Privacy and Data
This Privacy Notice provides detailed information relating to the protection of your personal data on the Cumberland Family Hubs website hosted by Cumberland Council.
Purpose of this Privacy Notice
The purpose of this Privacy Notice is to let you know how we process your Personal Data when you visit our website. This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store and disclose it when you use our website. This Privacy Notice also contains information about your rights under applicable data protection legislation.
We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.
It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.
Personal data
UK GDPR defines personal data as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Ensuring the privacy of your personal data
In this section, there is a list of services we provide. Under each service, there is further information about who we may share your personal data with and why.
We have a Data Protection Officer who ensures that we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal data, contact the Data Protection Officer, dataprotection@cumbria.gov.uk
Collection and use of your personal data
We collect and use your personal data to the extent necessary within the framework of our activities.
We may collect various types of personal data about you including:
- identification information (for example, name, ID card and passport numbers, nationality, place and date of birth, gender, photograph)
- contact information (for example, postal address and email address)
- family situation (for example, marital status, number of children)
- education and employment information (for example, level of education, employment status, employer’s name)
- banking, financial and transactional data (for example, bank account details, credit card number)
- information related to your digital activities (for example, IP address, browsing activity, location etc.)
- data relating to your habits, and preferences
- data which relates to your use of our services
- data from interactions with us, our internet websites, social media pages, meetings, calls, emails, interviews and phone conversations
- data concerning your hobbies and interests
We do not ask for personal data that is related to your religious or philosophical beliefs, ethnicity, physical or mental health, political opinion related to a trade union membership, genetic or biometric data, criminal history, or sexual orientation, unless it is needed to discharge a legal obligation, or is required by law for statistical research purposes. In this event, this data would be treated as Highly Confidential (Special Personal Data) and would not have an impact on your entitlement to council services.
The personal data we use about you may either be directly provided by you or obtained from other sources such as:
- websites or social media containing information made public by you
- databases made available by official authorities
- databases made publicly available by third parties
In certain circumstances, we collect and use the personal data of individuals with whom we have, could have, or used to have a direct relationship. In addition, we may collect information about individuals who have not had a direct relationship with us. For example, this could have been obtained from:
- family members
- legal representatives
- commercial partners
- personal contacts
Use of your personal data
We use your personal data in order to:
- deliver services and support to you
- manage the services we provide to you
- train and manage the employment of our workers who deliver those services
- help investigate any worries or complaints you have about your services
- keep track of spending on services
- check the quality of services
- to help with research and planning of new services
Legal basis of collecting and using your personal data
Each privacy notice in this section provides greater detail, but in general, we collect and use your personal data where:
- you, or your legal representative, have given consent
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to deliver health or social care services
- you have made your information publicly available
- it is necessary for legal cases
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes
If we have consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, contact dataprotection@cumbria.gov.uk and tell us which service you’re using so we can deal with your request.
Sharing your personal data
Where we can, we will only collect and use personal information if we need it to deliver a service or meet a requirement.
If we use your personal information for research and analysis, we will ensure you remain anonymous or use a different name unless you’ve agreed that your personal information can be used for that research.
We do not sell your personal information to anyone else.
We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with the data protection law.
Where required we will complete a Data Privacy Impact Assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law. Sometimes we have a legal duty to provide personal information to other organisations, service providers or partners.
Your privacy and the security of sharing this information will always be checked before we share such information. Examples are:
- providers of goods and services
- local and central government, and other public bodies
- Ombudsmen and regulatory authorities
- health bodies in the local area and sometimes nationally (NHS Trusts, GPs)
- partners that are part of national or regional improvement projects
We may also share your personal information when we feel there’s a good reason that is more important than protecting your privacy. This doesn’t happen often, but we may share your information:
- to find and stop crime and fraud
- if there are serious risks to the public, our staff or other professionals
- to protect a child
- to protect adults who are thought to be at risk
The risk must be serious before we can override your right to privacy.
If we are worried about your physical safety or feel we need to act to protect you from being harmed in other ways, we’ll discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to others is serious enough to do so. There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we’ll make sure that we record what information we share and our reasons for doing so. We will keep you informed of what we have done and why if we it is safe to do so.
Protecting your personal data
In order to protect your Personal Data, we put in place appropriate organisational and technical security measures. These measures include ensuring our internal IT systems are suitably secure and implementing procedures to deal with any suspected data breach.
We will make every effort to ensure that we hold records about you (on paper and electronically) in a secure way, and we will only make these records available to those who have a right to see them. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- Pseudonymisation means that we’ll use a different name, so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
- Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
- Training for all of our staff in order to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date with the latest security updates (commonly called patches)
In the unlikely event of a data breach, we will take steps to mitigate any loss or destruction of data and, if required, will notify you and any applicable authority of such a breach. Although we use appropriate security measures once we have received your Personal Data, you will appreciate that the transmission of data over the internet (including by email) is never completely secure. We endeavour to protect Personal Data, but we cannot guarantee the security of data transmitted to or by us.
How long we keep your personal data
We will only keep your Personal Data for as long as is necessary to fulfil the purposes we collected it for, which may include satisfying any legal, accounting, or reporting requirements. The retention period depends on the type of Personal Data and the reason we are processing it. Details will be included in our retention schedule.
When calculating the appropriate retention period for your data, we consider the nature and sensitivity of the data, the purposes for which we are processing the data, and any applicable statutory retention periods. Using these criteria, we regularly review the Personal Data which we hold and the purposes for which it is held and processed.
When we determine that Personal Data can no longer be retained (or where we must comply you request us to delete your data in accordance with your right to do so) we ensure that this data is securely deleted or destroyed.
Where we hold your personal data and how it's transferred
Most personal data is stored on systems in the UK. In the case where there is a need to transfer personal data within Europe, adequate protection is currently in place. For all other personal data transfers, we will either ensure that robust contractual clauses are in place and seek to use an appropriate safeguard such as Standard Contractual Clauses or an International Data Transfer Agreement. In some cases, we may seek advice from the Information Commissioners Office (ICO).
We will take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.
Your rights and how you can you exercise them
You have rights under the data protection legislation and, subject to certain legal exemptions, we must comply when you inform us that you wish to exercise these rights. There is no charge, unless your requests are manifestly unfounded or excessive. In such circumstances, we may make a reasonable charge or decline to act on your request. Before we action your request, we may ask you for proof of your identity. Once in receipt of this, we will process the request without undue delay and within one calendar month.
In order to exercise your rights contact the Data Protection Officer at dataprotection@cumbria.gov.uk
You can contact us if you wish to complain about how we collect, store and use your Personal Data. It is our goal to provide the best possible remedy with regard to your complaints.
However, if you are not satisfied with our answer, you can also contact the relevant competent supervisory authority. In the UK, the relevant supervisory authority is the ICO, contact details of which can be found below.
To access
You can obtain information relating to the processing of your personal data. We would normally expect to share any information we record about you whenever we assess your needs or provide you with a service. However, you also have the right to request such information. We cannot let you see confidential information that relates to other persons, that could cause potential harm to another party or that may prevent us from detecting a crime.
To correct
Where you consider that your personal data is inaccurate or incomplete you can require that such personal data be modified accordingly. We may not always be able to change or remove all information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with them.
To erase
You can request the deletion of your personal data, to the extent permitted by law. This would be in the case where your personal data is no longer needed, where you have removed your consent, or where deleting the information is legally required. Where your personal data has been shared with others, we will do what we can to ensure your request is complied with. Please note that we can’t delete your information where:
- there is a legal requirement
- it is in use and protected by freedom of expression
- it is in use for public health purposes
- it is for, scientific or historical research, or statistical purposes where it would make information unusable
- it is necessary for legal claims
To restrict
You can request the restriction of the processing of your personal data. When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK. Where restriction of use has been granted, we will inform you before we carry on using your personal data. You have the right to ask us to stop using your personal data for any council service. However, if this request is approved, this may cause delays or prevent us from delivering that service. Where possible we will seek to comply with your request, but we may need to hold or use information because we are required to by law.
To object
You can object to the processing of your personal data e.g. for direct marketing purposes.
To withdraw your consent
Where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
To provide data portability
Where legally applicable you have the right to have the personal data you have provided returned to you or if feasible transferred to a third party. However, this only applies if we are using your personal data with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being. It is likely that data portability won’t apply to most of the services you receive from Cumberland Council. You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain criteria in your personal data, e.g. your health conditions.
If and when we use your personal data to profile you, in order to deliver the most appropriate service to you, you will be informed.
If you have concerns regarding automated decision-making or profiling, please contact the Data Protection Officer who’ll be able to advise you about how we are using your personal data.
Right to complain
If you are unhappy with the way in which your personal information has been or is being processed, you have the right to make a complaint about it to the Information Commissioner’s Office (ICO).
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: www.ico.org.uk
If you wish to exercise any of the rights above, contact the Data Protection Officer at dataprotection@cumbria.gov.uk
Advice
If you have any worries or questions about how your personal data is handled, contact our Data Protection Officer at dataprotection@cumbria.gov.uk
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 (national rate number).
Alternatively, visit the Information Commissioner's Office or email casework@ico.org.uk
Changes to this Privacy Notice
We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the top of this page. Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.