Dudley Council
Dudley Skyline

Corporate Information Governance Privacy Notice

Our core data protection obligations and commitments are set out in the Council’s corporate Privacy Notice.

This notice provides additional privacy information for those accessing the Council’s Information Governance service and describes how the Corporate Information Governance service collects, uses and shares personal information about you and the types of personal information we need to process, including information the law describes as ‘special’ because of its sensitivity.

Personal information we collect and use

Information collected by us

Information collected by us
The information we collect from you will be the minimum we need to deliver our service and will include the following personal data:
•  name
•  address
•  contact details
•  date of birth
•  proof of identity (we ask for this in relation to a data subject  requests)
•  Images of you (we ask for this in relation to CCTV footage requests)

Information processed by us

Once you have provided the necessary information to locate the material you have requested, we seek out and collate information from all service areas of the council that are holding information as described in your request. If your request is a data subject request, this means we are likely to obtain and process all the information held by a service area about you. This includes Children’s Services, Revenues and Benefits Services, Housing Services, Adult Social Care, Legal Services, Planning and Regeneration etc. The information we obtain can therefore include both personal and special category information about you. You should view each services individual Privacy Notices to see what information they are processing about you as appropriate.

How we use your personal information

We collect your personal information for the following purposes:
•  The processing of Freedom of Information requests
•  Responding to Data Subject Requests
•  Responding to requests for information covered by the Environmental Information Regulations
•  Dealing with all Data Protection matters including any alleged data security incidents and /or personal data breaches

How long your personal data will be kept

We will hold your personal information for 3 years. At its expiry date the information will be reviewed, and only retained where there is an ongoing requirement to retain for a statutory or legal purpose. Following this your personal information will be securely destroyed.

Reasons we can collect and use your personal information

The lawful basis on which we collect and use your personal data is that
•  Processing is necessary for compliance with a legal obligation
•  Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

We also process special category data, and the condition for processing this is
•  processing is necessary for reasons of substantial public interest and is authorised by domestic law.

This is supported by Section 10 of the DPA 2018, particularly Schedule 1, Part 2 – Substantial Public Interest conditions, paragraph 6 (statutory etc and government purposes) (2)(a). Where the relevant access regimes detailed in UK GDPR, DPA 2018, FOIA and EIR place a statutory obligation on the council to comply with requests for information.

We hold the information in line with the following legislation:
•  Freedom of Information Act 2000
•  Environmental Information Regulations 2004
•  Data Protection Act 2018
•  UK General Data Processing Regulation (UK GDPR)


Who we share your personal information with

We may sometimes share the information that we have collected about you where it is necessary, lawful and fair to do so. We may share information with the following for these purposes:
•  The Information Commissioner
•  The Local Government and Social Care Ombudsman
•  Other internal council departments
•  Local health providers
•  Other local councils

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

To manage the requests we receive, we utilise an internet (cloud) based request management solution called Axlr8. This enables allocation of workloads, tracking of request progress and issuing of responses to you. No special category data is stored in this system, for further information please see this link:
Axlr8 Information Request Management

We also have procedures in place to deal with any suspected data security incidents and we will notify you and the appropriate regulator of any incident where we are legally required to do so.

When computers make any decisions about you

The Information Governance service does not make or use any automated decisions.

When your data is sent to other countries

We do not send any information we collect about you outside the United Kingdom.

Rights for individuals under the UK GDPR

Find out about the rights for individuals under the UK GDPR in the Council's corporate Privacy Notice

What are your rights?

Please contact the Corporate Information Governance Team at information.governance@dudley.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer via the same email address or write to: Data Protection Officer, The Council House, Priory Road, Dudley, DY1 1HF.

The UK GDPR also gives you the right to lodge a complaint with the Information Commissioners Office who are the supervisory authority responsible to regulate and monitor the legislative obligations within the UK. They can be contacted via: ICO Contact Us