The UK General Data Protection Regulation and the Data Protection Act 2018 require us, Canterbury City Council, as a data controller, to tell you in concise, transparent, intelligible and easily accessible form how we will process your personal data. For the purposes of this privacy notice we prefer to refer to ‘personal data’ as ‘personal information’. This privacy notice sets out how we will use any personal information we hold about you, who we will share it with and how we will protect your privacy. It also contains information about your rights. This privacy notice is published by us.

What is personal information?

Personal information can be any information that relates to or identifies a living person. Typically, and at its most simple, it could include a name, date of birth, postal address, email address, telephone number and debit or credit card details.

The law regards some personal information as being in a special category. This special category of personal information is given more protection by the law and includes information about an individual's:

- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics (where used for ID purposes)
- health
- sexual orientation

Where we want to use or share special category personal information we have to identify both a legal basis from one of those set out below and, in addition, satisfy further conditions.

What we are required to tell you

Where we hold personal information about you that we have collected from you, we are required to provide you with certain information. We have set out the information which we are required to provide you below. We consider that this is the best way of providing the information to you in a clear, transparent, intelligible and easily accessible form. This privacy notice will be supported by further service specific privacy notices where appropriate.

The right to object

We are required to explicitly bring to your attention, clearly and separately from any other information, the existence of the right to object. This is the right to object to processing based on the performance of a task in the public interest, exercise of official authority or our legitimate interests (including profiling), direct marketing (including profiling), and processing for purposes of scientific or historical research and statistics. Further information is given below.

Name and contact details of the data controller

Canterbury City Council
Military Road
Canterbury
CT1 1YW
email@example.com

Contact details of the data controller's representative

Corporate Governance Division
Canterbury City Council
Military Road
Canterbury
CT1 1YW
firstname.lastname@example.org

Contact details of the Data Protection Officer

Matthew Archer
Data Protection Officer
Canterbury City Council
Military Road
Canterbury
CT1 1YW
email@example.com

The purpose of the processing of personal data

Each notice below sets out the purposes for processing personal data in the case of each service. Generally, this will be for one or more of the following purposes:

- To perform our statutory functions
- To deliver services to you
- To manage those services we provide
- Confirm your identity
- Process financial transactions such as invoices, payments and benefits
- To train and manage the employment of our workers who deliver those services
- To investigate any complaints you have about our services
- To monitor spending on services
- To check the quality of services
- To plan services
- To produce statistics
- To prevent and detect fraud, corruption and crime
- To protect individuals from harm

The legal bases for processing

Each service specific privacy notice will identify one or more legal bases for the processing of personal information.
Generally, the legal reason will be one or more of the following:

- Consent
- The processing is necessary for the performance of a contract with you, or in order to take steps at your request prior to entering into a contract
- The processing is necessary for compliance with a legal obligation to which we are subject
- The processing is necessary in order to protect your vital interests or those of another individual
- The processing is necessary for the performance of a task carried out by us in the public interest or in the exercise of authority vested in us
- The processing is necessary for our legitimate interests or those of a third party. This will not apply to processing that we carry out in the performance of our tasks as a public authority

Recipient or categories of recipients of your personal information

We will generally only allow your personal information to be used by our staff who need it to perform their functions.

We have outsourced some of our services to either joint arrangements with other local authorities, arm’s length partly-owned companies, or private sector companies who provide services on our behalf. These organisations collect and use personal information on our behalf to provide services. We will need to supply your information to these organisations in order to supply a service to you. These are:

Dover District Council (EK Human Resources, aka EKHR)

A joint administrative arrangement between Canterbury City Council, Dover District Council and Thanet District Council hosted by Dover District Council which provides human resources and payroll services to us.

Thanet District Council (EK Services)

A joint administrative arrangement between Canterbury City Council, Dover District Council and Thanet District Council hosted by Thanet District Council which provides ICT services and services relating to revenues and benefits including management of our contract with Civica UK Ltd.
Thanet District Council are both our data processor and a joint data controller depending on the purpose of the processing.

Civica UK Limited

A private sector company which provides benefit services, income collection services, council tax and business rates administration and collection services and customer contact services to us. Civica UK Ltd are our data processor.

East Kent Housing Ltd

An arm’s length company, owned by Canterbury City Council, Dover District Council, The District Council of Folkestone and Hythe and Thanet District Council, which provides housing management services to the councils. East Kent Housing Ltd are our data processor. From October 2020, East Kent Housing ceased to provide housing management services to the councils, and each council took its housing management function back in house.

Google LLC

A private company, employed as a data processor by Canterbury City Council, who provides services such as, but not limited to, email, word processing, spreadsheets and electronic file storage.

Worldpay (UK) Ltd

A private sector company which provides services that allow us, Canterbury City Council, to receive payments by credit and debit cards. If you wish to pay Canterbury City Council by credit or debit card we will share your personal information, as required by Worldpay (UK) Ltd, to process your payment. Worldpay (UK) Ltd are a data controller. You can read Worldpay’s privacy notice on their website.

Other recipients

Personal information may also be shared with the police, the Department for Work and Pensions, HMRC and other councils when we are either permitted to or are required to by law.

We are a signatory to the Kent and Medway Information Sharing Agreement. The types of purposes for which it is legitimate to share your personal information are set out in the agreement.

We may share the personal information of our service users where it is fair and lawful to do so and where the sharing takes place in a transparent manner.
Our purposes for sharing information will be specified in our service specific privacy notices. We will not make your personal information available to companies for marketing purposes. We may share information with partners to achieve purposes that benefit you or the local community.

Intent to transfer personal data to a third country or international organisation

Should it be necessary to transfer personal information outside the European Economic Area, it will only be transferred to a third country or international organisation subject to appropriate safeguards such as, but not limited to, an Adequacy Decision, Standard Contract Clauses or Binding Corporate Rules.

The period for which the personal data will be stored, or if that's not possible, the criteria used to determine that period

We will only keep your personal information for as long as we consider that it is necessary to be retained. We have a data retention schedule which lists how long we intend to keep your personal information. We will review our data retention schedule from time to time and therefore the time periods specified in it may change. Once personal information is no longer needed it will be deleted or destroyed confidentially. You can view our retention schedules.

Rights of individuals whose information we hold

The right to be informed

We are required to supply you with information about the processing of your personal information through notices such as this one.

The right to access personal information that we hold about you

You have the right to obtain from us confirmation that your personal information is being processed and access to your personal information. This is so that you are aware of and can verify the lawfulness of processing. There is generally no charge for this. We will provide your personal information without delay and generally within one month of the receipt of your request.

The right to rectification of your personal information

You have the right to have any personal information which we hold about you rectified if it is inaccurate or incomplete. We will generally deal with your request within one month.

The right to erasure of your personal information (sometimes known as the ‘right to be forgotten’)

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request; for example, where we are under a legal obligation to process your personal information in order to perform a task in the public interest.

You have the right to have personal information erased and to prevent processing in specific circumstances:

- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
- When you withdraw consent
- When you object to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- The personal data has to be erased in order to comply with a legal obligation

The right to restrict processing of your personal data

You have the right to restrict processing of your personal information in certain circumstances. Where processing is restricted we are permitted to store your personal information but we may not process it further. We can retain just enough information about you to ensure that the restriction is respected in future.
The right to restrict arises in the following cases:

- Where you contest the accuracy of your personal information, we may restrict the processing until we have verified the accuracy of the personal data
- Where you have objected to the processing (where it was necessary for the performance of a public interest task), and we are considering whether our legitimate grounds override yours
- When processing is unlawful and you have opposed erasure and requested restriction instead
- If we no longer need your personal information but you require the personal information to establish, exercise or defend a legal claim

The right to information portability

You have the right to obtain from us and reuse your personal information for your own purposes where you have provided the information to us yourself, where we process the information by automated means and where our basis for processing is based on consent or contract. Where this right applies we will provide you with your personal information in a structured, commonly used and machine readable form.

The right to object

You have a right to object to:

- processing based on the performance of a task in the public interest or exercise of official authority
- processing based on our legitimate interests or those of a third party
- direct marketing (including profiling relating to direct marketing)
- processing for purposes of scientific or historical research and statistics

Where the objection is towards processing your personal information for direct marketing purposes we must stop processing your personal information when we receive your objection.

Where the objection is regarding the processing of your personal data for the performance of a public interest task we must stop processing your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or the processing is for the establishment, exercise or defence of legal claims.
Where the objection is regarding the processing of your personal data for research purposes we do not have to comply with your objection where the processing of your personal information is necessary for the performance of a public interest task.

Rights related to automated decision making including profiling

Where we use automated decision making including profiling the service specific privacy notice will explain the logic involved, the significance and the potential consequences for you.

The right to withdraw consent

Where the legal basis for processing your personal information is consent, you have the right to withdraw your consent at any time. If you withdraw your consent it may not be possible to continue to provide you with that service.

The right to lodge a complaint

If you wish to complain about how we are processing your personal information please contact:

Canterbury City Council
Military Road
Canterbury
CT1 1YW
Email: firstname.lastname@example.org

You also have the right to complain to the Information Commissioner’s Office at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 or 01625 545745
www.ico.org.uk

The consequences of failing to provide personal information

There are occasions when you must provide personal information. Where such an obligation exists either as a statutory or contractual requirement or a requirement necessary to enter into a contract, the service specific privacy notices will tell you and explain the possible consequences of failure to do so.

Processing personal information for a purpose other than that for which it was originally collected

Where we intend to process your personal information for a purpose other than that for which the personal data was collected, we will provide you with information on that other purpose before doing so.

Personal information about you which you have not provided to us

Sometimes we hold information about you which you have not provided to us.
Where this is the case we will tell you in the service specific privacy notice. We will tell you the source of the information unless it is not possible to do so. If the specific source is not named then information will be provided about the nature of the sources (i.e. publicly or privately held sources) and the types of organisation, industry or sector.

Service privacy notices

We've also published privacy notices for our services.