General privacy notice
The purpose of this document
Norfolk County Council (the County Council) is committed to protecting the privacy and security of your personal information. By personal information, we mean information which, by itself or with other data available to the County Council, can be used to identify you.
This general privacy notice serves as a privacy notice:
- Under the UK General Data Protection Regulation (GDPR) for the County Council's statutory functions relating to, for example, education, highways, transport planning, passenger transport, social care (children and adults), libraries, waste disposal and strategic planning
- Under Part 3 of the Data Protection Act 2018 (the DPA) for the County Council's statutory functions relating to law enforcement
In summary, this privacy notice:
- Sets out how we promise to look after your personal information
- Describes how we collect, use and share your personal information, and
- Tells you about your privacy rights and how the law protects you
This privacy notice covers personal information we collect about:
- Visitors to our website
- People who use our services, for example, persons who receive services from us to help remaining at home
- People who complain about any aspect of a service we provide
- People who are subject to or have a connection with enforcement related activity
Who we are
The County Council is the "data controller" for the personal information held by the County Council. This means that we are responsible for deciding how we "process" (that is, collect, hold, use and disclose) your personal information.
Our address is Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2UA.
The kind of information we hold about you and who provides it
Personal information can include, but is not limited to, your name, address, telephone number, date of birth, and bank details which can be found within records that the County Council holds which may include electronic records, letters, emails, photographs, audio recordings and video recordings. It does not include information where the identity has been removed and you cannot be identified by this information and by any other information held by the County Council (anonymous information).
We may also hold more sensitive personal data known under the GDPR as "special categories" and under the DPA as "sensitive processing". Special category data and sensitive data is personal data revealing:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and bio-metric data
- Sex life or sexual orientation
- Health including disabilities
Under the GDPR and DPA we may also collect information relating to criminal offences and criminal convictions.
You can read the County Council's policy setting out our procedures for compliance with the data protection principles and the retention and erasure of this data in respect of:
- Special category data and information relating to criminal offences and criminal convictions under the GDPR
- Sensitive data for law enforcement purposes under the DPA
We may collect personal information about you from yourself directly or other individuals or organisations.
You can see more detail the kind of information we hold about you in relation to each County Council service and who we receive that information from can be found in our privacy notices for council service areas.
Use of data for planning and commissioning purposes
Organisations providing health and social care services within Norfolk and Waveney must submit certain information to its local Integrated Care Board, which is used to plan, commission, and monitor the performance of services. These are known as national and commissioning datasets and do not directly identify you as an individual, therefore the National Data Opt-Out does not apply to these data sets.
Norfolk County Council receives these datasets from NHS Norfolk and Waveney Integrated Care Board for the purposes of ensuring patients receive quality, effective and equitable care. If we have an existing direct care relationship with you and we intend to offer further care, we may request via NHS England to reidentify you from these datasets.
What we use your personal information for
We use your personal information to:
- Provide County Council services and anything we must do by law
- Carry out our regulatory, licensing and enforcement roles
- Make payments, grants and benefits
- Act in connection with the prevention, detection and investigation of fraud
- Assess how much you must pay towards your County Council service if a charge is made for the service
- Listen to your ideas about the County Council's services
- Deal with complaints
- Tell you about the County Council's services.
In some cases, you may be under a statutory or contractual obligation to provide information to the County Council. Further detail of where this applies and the consequences of not providing it, together with information about why we use your personal data in relation to each of the County Council's services can be found in our privacy notices for council service areas.
How the law protects you and the legal basis for processing your information
The GDPR and DPA place a legal obligation on us to process your personal information in accordance with the following data protection principles in that your personal data must be:
- Used lawfully, fairly and in a transparent way
- Collected only for valid purposes that we have explained to you and not used in any way that is incompatible with those purposes
- Relevant to the purposes we have told you about and limited only to those purposes
- Accurate and kept up to date
- Kept only as long as is necessary for the purposes we have told you about
- Kept securely
There must also be a lawful basis for processing personal information - a justifiable reason for us to collect, store, use and disclose your personal information. Our lawful basis for doing so will depend on what services we are providing to you, and what type of information we process about you, for example, an additional basis is required for 'special category' data described above.
The basis we process your information may include:
- Under GDPR:
- Necessary for the performance of a task in the public interest. There are statutory duties placed on and statutory powers provided to the County Council by various pieces of legislation including the Children Act 1989, the Care Act 2014, various education acts and Local Government Acts, the Localism Act 2011 and the Local Audit and Accountability Act 2014. Further detail about our legal duties and powers in relation to each County Council service can be found in our privacy notices for council service areas.
- Necessary for the performance of a contract we may have with you
- You consent/agree to the processing. The County Council will tell you if processing some of your personal data is not necessary to comply with a public task or to fulfil a legal duty or to fulfil a contract and is therefore optional. In these circumstances, we may ask for your consent to process it. The GDPR sets higher standards in relation to obtaining your consent to process your personal information. We have an obligation to ensure that when consent is required from you it is done so in a manner which is clear.
- Under the DPA
- For law enforcement purposes
- You consent to the processing
We also process special category information and information about criminal offences/convictions under the GDPR and sensitive personal information under the DPA.
The grounds for processing special category and criminal convictions data under the GDPR and sensitive data under the DPA differs from the grounds set out above. We have therefore set out our grounds for processing in relation to each County Council service and this can be found in our privacy notices for council service areas.
Who we share your personal data with
We may share your data with other services within the County Council so that we can keep our information on you as up-to-date as possible and so that we can improve our services to you. For example, if you tell the Customer Services Team that you have moved, they will update your records and inform other parts of the County Council that may be providing you with a service. Details of where we will do this can be found in our privacy notices for council service areas.
We may also share your personal data with, and receive your personal data from, organisations and individuals outside of the County Council. Further detail about data sharing in relation to each County Council service can be found in our privacy notices for council service areas.
Additionally, your personal information can be provided to a third party contracted by the County Council to provide a service to the Council or directly to you. These service providers are known as data processors and also have a legal obligation under GDPR and DPA and to the County Council to look after your personal information and only use it for providing that service. An example of this is the County Council uses a case management system operated by a data processor for its social care services.
If we transfer your personal information to other countries
Your personal information may be transferred outside of the UK and the European Economic Area. While some countries have adequate legal protections for personal data, in other countries steps will be necessary to ensure appropriate safeguards apply to the information. These include imposing contractual obligations to ensure that these safeguards apply. You can find details of what information the County Council may transfer to countries outside of the European Economic Area and the safeguards that apply in our privacy notices for council service areas.
How long we use your information for
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To work out the right retention period for personal data, we consider the following matters:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorised use or disclosure of your personal data
- The purposes for which we process your personal data and whether we can achieve those purposes through other means, and
- Any legal or regulatory requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you no longer require services from us, we will retain and securely destroy your personal information in accordance with our data retention schedule.
Automated decision making
We may, in order to improve the efficiency and effectiveness of services, use automated decision-making processes, including profiling. If an automated decision is made about you that is significant (one that has a legal effect, or otherwise significantly affects you) you will be notified of this, together with your rights to challenge this decision.
Details of where and how the Council carries out automated decisions can be found in our privacy notices for council service areas.
Your responsibility to inform us of changes
It is important that the personal information we hold about you is accurate and current.
Please keep us informed if your personal information changes during your working relationship with us. You can do to help us with this by:
- Telling us when any of your details change; and
- Telling us if any of the information we hold on you is wrong
Your rights under the GDPR
You have the following rights (but note, these rights do not apply in all circumstances):
- Your right to be informed about the processing of your personal information. This is the purpose of this notice.
- Your right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
- Your right to object to the processing of your personal data
- Your right to restrict processing of your personal information
- Your right to have your personal data erased ("the right to be forgotten"). As above, please note this right is subject to several restrictions, which we will discuss further with you if you choose to exercise it.
- The right to move, copy or transfer your personal information ("data portability"). This only applies to personal data processed under the GDPR and only in certain limited circumstances. This right does not apply to personal data processed under the DPA.
- Rights to be notified of, object to and challenge any automated decision made in respect of you, including profiling
- Your right to request access to your personal information and information about how the County Council processes it
- Your right to withdraw any consent you have given for the processing of personal data at any time
If you want to exercise any of these rights, please contact the Information Compliance Team by:
- Emailing the Information Compliance Team on information.management@norfolk.gov.uk
- Writing to the Information Compliance Team, Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2UA
Questions or complaints
If you have any questions about this privacy notice or how we handle your personal information, you can write to the DPO by letter to the DPO, Norfolk County Council, County Hall, Martineau Lane, Norwich NR1 2DH or by email to dpo@norfolk.gov.uk.
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. The ICO can be contacted:
- By writing to the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- By telephoning 0303 123 1113
- Online at ico.org.uk/global/contact-us/
Links to other websites
Where this notice applies to information collected or processed on a website, please note this privacy notice only applies to the County Council's website and ceases to apply when you leave our pages. If you follow links to other organisations websites, even if you follow a link which we have provided, it is suggested you take the time to read the privacy notices on the websites you visit.
Changes to this privacy notice
We may amend this privacy notice at any time so please review it frequently. The date below will be amended each time this notice is updated.
This notice was last updated on 03 April 2023.