How we manage your personal data
Stirling Council needs to collect, store, use, share and dispose of personal data to deliver services as a local authority. Together, those activities are referred to as data processing.
On 1 January 2021 the transition period for the UK leaving the EU came to an end. The GDPR (General Data Protection Regulation) will be retained in UK domestic law. The ‘UK GDPR’ will sit alongside an amended version of the Data Protection Act 2018. We refer to this legislation as data protection laws.
When we collect personal data, we must tell you why we need it, and what we will do with it. This information is called a privacy notice.
This privacy notice explains how we process your personal information as a council. More specific information will also be provided by council services when you use them, and can also be found in our Register of Data Processing.
Data controller
Organisations or individuals that determine how your personal information will be processed are known as data controllers. Data controllers must, by law, pay a fee to register with the Information Commissioner, who promotes and enforces data protection laws within the UK.
Stirling Council is registered as a data controller (registration number: Z6893154). You can see our entry in the Information Commissioner’s Register of Data Controllers.
Data protection officer
The council has a data protection officer to make sure it complies with data protection laws. You can contact the data protection officer using our online form or you can email dataprotection@stirling.gov.uk
Data collection
The personal data we hold about you may be collected on a paper or online form, by telephone, email, CCTV, by a member of our staff, or one of our partners. When we collect and process your personal information, we are committed to the principles set out in data protection laws.
Those principles protect you and make sure that:
- we tell you why we need your information and what we will do with it
- we don’t use your information for a different reason than the one we have told you about (the exception to this is if we have to do so by law, such as to prevent and detect crime)
- we only collect information we need
- we collect accurate information and, where necessary, keep it up to date
- we do not keep your information for longer than we need to
- we keep your personal information secure
Categories of personal data
We process personal data and special category data.
Personal data is information which can be used to identify you such as your name, address, date of birth, or a unique identifier such as your National Insurance number.
Special category data is more sensitive information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
Purpose of processing personal data
We process personal data to allow us to provide services such as schools, social care, housing, transport, and environmental services. We also process personal data to fulfil certain legal responsibilities including collecting Council Tax, paying benefits and grants, planning services and enforcement, licensing, trading standards, and food safety.
On occasions, we may keep your personal data within the council’s archives for evidential and historical reasons, or use it for research and statistical purposes. For example, to understand more about the health and care needs in your area.
It will sometimes be necessary to process personal information to protect individuals from harm or injury, to prevent and detect crime, to comply with legal orders, and to provide information in accordance with a person’s rights.
The council will only process your personal information when it is lawful to do so. The reasons that allow us to process personal information include:
- it is necessary to provide a council service
- it is required by law
- it is necessary to protect someone’s life
- it is necessary as part of a contract
- you have given us permission to do so
Our Register of Data Processing sets out the activities that involve the collection and use of personal information and the reason why we can process your information lawfully. The Register provides more detail about how we use personal data for specific activities and services.
If we need your permission to process your personal information, we will ask you. If you wish to withdraw your consent, you can do so by contacting the data protection officer.
Information sharing
Sometimes we will share your personal data between teams within the council, and with external partners and agencies involved in delivering services on our behalf. This is to provide you with efficient services.
We may also provide personal data to third parties, but only where it is necessary, either to comply with the law or where permitted under data protection laws.
Examples of organisations who we may share your data with include, but are not limited to: NHS Forth Valley, Police Scotland, HM Revenue & Customs, Department for Work & Pensions, voluntary organisations and care providers. Our service-specific privacy notices are in our Register of Personal Data Processing. They set out the recipients or organisations involved in providing services on our behalf, or with whom we share personal information.
We will only share your data with partners or suppliers who have sufficient measures and procedures in place to protect your information and can meet their legal obligations under data protection laws. These requirements will be set out in contracts or information-sharing agreements.
We will not share your data for marketing purposes unless you have specifically given us permission to do so.
The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies throughout the United Kingdom to prevent and detect fraud. Stirling Council, which participates in the NFI, is required by law to protect the public funds it administers. We may share certain information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
Details of transfers to third country and safeguards
Your information will normally be stored and processed on servers based within the UK. While it may sometimes be necessary to transfer personal information overseas, any transfers will be in full compliance with data protection laws, ensuring the appropriate Standard Contractual Clauses or other relevant safeguards are in place and will be recorded in our Register of Data Processing.
Retention periods
We will not keep your information for any longer than it is needed, and will dispose of records (paper and electronic) in a secure way. The length of time we need to keep information will depend on the purpose for which it is collected. The council has a record retention schedule which sets out how long we keep records and the reason why.
Your rights
You have the following rights under data protection laws. If you have a request under any of these rights, you can make a subject access request.
- The right to be informed about how we collect and use your personal information, through privacy notices such as this.
- The right to request information we hold about you. This is known as a subject access request and is free of charge. We must respond within one month, although this can be extended to three months if the information is complex.
- The right to rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner
- The right to erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example, if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
- The right to restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example, if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. We must tell you if we decide to lift a restriction on processing.
- The right to data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine-readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task.
- The right to object. You can object to your information being used for profiling, direct marketing or research purposes.
- You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
The Information Commissioner's Office provides further information about these rights, including how you should expect us to respond to any requests.
Collecting information automatically
See our cookies page for further information about the information we collect automatically when you use our website.
Incidents and breaches involving personal data
If you are concerned about what we do with your data or think something has gone wrong with how the council handles personal data, email the data protection officer to report a data protection incident.
Complaints and comments
If you want to complain about or comment on how we have processed your personal information, you should email dataprotection@stirling.gov.uk
If you are still unhappy with how the council handled your complaint, you can contact the UK Information Commissioner's Office at:
The Information Commissioner,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire SK9 5AF
Phone: 0303 123 1113
You can find further information on the Information Commissioners Office website.
Changes
This privacy statement was last amended in December 2020.