This website is operated by Horsham District Council which is responsible for the processing of your personal data and is the Data Controller for all such information. We regard your privacy as very important.
Being transparent and providing accessible information to you about how we use your personal information is a key element of the General Data Protection Regulation (GDPR).
We describe below the type of personal information we may collect from you and the purpose for our collection of it. If you use a specific Council service, we will usually let you know how that service will use your personal information via separate service and project specific Privacy Notices. These provide further details on how we process your personal data.
1. Data Controller
A Data Controller is an individual or organisation that determines the purposes and means of processing personal data.
Horsham District Council is registered as a Data Controller with the Information Commissioner's Office (registration number: Z7294458).
As a Data Controller we take all necessary steps to comply with the Data Protection Act (DPA) 2018 and the GDPR when handling any personal information.
2. Why do we need your personal information?
As a local authority, the Council delivers services to you. In order to do this in an effective way we will need to collect and use personal information about you. Where we can, we will only collect and use personal information if we need it to deliver a service or meet a legal requirement. The services we deliver to you include:
- housing needs,
- planning applications,
- access to information requests,
- legal claims,
- customer services,
- highways agreements,
- parking services.
We also collect your personal information for:
- Health and wellbeing information. All local authorities have a duty to improve the health of the population they serve. To help with this, we use information from a range of sources, including data collected at the registration of a birth or death, to understand more about the health and care needs in the area.
- Research and statistical data to provide intelligence about the District including demographic data, population projections, the economic situation, health and wellbeing information. This personal information is often anonymised - an identifier such as name is replaced with a unique number.
3. How do we protect your information?
The personal information that we collect from you must be handled and dealt with properly, covering how it is collected, recorded and used whether it is on paper, in computer records or recorded by other means and how long it is kept.
The DPA 2018 and the GDPR ensure that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:
- Process all personal information lawfully, fairly and in a transparent manner.
- Collect personal information for a specified, explicit and legitimate purpose.
- Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
- Ensure the personal information is accurate and up to date.
- Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected.
- Keep your personal information securely using appropriate technical or organisational measures.
4. What personal information do we collect?
Personal information covers anything that identifies and relates to a living person. This includes information that, when put together with other information, can then identify a person. For example, this could be your name together with your contact details.
Some information needs more protection due to its sensitivity. This is called “special category” information and is likely to include anything that can reveal your:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic/biometric data
- criminal history
5. Who do we share your information with?
To ensure that the Council provides you with an efficient and effective service we will sometimes need to share your information between teams within the Council as well as with our partner organisations that support the delivery of the service you may receive, for example:
- County Council
- Fire Service
- Housing Associations
- Voluntary organisations
We may also need to supply your information to other organisations we have contracted to provide a service to you. We will only ever share your information when necessary for performance of a statutory public task or with your consent and if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.
For election purposes, to verify your identity, the data you provide will be processed by the Individual Electoral Registration Digital Service managed by the Cabinet Office. As part of this process your data will be shared with the Department of Work and Pensions and the Cabinet Office suppliers that are data processors for the Individual Electoral Registration Digital Service.
Before sharing information the Council will ensure that:
- Privacy Notices are completed if appropriate.
- Technical security measures such as encryption and access controls are in place to keep information secure.
- Data Sharing Agreements are completed showing the rules to be adopted by the various organisations involved in the sharing exercise.
- Data Protection Impact Assessments are completed to assess any risks or potential negative effects.
- Common retention periods and deletion arrangements are set for the information.
- Subject access rights are catered for.
We do not sell your personal information to anyone else, nor do we share your personal data with third parties for marketing purposes.
Details of transfers to third countries and safeguards
If your personal data needs to be transferred outside of the EEA we will make sure that an adequate level of protection is in place.
6. How long do we keep your personal information?
We will only keep your information for as long as it is required to be retained. The retention period is either dictated by law or by our discretion. Once your information is no longer needed it will be securely and confidentially destroyed.
Service and project specific retention periods can be found in our Data Retention Schedule. Relevant services of the Council will list how long your information may be kept for. This ranges from months for some records to a number of years for more sensitive records or indefinitely for research and statistical data.
7. Your rights
You have certain rights under the Data Protection Act 2018 and GDPR. These are:
- The right of access to any personal information the Council holds about you. Please see our separate section for further information on Making a Subject Access Request.
- The right to be informed via Privacy Notices.
- The right to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
- The right to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
- The right of rectification. We must correct inaccurate or incomplete data within one month. If this data has been shared with other organisations we must also inform those organisations of any changes so they can update their records.
- The right to restrict processing. We can retain just enough information about you to ensure that the restriction is respected in future.
- The right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
- The right to object. You can object to your personal data being used for profiling, direct marketing or, in some circumstances, research purposes.
- You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
If you want to exercise any of these rights then you can do so by contacting:
Information Governance Team
8. Data Protection Officer
As a public authority we are required to have a Data Protection Officer who is responsible for:
- Monitoring the Council's compliance with the GDPR and other data protection laws. Monitoring our data protection policies, awareness-raising, training, and audits.
- Advising the Council in respect of its data protection obligations.
- Providing advice and monitoring the Data Protection Impact Assessment process.
- Acting as a point of contact for the Information Commissioner's Office (ICO) and members of the public on any matter relating to Data Protection.
If you need to contact the Data Protection Officer, contact details are:
Data Protection Officer
Last Review Date: October 2019
Reviewer: Information Governance Team
Owner: Data Protection Officer