How Ashford Borough Council Uses Your Personal Data
We are Ashford Borough Council (ABC) and are a local authority which provides services to residents and businesses in Ashford, Tenterden and a large network of surrounding villages.
ABC is the Data Controller for the personal data it holds as set out in this policy. ABC’s Data Protection Officer can be contacted at: The Data Protection Officer, Ashford Borough Council, Civic Centre, Tannery Lane, Ashford TN23 1PL or via FOI@ashford.gov.uk
We are registered with the Information Commissioner’s Office (ICO) with registration number Z8344724.
Personal data relates to a living individual who can be identified from that data. Identification can be by the data alone or in conjunction with any other information in or likely to come into the data controller’s possession.
Some personal data is classed as “special categories of personal data” because it is considered to be more sensitive and therefore requires more protection. This includes information that identifies racial/ethnic origin, political opinions, religious/philosophical beliefs, sexual orientation and information regarding physical and mental health.
The processing of personal data is governed, in the UK, by the General Data Protection Regulation (the “GDPR”) 2016 and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, and the regional supervisory authority is the ICO. A new Data Protection Act is expected to be enacted in 2018.
We process personal data to enable us to provide a range of services to local people and businesses; as such we may require your personal data to:
- deliver public services
- contact you by post, email or telephone
- understand your needs to provide the services that you request
- understand what we can do for you and inform you of other relevant services and benefits
- obtain your opinion about our services
- update your customer record
- process financial transactions
- prevent and detect fraud and corruption in the use of public funds
- allow us to undertake statutory functions efficiently and effectively
- make sure we meet our statutory obligations including those related to diversity and equalities
The purpose of processing will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.
The law on data protection sets out a number of different reasons for which personal data may be collected and processed. Generally, the legal basis for processing by us as a public authority will be one of the following:
- Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the council
- Legal obligation: processing is necessary for compliance with the council’s legal obligation
- Contract: processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract
We may also on occasion process your personal data in the following circumstances:
- Consent: where you have given consent to the processing of your personal data for one or more specific purposes. For example, this is the basis likely to be used if you have signed up to receive any newsletters
- Legitimate interests: where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. This legal basis is not open to us when performing our statutory tasks, however where we are operating on a commercial basis then this legal basis may be utilised
- Vital Interests: where processing is necessary in order to protect the vital interests of you or of another individual. For example, protecting someone or their property from imminent harm or damage.
The legal basis relied upon will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.
The data you provide is protected by rigorous measures and procedures to make sure it can’t be seen, or accessed by, or disclosed to anyone who shouldn’t be allowed to see it.
We provide training to staff who handle personal data and treat it as a disciplinary matter if they misuse or do not look after your personal data properly.
We conduct data protection impact assessments when making changes to processes or systems that hold your personal data.
We have a range of measures in place to protect the physical security of your data. For example, locked confidential waste bins and controlled physical access to our premises.
We have a range of rigorous measures in place to protect the electronic security of your data. For example, centralised firewalls and email filtering protect our network in conjunction with the Kent Public Service Network; patch management, vulnerability scanning and regular penetration testing all ensure the security of our systems; all mobile devices have full disk encryption and utilise 2 factor remote authentication; and we are regularly audited and fully compliant with the Public Service Network code of connection.
We will investigate where we have found that your personal data may have been or has been disclosed inappropriately (data breach) and attempt to recover any data lost. If any breach is likely to result in a risk to your rights or freedoms, we will inform the ICO within 72 hours, and should such a breach result in a high risk to these freedoms, we will contact you without undue delay.
It may sometimes be necessary to transfer personal data to countries outside the European Economic Area. Transfers will only take place when:
- There are procedures in place to ensure your data receives the same protection as if it were processed inside the European Economic Area; or
- With the consent of the data subject; or
- Where required by law
Depending on the purpose for which we process your personal data, we may share it with other organisations. For example, your personal data may be shared, where necessary, with other organisations that provide services on our behalf such as contractors carrying out repairs to council houses. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.
We are signatories to the Kent and Medway Information Sharing Agreement, which provides the framework for sharing personal data between local public sector agencies, where there is a specified explicit and legitimate purpose to do so.
Where we will or may share your personal data with other organisations, this will be explained to you in more detail in a specific privacy notice, provided at the time your personal data is collected.
We will only retain your personal information for as long as necessary to fulfil the purposes for which we have collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and any applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal data in accordance with our data retention policy and applicable laws and regulations.
The length of time we will keep your personal data for will be explained to you in more detail in a specific privacy notice provided at the time your personal data is collected.
Unless subject to an exemption under the GDPR, you have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it
- Request the correction of your personal data when incorrect, out of date or incomplete
- Request erasure of your personal data when there is no good reason for us to continue to process it
- Object to processing of your personal data where we are relying on a public task or legitimate interest legal basis to carry out that processing and there is something about your particular situation which makes you want to object to processing on these grounds. Please note this only applies in certain circumstances, for example, direct marketing or where processing is for the purposes of scientific or historical research
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
- Request the transfer of your personal data to another party. This would allow you to transfer your information to another local authority should you wish to do so. Please note this only applies where the processing is based on consent or is necessary for the performance of a contract with you, and in either case where we process the data by automated means
- To be informed of the processing of your personal data by automated means which results in a decision being made (without human intervention) that has a legal or similarly significant effect on you as an individual. Where these methods of processing are used, you have the right to ask for a council officer to review the decision
- Withdraw consent: where we rely on your consent for a specific process, you have the right to withdraw your consent at any time
You can contact us to request to exercise these rights at any time by contacting The Data Protection Officer, Ashford Borough Council, Civic Centre, Tannery Lane, Ashford TN23 1PL or via FOI@ashford.gov.uk
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). We will usually need to request specific information from you to help us confirm your identity and ensure your right to access the data (or to exercise any of your other rights).
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
We also use Google Analytics so that we can find out how many people visit various parts of the website. This information helps us to find out how effectively our website is working and how to improve it. We do not identify anyone, and we do not allow Google Analytics to identify anyone visiting our website.
We set ourselves high standards when it comes to protecting your personal data. For this reason, we take any complaints we receive from you about our use of your personal data very seriously and request that you bring any issues to our attention.
Where you are communicating with us for the purpose of making a complaint, we will only use your personal data to handle, investigate and respond to the complaint and to check on the level of service we provide.
If having exhausted the complaint process you are not content that your request or review has been dealt with correctly, you can appeal to the ICO to investigate the matter further by writing to:
Information Commissioner's Office
You can contact us by:
Post: The Data Protection Officer, Ashford Borough Council, Civic Centre, Tannery Lane, Ashford TN23 1PL
We keep this privacy notice under regular review and we will place any updated versions on this page. This will help ensure that you are always aware of what data we collect and how we use it.
Version: 1 Last Updated: 21/05/18