Record of Processing Activities

Article 30 UK General Data Protection Regulation (UK GDPR)

Name and contact details of the Controller

East Suffolk Council, East Suffolk House, Riduna Park, Station Road, Melton, Woodbridge, Suffolk, IP12 1RT

Website: www.eastsuffolk.gov.uk | Telephone: 03330 162 000 | Email: dataprotection@eastsuffolk.gov.uk

Joint Data Controllers and contact details

East Suffolk Council does not operate with any joint data controllers.

Name and contact details of the Data Protection Officer

Siobhan Martin - Head of Internal Audit and Data Protection Officer. Email: dataprotection@eastsuffolk.gov.uk Phone: 01394 444488

Description of processing

The following is a broad description of the way East Suffolk Council processes personal information. To understand how your own personal information is processed you may refer to any personal communications you have received and check any privacy notices the organisation has provided.

Reasons/purposes for processing information

We process personal information to enable us to provide a range of government services to local people and businesses which include:

  • maintaining our own accounts and records
  • supporting and managing our employees
  • promoting and administering the services we provide
  • marketing our local tourism
  • carrying out health and public awareness campaigns
  • managing our property
  • providing leisure and cultural services
  • support in the provision of education (Suffolk County Council are responsible for education)
  • carrying out surveys and consultations
  • processing planning applications and appeals
  • managing planning enforcement
  • monitoring Section 106 Agreements
  • management of landscaping
  • Rights of Way related activity
  • administering the assessment and collection of taxes and other revenue including benefits and grants
  • licensing and regulatory activities
  • local fraud initiatives
  • the provision of safeguarding and support in the provision of social services (Suffolk County Council are responsible for the delivery of social services)
  • crime prevention and prosecution of offenders including the use of CCTV
  • corporate administration and all activities we are required to carry out as a data controller and public authority
  • undertaking research
  • the provision of all commercial services including the administration and enforcement of parking regulations and restrictions, the council’s garden waste service and the provision of leisure services
  • the provision of all non-commercial activities including refuse collections from residential properties
  • internal financial support and corporate functions
  • managing archived records for historical and research reasons
  • data matching under local and national fraud initiatives
  • debt administration and factoring
  • the use of CCTV systems for public safety, protection of life and property and enforcing Public Space Protection Orders
  • protection of life and property
  • management of information technology systems
  • information and databank administration
  • public health
  • prevention and control of disease within the community
  • occupational health and welfare
  • producing and distributing printed material
  • management of public relations, journalism, advertising and media (including social media)
  • sending promotional communications about the services we provide
  • enabling us to buy, sell, promote and advertise our products and services
  • fundraising
  • any duty or responsibility of the local authority arising from common or statute law.

Description of the categories of data subjects

We process personal information about:

  • residents (and their households)
  • carers or parents of children
  • customers
  • suppliers
  • employees (and their next of kin)
  • persons contracted to provide a service (and their next of kin)
  • claimants
  • councillors
  • complainants, enquirers or their representatives
  • professional advisers and consultants
  • students and pupils
  • carers or representatives
  • landlords
  • recipients of benefits and grants
  • witnesses
  • offenders and suspected offenders
  • licence and permit holders
  • traders and others subject to inspection
  • people captured by CCTV images
  • representatives of other organisations
  • donors and potential donors to charitable causes
  • consultation participants
  • objectors and supporters of planning proposals

Categories of personal data

We process information relevant to the above reasons/purposes which may include:

  • personal details (name, date of birth, address, contact details, national insurance number, tenancy history, gender, signature, immigration status, marital status)
  • nationality, citizenship status or right to residency/work
  • identity information (passports, driving licences, birth certificates)
  • vehicle information
  • social media data
  • family/household details/emergency contact details
  • lifestyle and social circumstances
  • goods and services
  • financial details inc. bank account details/statements, credit history, pension details, mortgage details
  • employment and education details
  • housing needs
  • visual images (inc. CCTV and photographs), personal appearance and behaviour
  • licences or permits held
  • student and pupil records (but not specific to schools)
  • business activities
  • case file information
  • charitable interests

We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • trade union membership
  • political affiliation
  • political opinions
  • offences (including alleged offences)
  • religious or other beliefs of a similar nature
  • criminal proceedings, outcomes and sentences
  • biometric data
  • genetic data
  • sexual life/sexual orientation

Categories of recipients to whom personal data have been or will be disclosed

We sometimes need to share information with the individuals we process information about and other organisations. Where this is necessary, we are required to comply with all aspects of the Data Protection Act 2018. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons. Where allowed by law, necessary, or required by law we may share information with:

  • customers/service users
  • residents
  • members of the public
  • family, associates or representatives of the person whose personal data we are processing
  • current, past and prospective employers
  • healthcare, social and welfare organisations
  • educators and examining bodies
  • providers of goods and services
  • financial organisations
  • external auditors
  • the council’s insurers
  • debt collection and tracing agencies
  • private investigators
  • service providers
  • grant and funding providers
  • local and central government
  • Members of Parliament
  • ombudsmen and regulatory authorities
  • press and the media
  • professional advisers and consultants
  • courts and tribunals
  • DVLA
  • Traffic Enforcement Centre
  • trade unions
  • political organisations
  • credit reference agencies
  • professional bodies
  • survey and research organisations
  • police forces
  • housing associations and landlords
  • voluntary and charitable organisations
  • religious organisations
  • students and pupils including their relatives, guardians, carers or representatives
  • data processors
  • other police forces, non-home office police forces
  • regulatory bodies
  • emergency services
  • courts and prison service
  • HM Customs and Excise
  • National Anti-Fraud Network (NAFN)
  • international law enforcement agencies and bodies
  • security companies
  • partner agencies, approved organisations and individuals working with the police
  • licensing authorities
  • healthcare professionals
  • law enforcement and prosecuting authorities
  • legal representatives and defence solicitors
  • the Police Complaints Authority
  • the Disclosure and Barring Service
  • the Health and Safety Executive
  • Public Health England
  • charities and not for profit partners

In addition:

  • The council’s Full Electoral Register must be made available to the individuals and bodies named in the Electoral Services Privacy Notice.
  • Your personal information collected in relation to the Planning (Development Management) service may be made available to the bodies named in the Planning (Development Management) Privacy Notice.

Transfers of personal data to a third country and safeguards

It may sometimes be necessary to transfer personal information overseas. Any transfers made will be in full compliance with all aspects of the Data Protection legislation.

We have additional protections on your information if it leaves the UK, ranging from secure ways of transferring data and undertaking risk assessments on the systems being used to ensuring we have a robust contract in place with the third party.

We will take all practical steps to make sure your personal information is not sent to a country that is not seen as “safe” either by the UK or EU Governments.

Transfers may take place when:

  • technical and organisational security measures have been put in place via a contract; or
  • with the consent of the data subject; or
  • where required by law.

Retention schedules for the different categories of personal data

We will hold your personal information in accordance with statutory responsibilities and contractual requirements. If you have supplied personal information for a discretionary service, the period of time the data will be held will be detailed within the Privacy Notice at the point of data collection. Further information on how long your information will be held can be found in each service area’s privacy notice, available on the council’s website.

Once your information is no longer needed, it will be securely and confidentially destroyed.

Technical and organisational security measures

The council has a robust suite of security controls and ICT Security Policies in place to demonstrate the security measures that ensure personal data relating to service users is protected from accidental loss or alteration, inappropriate access, misuse or theft.

The council meets stringent security controls and has a number of standards that we meet and adhere to, such as, but not limited to, strict Payment Card Industry Data Security Standards (PCI-DSS) and annual IT health checks. Cyber Essentials Plus is also held by the council’s Port Health service.

Access to your records is only available to those who have a right to see them. Examples of further security include:

  • encryption
  • pseudonymisation
  • anonymisation
  • business continuity planning and resilience planning including backups
  • robust security updates including timely patching and antivirus software
  • user access controls
  • physical security, e.g. restricted access to site locations and clear desk policy
  • penetration testing
  • risk assessment
  • Data Protection Impact Assessments
  • staff training
  • contractual requirements

All East Suffolk Council contracts will require any data processor to also keep a record, in writing, of the above when processing data on behalf of the Council, unless it is an enterprise or organisation that employs fewer than 250 people and:

  • the processing it carries out is unlikely to result in a risk to the rights and freedoms of data subjects;
  • the processing is occasional; or
  • the processing does not include special categories of data or personal data relating to criminal convictions and offences.

This written Record of Processing Activities shall be made available to the relevant supervisory authority on request.