Personal data breach investigations notice

Find out how Stirling Council uses personal data by checking the Council’s website at the following address:

https://www.stirling.gov.uk/privacy-statement/

Our website contains a Register of Data Processing which lists all the different ways
in which the Council uses personal data.

This Privacy Notice provides more information about just one of those processes.

The Council has a Data Protection Officer to make sure it is complying with data protection laws.

They can be contacted at:

Data Protection Officer
Stirling Council
Old Viewforth
14-20 Pitt Terrace
Stirling
FK8 2ET

Email: dataprotection@stirling.gov.uk
Telephone: 01786 404040

The Council is required to investigate breaches and potential breaches of data protection legislation.

Personal data is processed in order to conduct the information incident investigation.

Collected for correspondence purposes. Shared for investigation purposes. Stored and destroyed according to retention schedule.

Personal data may relate to the person reporting the data breach. Investigation of the breach may involve processing any personal data already held by the Council in relation to its services.

We process this personal data to comply with astatutory obligation. In this case, Data Protection legislation requires us to investigate personal data breaches and, if necessary, report them to the Information Commissioner.

We may be notified about an information incident by an external party or by an employee of Stirling Council. The notifier will supply their own personal data. The investigation will involve personal data already held by the organisation.

Electronic - Shared drive (excel spreadsheets, correspondence folders), Outlook Paper – Records centre.

Information will be retained for the current financial year plus 3 years.

We may need to share personal data with the Information Commissioner if the breach is reportable.

You have the following rights under data protection laws. If you have a request under any of these rights, you can make a subject access request.

Access to your information

You have the right to request a copy of the personal information that we hold about you. This is known as a subject access request and is free of charge.  We must respond within one month, although this can be extended to three months if the information is complex.

Correcting your information

We want to make sure that your personal information is accurate, complete and up to date. Therefore you may ask us to correct any personal information about you that you believe does not meet these standards.

Deleting your information

You have the right to ask us to delete personal information about you where:

• you think that we no longer need to hold the information for the purposes for which it was originally obtained
• we are using that information with your consent and you have withdrawn your consent - see the 'withdrawing consent to using your information' section below.  Please note that in general we do not rely on consent as the legal basis for processing your personal information
• you have a genuine objection to our use of your personal information - see 'objecting to how we may use your information' below
• our use of your personal information is contrary to law or our other legal obligations.

Objecting to how we may use your information

You have the right at any time to tell us to stop using your personal information for direct marketing purposes, profiling or research purposes. 

Restricting how we may use your information 

In some cases, you may ask us to restrict how we use your personal information.  This right might apply, for example, where we are checking the accuracy of personal information that we hold about you or we are assessing the objection you have made to our use of your information. 

This right might also apply if we no longer have a basis for using your personal information - but you don't want us to delete the data.  Where this right is realistically applied will mean that we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.

Withdrawing consent to use your information

Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.

Your request to transfer your data

If we are processing your personal information with your consent or as part of a contract with you, and it is held in an accessible and machine-readable format, you have a right to ask us to transmit it to another organisation. This is known as the right to data portability.

Our profiling or automated decision-making processes

We make some use of automated decision-making processes but very little use of profiling.  Where these techniques are used, this will be explained in the specific privacy statements relating to those functions, together with a description of the reason involved in any automated decision-making.

If you want to complain about or comment on how we have processed your personal information, you should email dataprotection@stirling.gov.uk

If you are still unhappy with how the council handled your complaint, you can contact the UK Information Commissioner's Office at:

The Information Commissioner,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF

Phone: 0303 123 1113

You can find further information on the Information Commissioners Office website.