UK GDPR privacy notices - Financial Services Privacy Notice

Introduction

The Financial Services Team has provided this privacy notice to help you understand how we collect, use and protect your information whilst we provide you with payment for the supply of goods and services to the council, collect sundry debt income owed to the council and manage insurance claims made against the council.

The document below will describe how we may collect and process your personal information.

The purpose of this document is to clearly acknowledge the council’s responsibilities in relation to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Definitions

Personal data means any information related to an identified or identifiable natural (living) person (‘data subject’) i.e. a person that can be directly or indirectly identified by reference to a name, ID reference number, email address, location data, or physical, physiological, genetic, mental, economic, cultural or societal identifier.

Special personal data, previously known as ‘sensitive personal data’, relates to race, ethnic origin, politics, religion, trade union membership, genetic data, biometric data, health, sex life or sexual orientation. Records of criminal personal data must also be treated in a similar way.

Data Controller determines the purposes and means of processing personal data.

Data Processor is responsible for any operation which is performed on personal data on behalf of the controller, e.g. collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

Third Party is someone/somebody who is not the Data Controller, the Data Processor or the Data Subject.

Who we are

The various functions of the Financial Services Team include:

  • processing payments to suppliers for their supply of goods and services to the council
  • making payments for grants awarded to individuals and organisations
  • processing refunds as and when necessary
  • the collection of payments made for Council Tax, Non Domestic Rates, Housing Benefit overpayments, licence fees and planning applications etc. which are notified to the relevant service teams in the council
  • the collection of sundry income due to the council for goods and services it has supplied to customers
  • making payments for sales sundry invoice overpayments
  • managing insurance claims made against the council

The council is the ‘data controller’ for the information which is collated and processed. This means we are responsible for deciding how we can use your information. If you want more information regarding the services delivered, please go to our website.

The council regards lawful and correct treatment of personal information as critical to their successful operations, maintaining confidence between the council and those with whom they carry out business. The council will ensure that they treat personal information correctly in accordance with the law.

The service we provide is contractual and statutory. The laws the service is governed by are:

  • Local Government Finance Act 1992
  • HMRC – Compliance Handbook Manual CH15400
  • The Income Tax (Construction Industry Scheme) Regulations 2005
  • The Limitation Act 1980
  • The Civil Procedure Rules 1998
  • The Civil Procedure (Amendment No.6) Rules 2013 and ‘EL/PL Protocol’

The Data Protection Officer for ESC is Siobhan Martin, Head of Internal Audit, and can be contacted at dataprotection@eastsuffolk.gov.uk.

How the law protects you

UK GDPR says that we are allowed to use personal information only if we have a proper reason to do so. More information on how the law protects you can be found on the East Suffolk website.

Our responsibilities

UK GDPR sets out our main responsibilities for processing personal data. All personal information provided by you is held securely and in confidence by us in our computerised and other records. When we process your personal information, we do so in compliance with UK GDPR. For further information on our responsibilities, please see our website.

Your rights

The UK GDPR and DPA 2018 provide you with the following rights:

  • The right to be informed: You have the right to be informed about the collection and use of your personal data, and this is outlined in this privacy notice.
  • The right of access: You have the right to request access to the personal data we may hold about you. This is undertaken using a Subject Access Request.
  • The right to rectification: You have the right to request that inaccurate personal data we hold is rectified.
  • The right to erasure: In certain circumstances, you have ‘the right to be forgotten’ and have your personal data erased.
  • The right to restrict processing: In certain circumstances, you have the right to request the restriction or suppression of your personal data.
  • The right to data portability: In certain circumstances, you have the right to request to obtain your own personal data for your own use or to give to other organisations.
  • The right to object: In certain circumstances, you have the right to object to your personal data being collated, stored and processed.
  • Rights in relation to automated decision making and profiling: You have the right to request that we do not make our decisions based solely on an automated process, and you can object to an automated decision and ask that a person reviews it in certain circumstances.
  • The right to withdraw consent: In our discretionary service provisions, you have the right to withdraw your consent at any time.
  • The right to complain: You have the right to complain through our complaints procedure, and then to the Information Commissioner.

Any requests in relation to your rights with regard to the personal data we hold should be made verbally or in writing to the Data Protection Officer. For further information on your rights, please see the ICO website.

Your responsibilities

You are responsible for making sure you give us accurate and up-to-date information, and for letting us know if any personal information we hold is incorrect.

When do we collect information about you?

We collect information about you from different places, including:

  • setting up and maintaining supplier accounts in order to make a payment for the supply of goods and services to the council
  • setting up and maintaining customer accounts in order to make a grant payment
  • setting up and maintaining customer accounts in order to process refunds
  • recording entries in the cashbook for payments made for Council Tax, Non Domestic Rates, Housing Benefit overpayments, licence fees and planning applications etc. which are notified to the relevant service teams in the council
  • setting up and maintaining customer accounts to collect sundry income for goods or services provided by the council
  • making payments for sales sundry invoicing overpayments
  • when an insurance claim has been made against the council

What information do we maintain?

The information about you which we will maintain will include:

Setting up and maintaining supplier accounts in order to make a payment for the supply of goods and services to the council:

  • Name and address
  • Bank details in order to make a BACs payment
  • Email address to dispatch remittance advice to if available
  • Contact telephone number if available
  • Additional contact details if necessary e.g. placing orders
  • VAT registration number if applicable
  • Scanned copy of invoice or credit note

Setting up and maintaining customer accounts in order to make a grant payment:

  • Name and address
  • Bank details in order to make a BACs payment
  • Email address to dispatch remittance advice to if available
  • Contact telephone number if available
  • Additional contact details if necessary
  • VAT registration number if applicable
  • NDR account number if applicable
  • Scanned copy of grant application to support the payment

Setting up and maintaining customer accounts in order to process refunds for Housing Rents and Planning Applications:

  • Name and address
  • Bank details in order to make a BACs payment
  • Email address to dispatch remittance advice to if available
  • Contact telephone number if available
  • Additional contact details if necessary
  • VAT registration number if applicable
  • Scanned copy of refund application to support the payment

Recording entries in the cashbook for payments made for Council Tax, Non Domestic Rates, Housing Benefit overpayments, licence fees and planning applications etc. which are notified to the relevant service teams in the council:

  • On-line credit/debit card payments: Name and address of the cardholder, and their card details to process the payment
  • Customer in attendance credit/debit card payments: Cardholder name and their card details to process the payment
  • Direct bank payments: The reference provided by the customer making the payment which usually includes their name
  • Cheque payments: Customer name and the cheque account name, account number, sort code, and cheque number
  • Cash payments: Customer name

Setting up and maintaining customer accounts to collect sundry income for goods or services provided by the council:

  • Name and address
  • Email address to dispatch statements to if available
  • Contact telephone number if available
  • VAT registration number if applicable
  • Scanned copy of sales order if applicable

Making payments for sales sundry invoice overpayments:

  • Name and address
  • Bank details in order to make a BACs payment
  • Email address to dispatch remittance advice to if available
  • Contact telephone number if available
  • VAT registration number if applicable
  • Scanned copy of original payment to support the refund

Management of insurance claims made against the council:

  • Name and address of claimant
  • Details of the incident leading to the claim
  • Details of location and date of the incident
  • Name and address of claimant’s solicitors (if applicable)
  • Scanned copies of all documentation and correspondence provided by the claimant to support the claim

The data for the management of insurance claims may be collected from data subjects who are below the age of 16. The courts do not permit a minor to make a claim. In the event of such a claim being made it will be returned requesting the claim be submitted by a ‘Litigation Friend’ (this will normally be a parent or legal guardian) as required by the Limitation Act 1980.

How do we use your information?

We will be using your information to:

  • process payments to you for goods and services you have provided to the council
  • process payments to you for grants you have been awarded
  • process refunds as and when necessary
  • record your payments made for Council Tax, Non Domestic Rates, Housing Benefit overpayments, licence fees and planning applications etc. to notify the relevant service teams of the payment in the council
  • raise invoices to you for the collection of income due to the council for goods and services it has provided to you
  • process payments to you in the event of overpayment of a sales sundry invoice
  • manage an insurance claim you have made against the council

We will not use your personal data for purposes other than those for which it was collated unless we have obtained your consent or for other lawful purposes (e.g. detection and prevention of fraud).

How long do we keep your information?

Records of payments made to and by the council

In line with the council’s Retention Policy and in compliance with the HMRC Compliance Handbook CH15400 we will hold your personal information for six years plus current year once you cease to be a customer or supplier.

Information collected under the Construction Industry Scheme (CIS) will be retained for three years after the end of the tax year under HMRC rules.

Insurance claims against the Council

Personal and special information collected to support Public Liability claims involving a minor will be retained for 3 years after the minor reaches the age of majority in line with the Limitation Act 1980.

Personal and special information collected for Employers Liability and Public Liability claims, relating to personal injury, will be retained for up to a maximum of 5 to 6 years. This time period includes the 3 years a claimant has from the date of the incident in which to submit court proceedings under The Limitation Act 1980, time for the court proceedings to take place, and an 18 month period after the claim is closed to reasonably permit appeals. Under normal circumstances the actual retention period will be much shorter being 18 months after the claim is closed.

Personal information collected for Public Liability claims relating to damage to property will be retained for up to a maximum of 8 to 9 years. This time period includes the 6 years a claimant has from the date of the incident in which to submit court proceedings under The Limitation Act 1980, time for the court proceedings to take place, and an 18 month period after the claim is closed to reasonably permit appeals. Under normal circumstances the actual retention period will be much shorter being 18 months after the claim is closed.

Personal information collected for other claims relating to financial loss and/or general compensation (e.g. Officials Indemnity, Libel and Slander, Public Health Act, and Land Charges) will be retained for up to a maximum of 8 to 9 years. This time period includes the 6 years a claimant has from the date of the loss in which to submit court proceedings under The Limitation Act 1980, time for the court proceedings to take place, and an 18 month period after the claim is closed to reasonably permit appeals. Under normal circumstances the actual retention period will be much shorter being 18 months after the claim is closed.

Covid Business Support Grants

Records will be retained for 10 years after the grant is awarded. This is in accordance with the Department for Business, Energy & Industrial Strategy (BEIS) Grant Funding Schemes Assurance Guidance for Local Authorities.

Data sharing

We will share your personal information with:

Records of payments made to or by the council, and records of customer and supplier accounts:

  • Other service teams within the council to permit them to complete their duties under the Local Government Act 1972
  • The council’s appointed auditors under the Local Audit and Accountability Act 2014
  • The council’s accounting software providers under a maintenance services contract for fault finding and correction, and development purposes
  • Enforcement agencies
  • Covid Business Support Grant data will be shared with the Department for Business, Energy & Industrial Strategy (BEIS). Please refer to the BEIS Privacy Notice for details of the purpose of the data sharing

Insurance claims made against the council

Zurich Municipal is contracted to the council for the provision of insurance claims handling services and all information provided is shared with them. The claim and supporting documentation will be forwarded to our insurers within 24 hours of receipt in line with Civil Procedure (Amendment No.6) Rules 2013 and ‘EL/PL Protocol’.

Where a claim results in a civil court case all information will also be shared with the barristers instructed by Zurich Municipal (normally Weightmans LLP) and the claimant’s legal team under The Civil Procedure Rules 1998 Part 31 governing disclosure.

Transferring your information overseas

Records of payments made to or by the council, and records of customer and supplier accounts

We do not transfer any personal information outside of the European Economic Area (EEA).

Insurance claims made against the council

Zurich Municipal is contracted to the council for the provision of claims handling services. Their computer servers and data storage are located in Switzerland. We rely on the European Council's decision (2000/518) which recognises Switzerland as providing adequate protection in respect to data protection.

National Fraud Initiative (NFI)

We may share information provided to us with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud. For further information, see the East Suffolk website.