Privacy and data protection

The Council will do all we can to respect your privacy and to protect the personal information we acquire when you use our services.

View our Data Protection Policy.

Quick links

• About personal information
• Your rights
• How we hold and share your data
• Cost of living crisis
• Protecting your information
• Departmental privacy notices
• Councillor privacy notice
• Our website
• Getting advice

How we protect and use your information

This privacy notice provides a summary on how we use your information in order to fulfil our statutory responsibilities as a Local Authority in the provision of services to you, explains your rights and outlines the measures that we have taken to protect the personal data we hold.

We collect and process various types of personal information, including basic information such as your name and contact details.  Most of your information will have been provided by yourself or collected through your use of Council services where necessary information is also obtained from other sources.

View the Council's departmental privacy notices. Under each service will be more information about how your data is processed, who we may share your information with and why. 

What is personal information?

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person, for example, this could be your name and contact details. 

Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you would not want widely known and is very personal to you. This is likely to include: sexuality, sexual health, religious or philosophical beliefs, ethnicity, physical or mental health, trade union membership, political opinion, and genetic/biometric data.

The Council also processes personal data about criminal convictions or offences when specific conditions provide lawful authority for us to process that data. The Council's Appropriate Policy Document (pdf, 216 KB) contains more information about how the Council protects special category and criminal convictions personal data.

What is our lawful basis for processing your personal data?

GDPR states we (the Council) need a lawful basis for processing your personal data. Depending on why we are processing your personal data will determine the lawful basis for processing. The lawful basis for processing has to be at least one or more of these conditions - 

1. You have given us consent to the processing of your personal data for one or more specific purposes.
2. Processing is necessary for the performance of a contract to which you are party, or in order for us to take steps, at your request, prior to entering into a contract.
3. Processing is necessary for compliance with a legal obligation to which we are subject.
4. Processing is necessary in order to protect the vital interests of either yourself or another person.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
6. Processing is necessary for the purpose of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, particularly where the data subject is a child.
7. An additional lawful basis is required to process special category data

Why do we need your personal information?

We may need to use some information about you to:

• Deliver services and support to you
• Manage those services we provide to you
• Train and manage the employment of our workers who deliver those services
• Help investigate any worries or complaints you have about your services
• Keep track of spending on services
• Check the quality of services
• To help with research and planning of new services
• To keep you informed about new initiatives and opportunities within the borough – where you have asked us to keep you informed
• In the case of agency workers, consultants, contractors and other third parties we may need to collect biometric data (e.g. fingerprint/hand scans or facial/voice recognition) for the purposes of secure entry access to buildings in some specific areas, or for equipment login purposes

Without your personal data we may not be able to provide these services.

How the law allows us to use your personal information

There are a number of legal reasons why we need to collect and use your personal information. Generally, we collect and use personal information when:

• It is required by law
• You, or your legal representative, have given consent
• You have entered into a contract with us
• It is necessary to perform our statutory duties
• It is necessary to protect someone in an emergency
• It is necessary for employment purposes
• It is necessary to deliver health or social care services
• You have made your information publicly available
• It is necessary for legal cases
• It is to the benefit of society as a whole
• It is necessary to protect public health
• It is necessary for archiving, research, or statistical purposes

We only collect and store information that we need for as long as we need it

For further information on retention of records, please view the Records management page. 

We’ll only collect and use personal information if we need it to deliver a service or meet a requirement such as processing Council Tax billing. If we use your information for other reasons such as for performance reporting and analysis, we’ll always keep your personal identifying details anonymous unless you’ve agreed that your personal details can be included.  Where your information is no longer needed it will be destroyed in line with the Councils retention and disposal policies.

What you can do about your personal information

Data protection law gives you a number of rights to control what personal information we can hold and how it is used by us.

For more information please see our Individual Rights Policy (pdf, 292 KB), the main elements of which are summarised below.

You can ask for access to the information we hold on you

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services. However, you also have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you either verbally or in writing, we will review the records held and respond to you within one month.

If you have any queries about access to your information please make a request for records held by Richmond Council.

Data protection law specifies that we cannot let you see any parts of your record which contain items such as:

• Confidential information about other people
• Information a professional assesses may cause serious harm to your or someone else’s physical or mental wellbeing
• If we think that giving you the information may stop us from the prevention or detection of a crime

You can ask to change information you think is inaccurate

You should let us know if you disagree with something in our records about you.

We will correct factual inaccuracies and may include your comments in the record to show that you disagree with it where necessary.  

You can ask to withdraw consent previously given

Where we have previously had your consent to use your personal information, you have the right to remove your consent at any time.

You can ask to delete information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted. You can request the erasure of your personal data.

Erasure of personal data is not an absolute right. It will be granted in most but not all circumstances.

You have the right to ask us to restrict the use of your personal information

You can ask us to restrict the use of your personal information where either:

• You have identified inaccurate information
• The processing was unlawful and although you do not want your information erased you want its use restricted
• You need your personal information held by the us for your use of it for legal reasons, even though we have no further use for it
• You object to the processing of your personal information and we need to provide legitimate grounds for the processing

You have the right to ask us to stop using your personal information for any council service.

Unless we can demonstrate compelling legitimate grounds for the processing of your personal data which overrides your interests, rights and freedoms or its use in legal claims, you have the right to object to the processing of your personal information. However, if this request is approved this may cause delays or prevent us delivering that service. This includes the right not to be subject to a decision based solely on automated processing, including profiling.

You have the right to data portability

Only where you have provided us with either consent to have your personal information or where it has been processed in order to fulfil a contract with us and where the information has been automated, you can request this information be given to other organisations where technically feasible.

If you wish to exercise any of the rights above please contact us by email at DPO@richmondandwandsworth.gov.uk with full details and verification of who you are (i.e. proof of address and ID) and we will process your request as quickly as possible and certainly within the one calendar month period allowed, where ever possible.

How we hold and share your data

We keep your information confidential and will only share your information outside of the Council for the purposes mentioned in our privacy notice. This may include sharing with third parties such as our partner service providers or for fraud prevention and in compliance with law enforcement agencies and regulators.

We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law. 

Before we share personal information to make sure we protect your privacy and comply with the law we will review the risks involved and, if necessary, complete a full privacy impact assessment (PIA).

Sometimes we have a legal duty to provide personal information to other organisations. This is often because we need to give that data to courts, including:

• If we take a child into care
• If the court orders that we provide the information
• If someone is taken into care under mental health law

We may also share your personal information when we feel there’s a good reason that’s more important than protecting your privacy. This doesn’t happen often, but we may share your information:

• In order to find and stop crime and fraud or if there are serious risks to the public, our staff or other professionals
• To protect a child
• To protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them

For all of these reasons the risk must be serious before we can override your right to privacy. If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we will discuss this with you and if possible, get your permission to tell others about your situation before doing so. 

We may still share your information if we believe the risk to others is serious enough to do so.  

There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why if we think it is safe to do so.

We may share personal information you provide to the Council with the Cabinet Office who undertakes data matching for the National Fraud Initiative. This is comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match and identify potentially fraudulent claims. This processing is carried out under Part 6 of the Local Audit and Accountability Act 2014 and does not require the consent of the individuals concerned. For further information on the NFI please see the National Fraud Initiative privacy notice.

Cost of living crisis

As part of its response to the current cost of living crisis the Council has engaged with an external organisation, Policy in Practice, to utilise what is known as the Low-Income Family Tracker Dashboard (LIFT).

The dashboard brings together indicators of poverty from data supplied by the Council to highlight those residents or households at risk of falling into crisis. It specifically identifies households affected by multiple welfare reforms and allows staff to identify residents and families who would benefit financially from targeted pro-active engagement, rather than just reacting to people who contact the Council.

The dashboard uses information from the Council's administrative datasets covering Housing Benefit and Council Tax Support recipients, Housing data in regard to Council tenants, Universal Credit data which the Council holds as data controller and Free School Meals data. These datasets are controlled by the Council. Policy in Practice acts as a data processor working directly with these datasets.

Given the volume of personal information involved a Data Protection Impact Assessment has been undertaken to assess the level of any risk to data subjects and to identify ways of mitigating any such risks. The work being undertaken by Policy in Practice is governed by a formal Data Processing Agreement put in place by the Council.

The lawful basis for the intended processing is set out in UK GDPR Article 6 (e) Public task: as it is necessary for the Council to process the data to enable it to carry out its statutory duties in respect of Housing Benefit and Council tax administration in support of the Council's official functions and statutory obligations.

No data will be processed outside of the UK and there are no automated decisions or 'profiling'.

NHS data opt-out

An organisation may approach us to disclose your data if they have a section 251 National Health Service Act 2006 approval for research. The data would usually include something that identifies you and about the care you receive. The data collected will be used by the organisation for research and planning purposes, for example it could be used for improving care.

In order to find out more about the National data opt-out please visit the NHS website.  If you want to opt out of your data being used by organisations who have a section 251 National Health Service Act 2006 approval please contact DPO@richmondandwandsworth.gov.uk.

Please note that if you decide later to change your opt out choice you can do so at any time by contacting the above email address.

How do we protect your information?

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them. Examples of our security include:

• We will continue to work towards the standards set by ISO27001 for information security
• Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
• Pseudonymisation, meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
• Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
• Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
• Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).

Generally, the Council will not process your personal data outside of the UK or the EEA. In exceptions where we do, we will ensure equivalent data protection controls are in place.

Departmental privacy notices

More detail about how individual departments use your data.

Visitors to our websites

When you visit the Council’s website we collect routine internet log information, which allows us to see visitor behaviour patterns and helps us improve our website. Internet log information is collected in a way which does not allow us to identify you and we do not make any attempts to find out the identities of individuals visiting our website.

Cookies and how you use our website

To make this website easier to use, we sometimes place small text files on your device (for example your iPad or laptop) called cookies. Most big websites do this too.

They improve things by:

• Remembering the things you have chosen while on our website, so you do not have to keep re-entering them whenever you visit a new page
• Remembering data you have given (for example, your address) so you do not need to keep entering it
• Measuring how you use the website so we can make sure it meets your needs

By using our website, you agree that we can place these types of cookies on your device.  We do not use cookies on this website that collect information about what other websites you visit (often referred to as privacy intrusive cookies). Our cookies are not used to identify you personally, they are just here to make the site work better for you. You can manage or delete these files as you wish. Find out how Richmond Council uses cookies. To learn more about cookies and how to manage them, visit AboutCookies.org.

External links

Our website contains external links to third party sites. Our privacy notice applies only to information collected by or on behalf of the Council. When you are transferring to another site you should read their privacy statement on the use of your information before submitting any personal details.

Updating this privacy notice

Our privacy notice may be reviewed from time to time so please check back here each time you submit personal data to us.

Where can I get advice?

The Council's Data Protection Officer (DPO) is Katrina Waite. The DPO can be contacted at dpo@richmondandwandsworth.gov.uk.

If you are unhappy about how we have handled your data or for independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO), their contact details can be found via the ICO website or you can email casework@ico.org.uk.