorities
Carrying out Disclosure and Barring Service checks
Data matching under local and national fraud prevention initiatives
Crime prevention and prosecution of offenders
Law enforcement functions that may result in criminal investigations or prosecutions
Archiving records
Historical and statistical research
Equal opportunity and diversity monitoring
Decision making
Responding to Members’ enquiries

Personal data we collect about you

Personal information (sometimes referred to as personal data) is any information that enables the identification a living individual, either directly or indirectly. The personal data we collect about you depends on the particular activities delivered.

We will collect and use the following personal data about you:

Name,
Address,
Telephone number,
Email address,
Date of birth,
Telephone recordings of calls made to us
Passport number,
National Insurance number
Family information
Lifestyle and social circumstances
Financial details
Employment and education details
Housing needs / providers
Licenses or permits held
victim’s / witness’s details
Individual’s carers or their representatives
Online browsing activity
Staff, people contracted to provide a service
Business activities
Unique identifier such as a travel card number
Offenders and suspected offenders
Complainants, enquirers or their representatives
Professional advisers and consultants
Service user case file information
Traders and others subject to inspection
People captured by CCTV: images, personal appearance and behaviour
Social media comments, etc

How your personal data is collected

We collect personal data from you directly when you:

Use our services
Send us feedback
Complete customer surveys or participate in competitions via our website
Apply for a job or you are our current and former employee
Participate in publicity for the Combined Authority
Are recorded on CCTV systems operated by the combined Authority

and indirectly, when you

When you visit our website; we will collect information indirectly using the technologies explained in the section on ‘Cookies’
Through complaints
Are referred to us by other persons, agencies or organisations
From authorised third parties such as your legal representatives, Trade union representatives, etc

How the law allows us to use your personal data

Under the UK GDPR and Data Protection Act 2018, we can only use your personal data when we have a lawful basis for doing so. We collect or use your personal data:

With consent

Where you or your legal representative have given consent, and this consent has not been withdrawn

Without Consent

There are certain circumstances where we may use your personal information without your permission.

These include when:

We have a duty to protect a child, a vulnerable adult or yourself or the public
For the prevention and detection of a crime
The assessment of any tax or duty
If we are required to do so by any court or law

There are also several legal reasons why we need to collect and use your personal information

Such as the following:

To comply with our legal and regulatory obligations under various laws
Where it is required by law, or necessary for legal cases
Where it is it is necessary to perform our public tasks
It is necessary to protect someone in an emergency or to protect public health. For example, sharing details from your care records or medical condition with a medical professional in an emergency
Where you have entered into a contract with us, for the performance of that contract with you or to take steps at your request before entering into a contract,
Where it is necessary to pursue a legitimate interest or those of a third party for example Statistical analysis to help us understand our region.

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).

Special category personal data

Certain personal data we collect is treated as a special category. Special category information which is likely to include anything that can reveal your:

Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Genetic data;
Biometric data (where used for identification purposes);
Physical or mental health;
Sex life or sexuality.

In order to collect or use this type of information, additional protections apply under data protection law. The Combined County Authority does so in any of the following circumstances:

where it is necessary to comply with employment, social security or social protection laws
where we have your explicit consent to use the particular special category information about you
where it is necessary for legal claims
when it is information which has already been made public by you
it is in the public interest for public health reasons
it is necessary for medical diagnosis purposes
where it is necessary for social care or health care purposes
it is necessary for archiving, statistical and research purposes
where it is necessary for the assessment of the working capacity of an employee
where it is necessary for employment and social security and social protection law;
the use of special category information about you is necessary to protect you or someone else in an emergency; or
where it is necessary to perform our public tasks which are in the substantial public interest for :
- performing a statutory function
- for the administration of justice
- the provision of counselling or other confidential services
- the prevention or detection of crime
- fraud prevention or protecting the public against dishonesty or other improper conduct
- for insurance purposes or occupational pensions
- for obtaining legal advice or for the purposes of legal proceedings
- for responding to Councillors’ enquiries
- for equal opportunity and diversity monitoring purposes;
- for research and archiving purposes;
- where the information has already been made public by the individual concerned.

Criminal offence data

In some limited circumstances we may also need to collect and use criminal convictions or offences information about you. We may do so where:

it is in the substantial public interest
it is necessary for any legal claims
it is necessary to protect you or someone else in an emergency
it is information, which is already in the public domain, or
we have your explicit consent to use criminal history information about you

Who we share your personal data with

The County Authority routinely share your personal information with third parties that support the Combined Authority in the delivery of the service to you. It will also do so when its carrying out any of its statutory functions or, where appropriate, with other third parties such as our service providers.

We only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

We or the third parties mentioned above occasionally also share personal data with include:

our external auditors, in which case the recipient of the information will be bound by confidentiality obligations
our professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations
law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
Other Local Authorities and Constituent Councils including partner agencies
other parties or their professional advisers in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering etc
organisations involved in the prevention of crime, or fraud.
Other relevant third parties where there is a serious risk to the public, our staff or other professionals.
Other third parties when we need to protect vulnerable children and adults.

We will not share your personal data with any other third party for marketing purposes.

Data Matching and Auditing

We are required by law to protect the public funds we administer. We may use personal information in the prevention and detection of crime. We may share the information with other bodies that are responsible for auditing or administering public fuds including the Department for Work and pensions, other Local Authorities, HM Revenue and Customs and the Police.

The Combined Authority uses data matching from different sources to aid processing of large volumes of information. We use this as a useful way to improve our services e.g detect fraud, and compliance with Data Protection law for example by identifying inaccurate or out of date information.

How long your personal data will be kept

We will not keep your personal data for longer than we need it for the purpose for which it is used.

retention periods vary between our services and different types of personal data. However, these periods will be in line with legal requirements or industry guidelines.

Following the end of the of the relevant retention period, we will delete or anonymise your personal data.

Transferring your personal data out of the UK and EEA

Most personal information we collect is stored on electronic systems in the UK and European Economic Area. For example, some personal information may be stored on computer services located in the European Economic Area (EEA).

Generally, personal information in our control will not be sent outside EEA, unless stored within cloud-based computer services. If this is done appropriate assessments, procedures and technologies will be put in place to maintain the security of all personal information processed outside of the EEA.

We will take appropriate steps to make sure we hold records about you in a secure way, including:

all employees, and those acting on our behalf, who have access to your personal information or are associated with the handling of that data are obliged to respect the confidentiality of your personal information.
all employees, and those acting on our behalf, undergo annual mandatory information security and data protection training.

Keeping your personal data secure

The Combined County Authority have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We also have procedures in place to deal with any suspected and actual data security breaches. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We utilise encryption methods, verification processes and train staff on how to securely handle information and what to do if something goes wrong.

Automated decision making

Automated decision making’ is when decisions are made about you by a computer, without any human involvement. If any of our services carry out any automated decision making using your personal information, this will be explained in the service specific privacy notice.

‘Risk profiling’ is where decisions are made about you based on certain things in your personal information, e.g., your health conditions.

If we use your personal information to profile you to deliver the most appropriate service, we will tell you.

If you are concerned about us using automated decision making or profiling, you can get help from the Data Protection Officer (DPO) who will be able to explain to you how we are using your information.

Your rights

Data Protection Laws provide you with rights to your personal data held by the Combined County Authority. Some of the rights do not apply automatically and may not be available in certain circumstances where a lawful exception applies.

The following are your rights to your personal information which you can usually exercise free of charge:

The UK GDPR gives you the following rights over your personal information.

The right to be informed how your personal data is being used or collected.
The right to access your personal data
The right to rectification of your personal data if the information we hold in relation to you is inaccurate or incomplete.
The right to be forgotten which allows you to have your personal data erased, if we no longer have a legitimate use for it.
The right to restrict processing which allows a temporary halt to processing your personal data while you contest the accuracy of the information the way it is processed.
The right to data portability
The right to object to the processing of your personal data. You have an absolute right to stop your data being used for direct marketing. In other cases where the right to object applies, we may be able to continue using your data if we have a compelling reason for doing so.
You can ask not to be subject to any decision based solely on automated processing, including profiling that ends up significantly affecting you. You could even request human intervention in such a decision making process.

For more information on the UK GDPR and your rights go to the Information Commissioners website.

If you would like to exercise any of those rights, please contact the Information Governance Team below: ‘How to complain and contact us’.

When contacting us please:

Provide enough information to identify yourself eg your full name, address and customer or matter reference number and any additional identity information we may reasonably request from you, and
Let us know which right(s) you want to exercise and the information to which your request relates

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (eg computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These cookies help us recognise you and your device and store some information about your preferences or past actions.

For further information on cookies please see our [insert link to Cookie Policy].

How to complain and contact us

If you have any queries or concerns about our use of your personal data, please contact the Combined County Authority’s Data Protection Officer at:

Data Protection Officer

East Midlands Combined County Authority

Northern Gateway Enterprise Centre

Saltergate

Chesterfield

S40 1UT

Email: InformationGovernance@eastmidsdevo.org.uk

Telephone: 0115 8044922

You also have the right to lodge a complaint with:

The Information Commissioner’s Office is an independent body set up to uphold information rights in the UK. You can contact them through the Information Commissioners Office website, at https://ico.org.uk/make-a-complaint or by telephone helpline on 0303 123 1113, or in writing to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire,
SK9 5AF

Changes to this privacy policy

This Privacy Notice is regularly reviewed; however, you are advised to check this pate from time to time for any updates to this notice.

Do you need extra help?

If you would like this policy in another format (for example audio, large print, braille) please contact the Information Governance Team at insert email address

What are you looking for?

Our Privacy Policy