Information about how Wirral Council uses your personal data. Wirral Council Wirral Council is committed to protecting your privacy when you use council services. This Privacy Notice below explains how Wirral Council (as a Data Controller) collects, uses and protects personal data that we hold. Data Controller Wirral Council is the data controller. This means it decides how your personal data is processed and for what purposes. Wirral Council PO Box 290 Brighton Street Wallasey Wirral CH27 9FQ Cookies Wirral.gov.uk puts small files known as ‘cookies’ onto your computer to collect information about how you browse the site. View our cookies policy. Personal data Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. Issues of how data is handled are dealt with by the council's Data Protection Officer Jane Corrin who can be contacted by email at DPO@wirral.gov.uk or by writing to: Data Protection Officer, PO Box 290, Brighton Street, Wallasey, Wirral CH27 9FQ. The council is a public authority, we must comply with all relevant legislation relating to data handling. The Information Commissioner's Office (ICO) is the supervisory authority in the United Kingdom established to ensure that your data rights are upheld. See Formal Resolution below for the ICO address. Categories of personal data we hold Obtaining, recording, holding and dealing with personal information is known as 'processing'. We hold a variety of different categories of data depending on the relationship the council has with you. If you are a library member we may hold your name and address. If you were accessing support via our Health and Social Services we may hold more sensitive data such as health or financial information. We only hold information which is necessary for the purpose the information was obtained for. What is the legal basis for processing your personal data? Depending on how we are processing your personal data will determine the legal basis for processing. Generally, the legal bases for processing by the council as a public authority will be: to perform a function or provide a service required by statute (Article 6(1)(e) GDPR) (see list of Statutory duties placed on local government) to comply with a legal obligation (Article 6(1)(c) GDPR) where the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 1(b) GDPR) where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) GDPR); and with your explicit consent (Articles 6(1)(a) and 9(2)(a) GDPR) There is a 6th Lawful basis: ‘Legitimate interests’ where the processing is necessary for data subjects legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply to a public authority processing data to perform its official tasks.) How departments within the council collect and use your personal data Wirral Council has overall responsibility for a wide range of public services across our Local Authority Area and it is necessary to collect personal data to enable those services to be delivered to residents. Many of the council services can be found on the council website. Providing a service We hold the details of these people who have requested a service in order to provide it. However, we only use these details to provide the service requested or for other closely related services. Personal information is collected and used when we provide social care services or administer council tax, housing benefit, grants and other important services to the public. Enforcement Some departments collect personal data as a result of enforcement activity carried out by the council. For example, such data is collected by our Public Protection and our Highways departments when enforcing regulations concerning trading standards, fly-tipping, highways and parking offences. Marketing Some departments provide discretionary services and invite you to sign up for mailing lists in order to be kept informed of their services, special offers or activities which may interest you. This personal data is collected only where you provide your consent that you wish to be kept informed. You are able to and have the right unsubscribe or ask for your data to be erased when you no longer wish to receive marketing information. Recruitment When individuals apply to work for the council, we will only use the information they supply to process their application and to monitor equal opportunities statistics. Personal information about unsuccessful candidates will be held for six months after the recruitment process has been completed, it will then be destroyed securely. Once a person has taken up employment with the council we compile a personnel file relating to their employment. The information contained in this is kept secure and will only be used for purposes directly relevant to that employment. Registering to vote When a person registers to vote, their name and address are included in the electoral register. Two versions of the register are compiled and published each year. The Full Register is available for inspection under supervision. The Edited Register does not include the names and addresses of people who have asked to be excluded from this version of the register. The Edited Register can be bought by anyone who asks for a copy and they may use it for any purpose. Public Health data We have a legal duty to improve the health of the population we serve. To help with this, we use data and information from a range of source data, including data collected at the registration of a birth or death to understand more about the health and care needs in the area. This data assists us in tailoring local solutions to local problems, and using all the levers at our disposal to improve health and reduce inequalities and it helps to create a 21st century local public health system, based on localism, democratic accountability and evidence as directed in the Health and Social Care act 2012. The legal basis for the flow of this data: Section 42(4) of the SRSA (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002. The source of personal data The vast majority of personal data we hold will have been provided to us directly from you. There are occasions where personal data is collected about you in other ways. This includes: when partner agencies share information with us to provide a joined-up service to you when you move into our Local Authority Area, data may be shared from your previous local authority when the police and other law enforcement agencies share information to enable the local authority to safeguard residents when members of the public report issues to us CCTV images of some public spaces How we protect your data We will take appropriate steps to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. The council takes security measures such as, but not limited to: Logical Security Control encryption anonymisation pseudonymised partitioning paper document security Physical Security Control managing workstations website security backups network security physical access control monitoring network activity hardware security Organisational Control monitoring committee policies managing Privacy risks integrating privacy protection in projects (PIA) People we share data with We share data with others to enable a requested or statutory service to be provided. This could be where we use another agency to deliver the service for us or where we collaborate with other agencies. The agencies involved may be regional partnerships, UK Government, local schools and colleges, and the National Health Service. We also provide information on occasion to the private and charity sectors where they are involved in the delivery of service for us. If you are receiving services or support from adult social care then the NHS may share your NHS number with Social Care. This is so that the NHS and social care are using the same number to identify you whilst providing services to you. By using the same number the NHS and social care can work together more closely to improve your care and support. We will also use this Number in an integrated care record system across a number of support services including GPs, hospitals, community matrons, district nurses, mental health services and social care practitioners. We will share information only to provide health and social care professionals directly involved in your care access to the most up-to-date information about you. Joint working example A request for aids and equipment to assist an elderly service user. Such a request would be a service that could be delivered jointly by Adult Social Care as well as the National Health Service. A paid-for service example We pay some organisations to provide services on our behalf such as providers of residential accommodation and home care. In such cases, the information provided to them is only the minimum necessary to enable them to provide services to you on our behalf. Transfer of information to another local authority Personal information about you may also be provided to other local authorities. An example would be where you have moved from one area to another and it is necessary to share personal information to allow for services you are receiving to continue. Transfer of information required by law We also share personal information where we are required to do so by law. Examples include where we are required to publish or report matters to the Government, to assist law enforcement agencies prevent, detect and prosecute crime, to protect the vital interests of the person concerned or to comply with a Court Order. National Fraud Initiative We participate in the Cabinet Office's National Fraud Initiative. This requires us to provide particular sets of data to the Minister for the Cabinet Office for matching. The use of data for this data matching exercise is carried out with statutory authority under part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. You can view further information on the Cabinet Office's legal powers and the reasons why it matches particular information. Access to information by private companies In some instances we share information with private companies in order for them to act as data processor for us. Such arrangements are subject to data processing agreements with strict rules on processing to keep the data secure. How long we keep your data Data is held for no longer than is necessary and the council follows legal, financial and regulatory requirements as well as professional best practice on how long information should be kept before destruction or archiving. The timeframe for holding data is different depending on the purpose for which the information was collected and processed. See Wirral Corporate Retention Policy Transfers outside the European Economic Area We do not regularly share personal information beyond the European Economic Area (EEA). Transferring personal data to a country beyond this area can only take place if the destination has been the subject of an adequacy decision that it meets certain criteria set by the European Commission. What this means is we could only send information to a country if it meets very strict standards or your consent to this transfer is provided. If ever a situation arose that your personal information might be transferred outside of the EEA, you would be notified beforehand and consent sought if required and recorded, providing that does not conflict with a legal obligation imposed upon the council. Your data rights 1. Right to be informed We must be completely transparent with you by providing information 'in a concise, transparent, intelligible and easily accessible form, using clear and plain language'. Our privacy notice is one of the ways we try and let you know how data is handled. 2. Right of access You have the right to access your personal information except where: it contains confidential information about other people and the council has to balance the rights of other individuals includes information a care professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing information which may prejudice an investigation if disclosed For details on how you can access your personal information see our Data Protection Policy. 3. Right to rectification You have the right without undue delay to request the rectification or updating of inaccurate personal data. 4. Right to restrict processing You can ask for there to be a restriction of processing such as where the accuracy of the personal data is contested. This means that we may only store the personal data and not further process it except in limited circumstances. 5. Right to object You can object to certain types of processing such as direct marketing. The right to object also applies to other types of processing such as processing for scientific, historical research or statistical purposes (although processing may still be carried out for reasons of public interest). 6. Rights on automated decision making and profiling The law provides safeguards for you against the risk that a potentially damaging decision is taken without human intervention. The right does not apply in certain circumstances such as where you give your explicit consent. 7. Right to data portability Where personal data is processed on the basis of consent and by automated means, you have the right to have your personal data transmitted directly from one data controller to another where this is technically possible. 8. Right to erasure or 'right to be forgotten' You can request the erasure of your personal data when: i) the personal data is no longer necessary in relation to the purposes for which it was collected and processed.ii) the council’s lawful basis for processing your personal data was consent and you no longer provide your consent and there is no other legal ground for the processing , oriii) you object to the processing and there are no overriding legitimate grounds for the processing. The Information Commissioner regulates data handling by organisations in the U.K and work to uphold the data rights of citizens and the Information Commissioner's website provides more information on the rights available to you. Withdrawing consent If you consented to providing your personal information to us and you have changed your mind and you no longer want the council to hold and process your information, please let us know. In the first instance please contact the relevant department. Withdrawing consent should be as easy to do as when you provided consent in the first place. If that isn't your experience with a particular service it is important you let us know of your difficulties so that we can put that right. If you encounter any difficulties in withdrawing consent, please contact the council's Data Protection Officer by email at DPO@wirral.gov.uk or by writing to: Data Protection Officer, PO Box 290, Brighton Street, Wallasey, CH27 9FQ. Automated decision making and profiling The majority of services provided by the council do not carry out automated decision-making. There are a very small number of services that do and this is to ensure that you the applicant receive a quick response. When automated decision making takes place you will be informed and an option will be provided to enable you to request human intervention. We do on occasion carry out profiling to enable us as a local authority to target services to those in society who are in need of help and support and who may suffer harm without our assistance. The right to complain about data handling The council sets very high standards for the collection and appropriate use of personal data. We therefore take any complaints about data handling very seriously. We encourage you to bring to our attention where the use of data is unfair, misleading or inappropriate and we also welcome suggestions for improvement. Informal resolution In the first instance we would ask that you try and resolve data handling issues directly with the relevant department before applying for a formal resolution. Formal resolution If you are dissatisfied with the informal resolution of your complaint you can request a review by the Data Protection Officer Jane Corrin by email DPO@wirral.gov.uk If you remain dissatisfied following an internal complaint, you can lodge a complaint with the Information Commissioner: Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Changes to our Privacy Notice We regularly review our privacy notice and encourage you to check it from time to time. This notice was last updated in November 2022.