Privacy notice for Information Governance

Who we are and what we do

The Information Governance team provides you, the public, with advice and guidance on information and records management and deals with your requests to access information under the following legislation:

• Freedom of Information Act 2000 (FOI)
• Environmental Information Regulations 2004 (EIR)
• Data Protection Act 2018 (DPA) / UK General Data Protection Regulations

For the purposes of data protection, Durham County Council is the Data Controller.

The type of personal information we collect and how we collect it

When gathering and using personal information, we will comply with the data protection principles.

For a request made under the FOIA/EIR, we collect the following personal information:

• your name
• your contact information - email, postal and in some cases contact number

For a request made under the DPA, we collect the following personal information:

• your name
• your contact information - email, postal and in some cases contact number
• date of birth
• proof of your identity (ID) - passport, driving licence or other form of ID
• proof of your address - utility bill, bank statement, tenancy agreement, or other document
• any other relevant personal information for identifying and locating your personal data on our systems.

Additionally, if you are applying on behalf of a child, we require the following personal information:

• written proof of your parental responsibility or legal guardianship

If you are applying on behalf of someone else, we require the following:

• written proof of the person's consent or a Lasting Power of Attorney

We collect this information from you as part of your application in writing through the online form on our Freedom of Information (FOI) requests page or via email to the Information Governance team. For Environmental Information Regulation requests this collection can be in writing through the online form on our Environmental Information Regulations (EIR) requests page or via email or verbally over the phone.

How we use your personal information

We use your information in the following ways:

• to respond to requests made under access to information legislation including the Freedom of Information Act, Environmental Information Regulations and Data Protection Act (including Subject Access Requests)
• to investigate complaints and concerns about the council's handling of personal information, including requests for rectification or deletion of personal data
• to investigate and take action on information security incidents including data breaches that include personal data
• to respond to requests for disclosure of confidential information
• to provide advice and guidance on data protection issues
• to monitor our own performance in responding to your request - this may include our contacting you with a customer satisfaction survey

We may not be able to provide the service unless you have provided us with enough information.

Some of our services use Artificial Intelligence (AI) tools to support us in our service delivery.

What our lawful basis is to obtain and use your personal information

The following are the lawful basis Article 6 of the UK General Data Protection Regulation (UK GDPR) for processing your personal information:

• 6 (c) processing is necessary for compliance with a legal obligation to which the controller is subject.
• 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• 6 (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

We do not ask for, or need, special category data from you (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, genetic/biometric information) to progress your request for information, complaint, enquiry or comments.

However, if you provide it to us voluntarily, we will only use that information if it is vital either to your request for information, complaint, enquiry or comments and/or is to comply with a special requirement that you may have.

We rely on the following lawful basis under UK GDPR:

• Article 9(2)(g) - Reasons of substantial public interest. We rely on the 'regulative requirements' purposes condition from Schedule 1 of the Data Protection Act 2018 when relying on Article 9(2)(g) to process your special category data.

Reasons we may share your personal information

We may need to share your personal information with other services within the council (only where necessary) in order to handle your request.

We may also share your personal information with third party organisations if you have asked us to, for example, if we do not hold the information, but we know who does. We would only share the information on your instruction.

We may need to consult third party organisations on the suitability of disclosure, examples include when requests for information relate to persons or bodies who are not the applicant and/or the public authority; or when disclosure of information is likely to affect the interests of persons or bodies who are not the applicant or the authority. We will only share information where we have a legal or contractual obligation to do so.

In certain circumstances your personal information may be shared with third party organisations where we have a statutory obligation to do so. Examples include sharing information with the police or other law enforcement agencies for the purposes of prevention or detection of crime, or for legal proceedings.

If you make a complaint to the Information Commissioners Office (ICO), we may share your personal information to manage your complaint or in response to a request from the ICO.

Microsoft Office 365 is the platform used for many of the council's desktop and collaboration services. This cloud-based suite updates our previous versions of Microsoft Office and introduces new tools for a more collaborative working environment. View Microsoft's privacy information.

Processing personal information outside of the UK/EU

Your personal data is stored on our IT infrastructure and shared with our data processors, Microsoft and Amazon Web Services. It may be transferred and stored securely in the UK and European Economic Area (EEA). If your data is stored outside the UK and EEA, it will have equivalent legal protection through Model Contract Clauses.

Personal data stored within our secure Case Management System is held within the UK.

We can share information outside of this area when there is an adequacy determination in place. The EU uses the term 'adequacy' to describe other countries, territories, sectors or international organisations that it deems to provide an 'essentially equivalent' level of data protection for people's rights and freedoms.

How your information is kept secure

The security of your personal information is important to us. This is why we follow a range of security policies and procedures to control and safeguard access to, and use of, your personal information.

Your information will be stored within our secure Case Management System which is accessible only to permitted staff directly involved in case management.

We have multiple policies in place that define our commitments and responsibilities to your privacy and cover a range of information and technology security areas.

We also provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after your personal information properly.

How long we keep your information for

We will not keep your information longer than it is needed or the law says we can. We will dispose of paper records or delete any electronic personal information in a secure way.

Depending on the type of request you make to us we will keep your personal information in a case file in accordance with our corporate retention guidelines.

Our Records management page provides more details of records management and information within the council.

Marketing

At no time will your information be passed to organisations external to us and our partners for marketing or sales purposes or for any commercial use without your prior express consent.

Your information rights

Your information rights are set out in the law. Subject to some legal exceptions, you have the right:

• Your right of access - you have the right to ask us for copies of your personal information. This is also known as a Subject Access Request (SAR). You can make a SAR by completing the online form on our Find out what information we hold about you page.
• Your right to rectification - you have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
• Your right to restrict processing - you have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing - you have the right to object to the processing of your personal information in certain circumstances.

How your rights work depends on the legal basis for collecting and using your personal information. The following rights are modified depending on the legal basis:

Further information

Our Data Protection Officer (DPO) provides help and guidance to make sure we apply the best standards to protecting your personal information. If something goes wrong with your personal information, or you have questions about how we process your data, please contact our Information Governance team at inforights@durham.gov.uk or write to:

DPO
Durham County Council
PO BOX 274
Stanley
County Durham
DH8 1HG

If we have not been able to deal with your complaint, you can also contact the Information Commissioner.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

You also have the right to request a copy of the personal information the council holds about you. To do this, you can apply online or download an application form from our Data Protection & Freedom of Information page or you can contact the data protection team at inforights@durham.gov.uk.

To learn more about these rights please see Information Commissioner's Office: Individual rights - guidance and resources. If you require general information about the Data Protection Act, information is available at Information Commissioner's Office: Individual rights - guidance and resources. Additionally, any complaints can be escalated beyond the ICO as outlined in GDPR Article 77 and GDPR Article 79.