Data protection law controls how organisations, businesses and the government use your personal information.
At Brentwood we keep all of your records on secure computer systems and in secure manual filing systems. We will tell you:
- how we use this information
- who we might share it with
Asking for your information
You can ask us for a copy of all the personal information that we hold about you. This could be from our computer systems or paper files.
By law, you have the right to get:
- confirmation that information about you is being processed
- access to your personal information
A request for this information is called a 'subject access request'.
You can download our guide to data protection and your rights below.
For more about your data protection rights, go to the Information Commissioner's Office website.
Data sharing to detect fraud
It is estimated that fraud costs UK local government more than £2 billion per year.
Councils and other public bodies across Essex are working together to reduce this problem. The work includes sharing information from a number of databases held by all councils in Essex.
The law allows us to share the information we hold on individuals and organisations to detect and prevent fraud.
One example of fraud concerns the council tax single person discount, which reduces council tax bills by 25% for adults who live on their own. We are aware some people claim discounts to which they are not entitled – for example, where individuals in a new relationship allow their partner to move in with them, but do not tell us of this change in their circumstances.
We will carry out 'data matching' to help detect and prevent fraud. This is when computer records of an individual are compared between different databases. These could be our own databases, or a database in a different organisation.
Data matching helps us find fraudulent claims and fraudulent payments.
Data we will share to detect and prevent fraud
We will share data with Essex councils and other public bodies, from the following services:
- adults' and children's social care
- Blue Badge parking
- council tax
- housing – existing tenants, waiting lists, homelessness
- housing benefit
- national non-domestic rates
- planning and building control
- residents' parking permits
- taxi licensing
From these services, we will share the following items of personal data:
- date of birth
- National Insurance number – where held
- income data – where held
- dates of occupation and vacation of property – where held
Our information sharing protocol is our data sharing agreement with the organisations we work with.
Our basic legal requirement is to make sure you know what we intend to do with your information and who it will be shared with.
There may be times when we share your information with those who work on our behalf to provide you with the service you need.
Sometimes we may need to ask other agencies or organisations for relevant information about you, to fulfil our legal responsibilities or to provide services. For example, this could be to enable them to carry out their legal duties, or where it is necessary to prevent harm to yourself or other individuals.
We have a duty to:
- keep sufficient information to provide services and fulfil our legal responsibilities
- keep your records secure and accurate
- keep your information only for as long as is required
You can help us by:
- letting us know when you change address or name
- telling us if any of the information we hold about you is wrong
- allowing us to share as much information about you as we need to
We will only process your personal data if either:
- you have given consent to the processing
- you have entered into a contract with us or, at your request, we are taking steps to enter into a contract with you
- we must comply with a legal obligation
- we must protect your vital interests or those of another person
- we must carry out a task that is in the public interest
- we must pursue our legitimate interests or those of a third party
'Personal data' is any information about a person where the information includes details that can be used to identify the person – for example, by name, location, a reference number or a description.
Special categories of personal data
Some types of data are classified in special categories – for example:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- sex life or sexual orientation
- health data
- genetic data
- biometric data for the purpose of uniquely identifying a person
We will only process special categories of personal data if either:
- you have given explicit consent to the processing
- we must carry out tasks under employment, social security or social collective law
- we must protect the vital interests of a person who is physically or legally unable to give consent
- processing relates only to members or former members of the council – or those who have regular contact with it in connection with those purposes – and provided there is no disclosure to a third party without consent
- data has already been made public by the individual
- we must establish, exercise or defend a legal claim
- processing is necessary for reasons of substantial public interest
- processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of law or a contract with a health professional
- we must protect the public interest in public health
- we must enable archiving of data that has a public interest – that is, scientific research, historical research or for statistical purposes
Criminal offence data
We are a 'competent authority' for the purposes of law enforcement, and are required to process criminal offence data. Departments that must process criminal offence data include our Youth Offending service and Corporate Fraud service.
Criminal offence data is personal data that relates to criminal convictions, including types of data about criminal allegations, proceedings or convictions that would have been classed as 'sensitive personal data' under the Data Protection Act 2018.
Criminal records disclosed during the recruitment process are not processed as criminal offence data for the purposes of law enforcement.
Law enforcement purposes refer to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threat to public security.
We will only process criminal offence data if:
- one of the conditions listed for 'sensitive personal data' above applies
- we are processing the data in an official capacity, or have specific legal authorisation and are compliant with additional safeguards set out in data protection legislation
Why we collect and store personal data
For some of our services we need your data so we can get in touch with you, or provide the service. We always try to make sure the information we collect is correct and isn't an invasion of your privacy.
When we don't directly provide the service, we may need to pass your personal data to the people who do provide the service. They must keep your details safe and secure, and use them only to fulfil your request. We will usually only pass your sensitive personal data onto a third party once we have your permission, unless we are legally required to do so.
How long we keep your information
In some instances the law sets the length of time information has to be kept. In most cases, however, we use our discretion to make sure we don't keep records for longer than we need to.
We will always try to keep your personal data secure, whether it is held on paper or electronically. Our privacy statement is our commitment to you when you access our services online.
Using your personal data
We will use the information you provide:
- for the provision of council services
- for regulatory, licensing and enforcement functions
- for all financial transactions, including payments, grants and benefits
- to ask your opinion on our products and services, where you have given us permission
- to make sure we meet our legal obligations, including those related to diversity and equal opportunity
- to train our employees
- to investigate any complaints you might have about services we deliver
- to keep track of spending on our services
- to help with research and planning of new services
Profiling and automated decision-making
Profiling means any form of automated processing that uses personal data to:
- evaluate certain personal aspects relating to a person
- analyse or predict aspects of a person’s economic and health situation, reliability, personal preferences and interests
Automated decision-making means any processing that is carried out by automated means without any human review element in the decision-making. For example, carrying out credit check searches to detect and reduce fraud.
We may use your information from the services with which you engage to create a single view and profile of you. This will help us better understand your specific needs and make sure we are providing the right and efficient services to you in accordance with your needs. It will also create one accurate record of your basic personal data across all our services, with details such as:
- your name
- date of birth
- email address
- changes in circumstances
Profiling will be carried out only when necessary to provide you with the service you requested, or where required by law, or where the law allows. We will notify you if we do this and will ask for your consent where required.
You have the right to:
- be informed about how and why your data is being processed
- access the data held about you
- request changes to be made if the data we hold about you is wrong
- request that the data we hold about you be deleted, in certain circumstances
- request that we limit the processing of your data, in certain circumstances
- data portability – this means we may be able to transfer the data we hold about you to another organisation
- object to your data being processed, in certain circumstances
- withdraw your consent
- complain about the way your data has been processed
- be told if decisions are being made using automated methods or if profiling is taking place
You should contact us using the details at the end of this page if you would like to:
- make a request for your data to be changed, deleted or transferred to another supplier
- withdraw the consent you have given to us to process your information – withdrawing consent may have an impact on the services we are able to provide to you
- complain about the way your data has been handled
- make another request with regards to the list of rights above
How we accept your data
Sometimes someone may call us on your behalf. We will accept calls in good faith and record information we are told about on your record. If we need to send a staff member out to investigate or fix anything, we will.
Sometimes we find the calls were a hoax, or misleading. We do not wish to put bureaucracy in the way of services, however, by refusing to act in good faith – especially in an emergency.
Although we may take calls about you or your account, we will not talk about you or your account with anyone but you unless you have given us permission to do so.
You should contact us immediately if you suspect someone unauthorised has called us and put incorrect information on your record.
Information sharing protocol
Sharing information about individuals between organisations is often essential to keep people safe, or make sure they get the best services.
The information sharing protocol below is our agreement with the organisations that we work with.
This protocol sets out the obligations on staff in public, voluntary and independent sectors:
- to share or disclose information about clients
- to maintain confidentiality
It does not impose any new obligations. It reflects current regulations and legislation. This document is an overarching information sharing protocol for the Thurrock community. Individual organisations will need to agree individual protocols that deal with more specific issues – eg crime and disorder or the sharing of information about children. Individual protocols will need to refer to and be compatible with the requirements of this protocol.
2. Organisations covered by this protocol
This protocol has been developed to meet the information security requirements for sharing person identifiable information across the organisations listed.
This overarching protocol contains the various legal and government requirements regarding the safe and secure handling of information. It is supplemented by the individual policies and operational protocols of the organisations signing up to this overarching protocol. Each organisation will need to address the requirements for ensuring the secure and confidential sharing of person identifiable information internally. Each organisation will also need to ensure that these requirements are communicated to staff that provide advice and information to clients either directly or indirectly.
The signatories to this protocol recognise the importance of sharing person identifiable information for the purpose of improving client services, protecting the public and responding to statutory requirements. They also recognise the importance of having clear guidelines to follow and ensuring that this information is shared in a secure and confidential manner and in accordance with the law, including the common law of confidentiality, the Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA) and for the health and social care community, Caldicott recommendations. This protocol will explain the principles that must be followed to ensure the proper and safe exchange of information between organisations.
5. Legal requirements
There are legal requirements that must be considered and complied with to ensure an individual's rights are respected. Standards and procedures are in place to ensure the organisations involved do not breach these legal requirements.
There is no single source of law that regulates the powers that a public body has to use and to share person identifiable information. The collection, use and disclosure of personal information are governed by a number of different areas of law.
The main pieces of legislation governing an individual's rights are:
- Computer Misuse Act 1990
- The General Data Protection Regulation
- Human Rights Act 1998
- The Data Protection Act 2018
- Crime and Disorder Act 1998
- Freedom of Information Act 2000
- Regulation of Investigatory Powers Act 2000
6. Designated officers
Person-identifiable information must be exchanged only between Designated Information Sharing Officers*. All organisations should have a Designated Officer responsible for information security and confidentiality. For the purposes of information sharing a Designated Officer can be nominated to process or initiate requests for person identifiable information made between organisations.
Health and social care organisations are likely to have a Caldicott Guardian whose role will be the same as a Designated Officer. Other organisations might have an individual with specific responsibility for information management who would act as the Designated Officer.
*The exception to the above is the routine sharing of person-identifiable information (refer to 7.1 for more details). The Designated Officer will need to make an initial assessment only on whether information can be shared routinely or not (in reference to the Data Protection Act 1998).
7. Sharing of information
Organisations may only share person identifiable information about their clients in accordance with the 8 data protection principles contained within the Data Protection Act 2018.
To obtain, use, disclose, share or destroy person-identifiable information, a condition in schedule 2 of the Data Protection Act 2018 must be met.
In addition, if the information being used, disclosed, shared or destroyed is sensitive (section 7.2), a condition in schedule 3 of the Data Protection Act 2018 must also be met.
The person requiring information from another organisation should submit their request in writing through the Designated Officer.
7.1 Routine and non-routine information sharing
A routine disclosure of person identifiable information is one that happens as a matter of course and is usually essential for the smooth running of a service – for example, information from the Benefits Section to the Department for Work and Pensions. As per section 6, however, the Designated Officer still needs to assess whether the routine sharing of the information in question is necessary or not.
Where it has been assessed that routine disclosures of person identifiable information are appropriate, they should be logged and regularly reviewed by the Designated Officer.
If there is a possibility that routine sharing could take place, clients will need to be made aware that their information may be shared in this way and for what purpose(s). Unless for exceptional reasons (refer to 7.4), client consent will still be required.
If the client refuses to give consent or only gives consent to the sharing of certain information, the client must be made aware of how the service they receive may be affected – for example, the client may no longer be able to receive the service in question.
Non-routine sharing of information is sharing that does not happen as a matter of course – for example, police requests for information. Non-routine sharing must be authorised every time by the Designated Officer.
7.2 Sensitive information
The organisations/agencies signing up to the protocol agree to recognise the sensitivity of information about the following:
- racial or ethnic origin
- political opinions
- religious or other similar beliefs
- trade union membership
- physical and mental health
- criminal offences and proceedings
Organisations/agencies are required to adhere to a condition in Schedule 2 and Schedule 3 of the DPA 1998 in respect of such information.
The Data Protection Act 1998 specifies that personal identifiable information should only be used for specific purposes and shared only for justifiable reasons.
Consent is required from all persons whose information is to be shared with other organisations unless there are statutory grounds or other overriding justification for doing so (see exemptions 7.4).
This protocol recommends that consent should be in permanent form (ie written) and should not be assumed or implied. Obtaining 'explicit' written consent minimises the margin of error or confusion. Explicit consent should always be gained (subject to exemption) in relation to the sharing of person identifiable information classed under the Data Protection Act 1998 as sensitive (schedule 3).
The consent gained should be sufficient to cover the needs of a particular 'piece of work' or situation. If the situation or remit of the work changes, the original consent gained may no longer be sufficient.
In seeking consent to disclose personal information to another agency party to this protocol, the individual will need to be made fully aware of:
- the nature of the information that will be shared
- who the information will be shared with
- the purposes for which the information will be used
- other relevant details including their right to withhold or withdraw consent
- the potential consequences of not sharing information
In addition to the above, the organisation sharing the information should:
- anonymise or pseudo-anonymise the data wherever possible
- keep disclosures proportionate
- ensure that there is a justifiable need to know
Consent to disclose person identifiable information should be limited to the duration of the 'piece of work'.
Once the 'piece of work' has been completed, the consent given will be deemed to have lapsed.
Consent must be gained again if a similar or subsequent piece of work needs to be undertaken.
If the client decides to withdraw the consent that has originally been given or places a restriction upon personal information to be shared, no further personal information should be disclosed (unless an exemption applies) – this should be conveyed to any other agency involved.
If the client does withdraw their consent, any impact on the service that they are receiving must be explained and recorded.
7.4 Exemptions to gaining consent
There will be a limited number of situations when consent will not be required in order to share person-identifiable information about the client.
The advice and authorisation of the Information Manager / Designated Officer must always be sought prior to the sharing of information without consent taking place.
The main circumstances where sharing without consent occurs are:
- where there is concern that informing them about the disclosure would be likely to cause harm (including serious self-harm) to an individual, and information needs to be disclosed in order to protect that individual or others in society
- where informing the client would be likely to prejudice the detection and prevention of crime
- where informing the client would be likely to mean national security would be compromised
- where informing the client would be likely to prejudice regulatory functions conferred by enactment
- where disclosure is required by enactment, or for legal proceedings.
Organisations signing up to this protocol should be clear about what information should be withheld from the client, in line with Data Protection Act exemptions listed above.
Police requests for personal identifiable information should be processed through the designated officer and must be on a section 29 request form.
7.5 Recording of disclosure
Both organisations/agencies disclosing and those receiving disclosed information should have procedures in place for recording the details of the information including:
- request for sharing should be from a Designated Officer or authorised person
- reason for information being disclosed
- if without consent, justification and who authorised
- who gave the information
- who received the information
8. Onward transmission of person identifiable information
The disclosing organisation retains ownership of the data and any recipient must undertake not to disclose it without the consent of the data owner. Organisations should have procedures in place to ensure the safe and secure transportation of person identifiable information.
9. Organisational responsibility
Each organisation will ensure that:
- all staff are made aware of information security and confidentiality issues and the need to follow this protocol
- the Designated Officer is widely known within the organisation
- requests for information are responded to within a reasonable time scale, as agreed in local/specific protocols
10. Review of this protocol
The provisions of this protocol will be reviewed regularly, at intervals of no longer than 2 years.
The Regulation of Investigatory Powers Act 2000 (RIPA) regulates how local councils carry out investigations.
Types of investigation include:
- surveillance – for example, CCTV recordings
- interception of communications – for example, private emails
- covert human intelligence sources – for example, someone who forms a relationship with another person to get information
Subject access request
You can ask us for a copy of all the personal information that we hold about you. A request for this information is called a 'subject access request'.
You must provide photo identification (ID) when you make a subject access request. This helps us make sure we give the information to the right person and not someone trying to impersonate you.
It will help us find your information if you:
- include full details about yourself – for example, date of birth, account numbers, previous addresses
- tell us which information you are looking for
You have the right of access to any personal information the council holds about you. To request a copy of this information, you must make a subject access request in writing, via our online form below:
You can also ask for the information in writing, by post, by email or verbally.
The Data Protection Officer
Corporate Support Service
Brentwood Borough Council
Essex CM15 8AY
We will provide you with one copy of the information free of charge.
By law, we can charge a 'reasonable fee' or refuse to respond when requests are 'manifestly unfounded or excessive' – for example, repeated requests for the same information within the same year. The fee amount will be based on the cost of providing the information.
Responding to your request
Usually we will send you the information within 20 working days of receiving your application and photo ID. We may extend this by a further 40 working days if requests are complex or numerous. When we need to do this, we will tell you within 20 working days and explain why it's necessary.
If your request is made online, we will send you the information in a common electronic format.
If you need the information to be printed, we will send you a single copy free of charge. If you need more copies, there will be a charge to cover our costs.
Refusing your request
Your request will be refused if:
- it is not received online or in writing
- you do not provide an acceptable form of ID
- your request is identical to a recent request to which we've already responded
- we consider the request to be manifestly unfounded or excessive
We will explain our reasons for refusing – and your right to complain – within 20 working days.
Information we cannot provide
There are certain circumstances when, by law, we will not be able to provide you with copies of your personal information. When we make this decision, we will explain the reason.
Examples of information we cannot provide include:
- references provided by us in confidence to a third-party
- information relating to an on-going council restructure that could result in redundancies or changes to employment terms
- social care or health records in situations where we believe disclosure could cause serious harm to the physical or mental health of the individual – this decision would be made by a qualified social worker or health professional