Privacy notice for COVID-19
Data protection and COVID-19
This privacy notice is an addendum to the council’s main privacy notices, and it explains how Rossendale Borough Council (as Data Controller) may use your personal data, specifically in relation to the COVID-19 (coronavirus) pandemic.
You may have already provided information for a specific reason, and the council would usually seek to inform you that the data provided would be used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic, this will not always be possible. If we already hold information regarding vulnerability, we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the council.
The Information Commissioner’s Office has published guidance on data handling during the pandemic.
In this current crisis, we may need to ask you for sensitive personal information that you have not already supplied, including your age or if you have any underlying illnesses or are vulnerable. This is so the Council can assist and prioritise its services.
Your personal data
Personal data relates to a living individual who can be identified from that data. Some of your personal data is classed as ‘special personal data’ because this information is more sensitive for example health information, ethnicity and religion and so on.
Why we may need to share your personal data
In this current pandemic, we may share your information with other public authorities, emergency services, and other stakeholders as necessary and only when necessary in a proportionate and secure manner. Contact with you to obtain consent before sharing will not be required for all the reasons described in this notice. Please be assured that protection of personal data remains a priority at this time after the health and safety of everyone.
We will only share your personal information where the law allows, and we always aim to share the minimum data necessary to achieve the purpose required. Further, the information will only be used for the purposes listed and retained for limited specific times.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 allow us to share information for a wide variety of reasons. These are known as our ‘legal bases to process data’.
Data protection laws are written to facilitate valid information sharing, especially in times of emergency which often requires more collaborative working. The legal bases for processing data at the council during the COVID 19 pandemic are as follows:
- Fulfil an explicit statutory or government purpose
- Protect the public
- Satisfy external regulatory requirements
- Provide extra support for individuals with a disability or medical condition
- Safeguard children and individuals at risk, and
- Safeguard the economic well-being of certain individuals.
We also have a duty to comply with the obligations set out in other legislation. The list below shows some common examples, but is not exhaustive:
- Care Act (2014) – this allows councils to share data to promote individual wellbeing, support individual need for care and promote the integration of health and social care.
- Children’s Act (1989) – this allows councils to share data to safeguard and promote the wellbeing of children.
- Homelessness Reduction Act (2017) – this allows councils to share data as part of taking reasonable steps to help applications secure accommodation.
- Digital Economy Act (2017) – this allows councils to disclose information to improve public service delivery or to help reduce debt owed to Rossendale Borough Council.
- Civil Contingencies Act 2004 Part 1 Local Arrangements for Civil Protection – Civil Protection - Disclosure of information 6 (1) A Minister of the Crown may make regulations requiring or permitting the 'provider' to disclose information on request to another person or body listed in any Part of that schedule known as the 'recipient'.
Elements of the data protection law applicable at this time
The council will apply the following sections of the General Data Protection Regulation and Data Protection Act 2018 (other elements may be applied dependent upon emerging events):
General Data Protection Regulation (GDPR):
- Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6 (1) (d) – processing is necessary in order to protect the vital interests of the data subject or of another natural (living) person.
- Recital (more detailed explanation) 46 – The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
- Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 – Processing of special categories of personal data
- Article 9 (2) (c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
- Article 9 (2) (g) – processing is necessary for reasons of substantial public interest.
- Article 9 (2) (h) - processing is necessary for the purposes of preventative or occupational medicine, where is it necessary for the provision of social care, the provision of health care or treatment or for the management of a health or social care system.
- Article 9 (2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health or ensuring high standards of quality and safety of health care.
Data Protection Act 2018 (DPA):
Part 2, Chapter 2
- Section 7 (2) – Data Controller that is 'public authority' or 'public body' for the purposes of GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
- Section 8 – Lawfulness of processing: public interest
SCHEDULE 1, (Special categories of Personal Data), Part 1 (Conditions relating to Employment, Health and Research etc.),
This condition is met if the processing is:
- necessary for the reasons of public interest in the area of public health and
- carried out by:
- or under the responsibility of a health professional, or
- another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
SCHEDULE 1, (Special categories of Personal Data), Part 2, Substantial Public Interest Conditions
Paragraph 16, Support for individuals with a disability or medical condition
This condition is met if the processing:
- can reasonably be carried out without the consent of the data subject
COVID-19 Grants / Financial Support
How we will use your information
We will use your information to assess your application for any grant / financial support that you apply for. We will confirm information about you and your account from credit referencing agencies to confirm account validity and your identity. If you provide false or inaccurate information, we will record this.
Rossendale and other fraud prevention agencies may use and search these records to prevent fraud and money laundering.
What are the new services
Equifax Bank Account Verifier provides the ability to verify ownership of a bank account. It does this by linking the sort code and account number to the consumer’s name and address. This can be used as a means of confirming identity, validating payment details in order to reduce the risk of fraud or to satisfy paperless Direct Debit compliance requirements. The service includes:
- Bank Account Verifier – validity checks on the supplied sort code and bank account number based on data held by Equifax;
- Bank Check – confirmation check on the supplied bank code and sort number based on BACS data;
- Include Linked Addresses - this will include linked addresses within the search, possibly revealing additional addresses unknown by the searcher. Only addresses where there is definite data for the individual will be returned;
- Telephone Number Retrieval - provides the landline number from the BT OSIS database, if such a number is available and associated with the subject. Ex-directory numbers will not be returned;
- Home Telephone Check – confirmation check on the supplied telephone number and STD code against the BT OSIS database.
TransUnion Call Validate
The TU consumer bank account verification service delivers the following functionality:
- Confirmation that the consumer bank account is genuine, with information returned on the issuing bank, along with details of the payment services that bank account can support;
- Attempted linking of the presented individual and consumer bank account to the same individual and consumer bank account within the TU credit bureau database;
- An ‘Ownership Fraud Alert’ where the presented consumer bank account might be linked to another individual. Compliant consumer bank account ownership data is returned. For example, the presented account may belong to a spouse or partner in the same household (so may be acceptable) or belong to another individual, in a different location (is likely to be fraudulent);
Attempted linking of the presented individual and consumer bank account to other TU available bank account data, not present within traditional credit referencing
Rossendale Borough Council provides a wide range of services. To provide some of these services we need to collect and use appropriate personal information; this may be collected either in person, over the phone, via email or through the forms on our website.
This Privacy Notice only covers Rossendale Borough Council websites. It does not cover links within this site to other externally operated websites. If you transfer to another site, please read the Privacy Notice or Statement relating to their information.
When you contact us, we may ask you for personal information such as your name, address, postcode etc. We will only use this information to provide you with the service you have requested. If we need to use the information for any additional purposes or uses, we will let you know when we collect it. Sometimes we have to share or confirm personal information with other organisations; if we need to do this, we will make it clear to you on the forms, you complete to give us your information.
When you use these websites, you are agreeing to this statement and any additional statements on individual pages within the sites. We may change this information without notice, so you should revisit this page and any other relevant pages from time to time.
We are committed to compliance with Data Protection legislation. We will make every effort to keep your personal information safe, accurate, up to date and keep it for no longer than is necessary.
Data Protection Statement
Any personal information provided will be treated in accordance with the General Data Protection Regulation and only used for the purposes stated when we collect the information.
In addition to the purposes we state when we collect the information, it will also be processed in line with purposes identified on our Data Protection Registration held by Information Commissioner’s Office.
It will only be shared within the Council if another department needs to respond to a specific query or question and for those purposes required by law.
Under the Act, we have a legal duty to protect any information that we collect from you and we treat all the information you provide in confidence. We take measures to safeguard your data and apply security standards and controls to prevent any unauthorised access to it.
For a guide to data protection visit the Information Commissioner’s website. You are entitled to copies of any personal information that Rossendale Borough Council hold about you.
Fair Processing Notice
How Rossendale Borough Council may use your details
We collect, process, and hold personal data in order to provide public services. The information may be collected on paper, online forms, by telephone, email, CCTV or by members of our staff, or one of our partners.
We need to collect and process your information for the following purposes:
- To deliver public services.
- To ensure we meet our legal obligations.
- To provide the service you requested.
- To monitor and improve performance in responding to your service request.
- To obtain your opinion about our services.
- To contact you by post, email or telephone.
- To process financial transactions.
- To prevent and detect fraud or crime.
- To collect monies owed to the Council.
We may process your information overseas using services that are hosted inside the European Economic Area, but only with data processing agreements that meet our obligations under the Data Protection Act.
We will only keep your information for as long as it is required. The retention period is either set by law or by our information retention policies. Once your information is no longer required, it will be destroyed securely and confidentially.
We will inform you if we record or monitor any telephone calls you make to us. We do not record any financial card details if you make payments to us over the telephone.
If you email Rossendale, we may keep a record of your contact, your email address, and the email. For security reasons we will not include confidential information about you in any emails we may send to you, unless you consent to this.
We suggest that you keep to a minimum the amount of confidential information you send to us via email. Emails sent through the internet may not be secure. They could be intercepted and read by someone else. Please consider this before you send personal or sensitive information by unencrypted email.
Our secure-server software ‘encrypts’ all your personal information including your name and address, and credit or debit card numbers if you make an online payment. This means your information is converted to bits of code that is unreadable to other people, websites or organisations. We translate the code back into information for our use. If you make an online payment, we transmit the entire credit or debit card number to the appropriate card company.
General access to Rossendale Borough Council’s public web site (www.rossendale.gov.uk) does not store or capture personal information, but logs your Internet Protocol (IP) address and details of which version of web browser you are using.
Rossendale Borough Council’s public website may request personal information when you:
- Complete an online form or survey
- Sign up for an account on any Rossendale.gov site
- Apply for a job vacancy
- Make an online payment
- View and comment on Planning information
- Send you an email with details on how to change your password if you forget it
Respecting your privacy
We respect your privacy. Information you provide, or that is gathered automatically, helps us monitor our service and provide the services you are entitled to as a resident of Rossendale or visitor to our website.
We will request proof of identity before we give you any personal information this includes all subject access requests.
Please protect against unauthorised access to your passwords and to your computer or mobile device. You should always log out of secure sites – especially when you use a shared computer.
We aim to have a secure and reliable website, and use appropriate security technology to protect any sensitive personal data we process about you. Your use of the internet, and this website, is entirely at your own risk. We have no responsibility or liability for the security of personal information transmitted over the internet.
Rossendale do not make your personal details available to other companies for marketing purposes, but we may share those details with partner organisations that we use to help deliver services. We may also share non-personal details with those organisations, for use in compiling statistics for example.
If requested we may share information with law-enforcement or government authorities, for a criminal investigation.
If you’re require more information on cookies click https://www.rossendale.gov.uk/cookies
These sites may collect information about your internet activity, including if your visit to our site (even if you do not click on the button if you are logged on to their site). You should check the privacy and cookies policy of each of these sites to see how they use your information and find out how to opt out and delete such information.
Our website does not require you to input personal data to use it. You may however volunteer personal data such as your name, email address to book services make payments, and request information about our services. That information is required to deal with your query appropriately.
Your rights under the EU General Data Protection Regulations (GDPR).
·The Right to be informed
You have the right to be informed about how your data is processed, via Privacy Notices such as this.
·The Right of Access
You have the right to access the personal information we hold about you.
·The Right to Rectification
We endeavour to ensure that information we hold about you is correct and up to date. You may find that the information we hold is no longer accurate. Please contact the Council to have the information corrected.
·The Right to Erasure
You have the right to have your personal data erased and to prevent processing in specific circumstances:
- Where the data is no longer necessary in relation to the purpose for which it was originally collected
- When you withdraw consent for the data to be processed
- When you object to the processing of the data and there is no overriding legitimate interest for continuing the processing
- Your data was unlawfully processed
- Your information has to be erased in order to comply with a legal obligation
However, we may refuse to comply with your request for erasure for the following reason:
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- The exercise or defence of legal claims
- To exercise the right of freedom of expression and information
- For public health purposes in the public interest
- Archiving purposes in the public interest, scientific interest, historical interest or statistical purposes
·The Right to Restrict Processing
You have the right to ask us to stop the processing of your personal data. However, this may cause delays or prevent us providing/delivering a service to you.
·The Right to Data Portability
You have the right to request your personal data in a structured, commonly used, machine-readable format.
·The Right to Object
You have the right to object to your personal data being processed at any time.
·Rights in Relation to Automated Decision Making Including Profiling
You have the right to insist on human intervention if a decision is based on the result of automated processing.
Information Security Incident
Should you wish to report or suspect a security incident in relation to the personal information we hold about you please contact the Council’s Data Protection Officer (details below).
For further information about the use of your information or to request a copy of your personal information held by Rossendale Borough Council, please contact:
Data Protection Officer
Rossendale Borough Council
Changes to this privacy notice
We will regularly review and update this privacy notice to comply with changes in Data Protection legislation and to reflect changes in our services.