Privacy

How Ashford Borough Council Uses Your Personal Data

This privacy policy explains how Ashford Borough Council (as a Data Controller) collects, uses and protects your personal data.

+ Who we are

We are Ashford Borough Council (ABC) and are a local authority which provides services to residents and businesses in Ashford, Tenterden and a large network of surrounding villages.

ABC is the Data Controller for the personal data it holds as set out in this policy. ABC’s Data Protection Officer can be contacted at: The Data Protection Officer, Ashford Borough Council, International House, Dover Place, Ashford, Kent, TN23 1HU or via FOI@ashford.gov.uk.
We are registered with the Information Commissioner’s Office (ICO) with registration number Z8344724.

+ Your personal data - what is it?

Personal data refers to information about a living person who can be identified from that data, either on its own or when combined with other information that the data controller already holds or is likely to obtain.

Some personal data is classed as “special categories of personal data” because it is considered to be more sensitive and therefore requires more protection. This includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data where used for identification, health data, and data concerning a person’s sex life or sexual orientation.

The processing of personal data is governed in the UK by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation, including the Data (Use and Access) Act 2025 where relevant. The supervisory authority for data protection matters is the Information Commissioner’s Office (ICO).

+ Why we collect and use your personal data

We process personal data to enable us to provide a range of services to local people and businesses; as such we may require your personal data to:
  • deliver public services
  • contact you by post, email or telephone
  • understand your needs to provide the services that you request
  • understand what we can do for you and inform you of other relevant services and benefits
  • obtain your opinion about our services
  • update your customer record
  • process financial transactions
  • prevent and detect fraud and corruption in the use of public funds
  • allow us to undertake statutory functions efficiently and effectively
  • make sure we meet our statutory obligations including those related to diversity and equalities
The purpose of processing will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.

+ Our lawful basis for using your data

The law on data protection sets out a number of different reasons for which personal data may be collected and processed. Generally, the legal basis for processing by us as a public authority will be one of the following:
  • Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the council
  • Legal obligation: processing is necessary for compliance with the council’s legal obligation
  • Contract: processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract
We may also on occasion process your personal data in the following circumstances:
  • Consent: where you have given consent to the processing of your personal data for one or more specific purposes. For example, this is the basis likely to be used if you have signed up to receive any newsletters
  • Legitimate interests: where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. This legal basis is not open to us when performing our statutory tasks; however, where we are operating on a commercial basis, this legal basis may be utilised
  • Vital Interests: where processing is necessary in order to protect the vital interests of you or of another individual. For example, protecting someone or their property from imminent harm or damage.
The legal basis relied upon will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.
Where relevant, we may also rely on any additional lawful basis, condition or exception for processing introduced or clarified by subsequent legislation, including the UK GDPR, Data Protection Act and Data (Use and Access) Act.

+ How we protect your data

The data you provide is protected by rigorous measures and procedures to make sure it cannot be seen, accessed, altered or disclosed by anyone who is not authorised to do so.

We provide training to staff who handle personal data and treat it as a disciplinary matter if they misuse or do not look after your personal data properly.

We conduct data protection impact assessments when making changes to processes or systems that hold your personal data.

We have a range of measures in place to protect the physical security of your data. For example, locked confidential waste bins and controlled physical access to our premises.

We also have a range of technical and organisational measures in place to protect the electronic security of your data. For example, firewalls, email filtering, patch management, vulnerability scanning, penetration testing, encryption, access controls, multi-factor authentication where appropriate, system monitoring and regular security review arrangements.

We take personal data breaches very seriously. If we become aware of a personal data breach, we will assess it promptly, take steps to contain and mitigate the impact, investigate the cause, keep appropriate records, and implement any necessary remedial action to reduce the risk of recurrence. Where required by law, we will report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay unless a lawful exception applies.

+ Protecting your data outside the European Economic Area

It may sometimes be necessary to transfer personal data to countries outside the European Economic Area. Transfers will only take place when:
  • There are procedures in place to ensure your data receives the same protection as if it were processed inside the European Economic Area; or
  • With the consent of the data subject; or
  • Where required by law

+ Sharing your personal data

Depending on the purpose for which we process your personal data, we may share it with other organisations. For example, your personal data may be shared, where necessary, with other organisations that provide services on our behalf such as contractors carrying out repairs to council houses. In such cases, the personal data provided will be limited to the minimum necessary to enable them to provide services to you.

Where another organisation processes personal data on our behalf, we will ensure appropriate contractual controls are in place. This includes the data processing requirements set out in Article 28 of the UK GDPR, so that processors and contractors are only permitted to act on our documented instructions, keep the data secure, restrict access to authorised personnel, assist us to meet our legal obligations, and return or securely delete personal data when the contract ends, where appropriate.

We are signatories to the Kent and Medway Information Sharing Agreement, which provides the framework for sharing personal data between local public sector agencies, where there is a specified explicit and legitimate purpose to do so.

Where we will or may share your personal data with other organisations, this will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.

+ How long we keep your personal data for

We will only retain your personal information for as long as necessary to fulfil the purposes for which we have collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any applicable legal requirements.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal data in accordance with our data retention policy and applicable laws and regulations.

The length of time we will keep your personal data for will be explained to you in more detail in a specific privacy notice provided at the time your personal data is collected.

+ Your rights

Unless subject to an exemption under the GDPR, you have the right to:
  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
  • Request the correction of your personal data when incorrect, out of date or incomplete
  • Request erasure of your personal data when there is no good reason for us to continue to process it
  • Object to processing of your personal data where we are relying on a public task or legitimate interest legal basis to carry out that processing and there is something about your particular situation which makes you want to object to processing on these grounds. Please note this only applies in certain circumstances, for example direct marketing or where processing is for the purposes of scientific or historical research
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
  • Request the transfer of your personal data to another party. This would allow you to transfer your information to another local authority should you wish to do so. Please note this only applies where the processing is based on consent or is necessary for the performance of a contract with you, and in either case where we process the data by automated means
  • To be informed of the processing of your personal data by automated means which results in a decision being made (without human intervention) that has a legal or similarly significant effect on you as an individual. Where these methods of processing are used, you have the right to ask for a council officer to review the decision
  • Right to withdraw consent: where we rely on your consent for a specific process, you have the right to withdraw your consent at any time
You can ask to exercise these rights at any time by contacting The Data Protection Officer, Ashford Borough Council, International House, Dover Place, Ashford, Kent TN23 1HU or via FOI@ashford.gov.uk.

You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). We will usually need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights).

If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

+ Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. Read detailed information on the cookies we use and the purposes for which we use them.

We also use Google Analytics so that we can find out how many people visit various parts of the website. This information helps us to find out how effectively our website is working and how to improve it. We do not identify anyone, and we do not allow Google Analytics to identify anyone visiting our website.

+ Right to complain

We set ourselves high standards when it comes to protecting your personal data. For this reason, we take any complaints we receive from you about our use of your personal data very seriously and request that you bring any issues to our attention.

Where you are communicating with us for the purpose of making a complaint, we will only use your personal data to handle, investigate and respond to the complaint and to check on the level of service we provide.

We operate a complaints process for concerns about how we handle personal data and information rights matters, in line with applicable legal requirements including those introduced by the Data (Use and Access) Act. Further details about our information rights arrangements and how to raise a concern can be found on our information rights page.

If, having exhausted the complaint process, you are not content that your request or review has been dealt with correctly, you can appeal to the ICO to investigate the matter further by writing to:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

+ How to contact us

You can contact us by:

Post: The Data Protection Officer, Ashford Borough Council, International House, Dover Place, Ashford, Kent TN23 1HU

Email: FOI@ashford.gov.uk

We keep this privacy notice under regular review and we will place any updated versions on this page. This will help ensure that you are always aware of what data we collect and how we use it.

Version: 2 
Last Updated: 22/05/2026