Lewisham Council is registered as a 'Data Controller' with the Information Commissioner's Office (ICO) under the UK General Data Protection Regulation, as we collect and process personal information about you.
We process and hold your information in order to provide public services. This notice explains how we use and share your information. Information may be collected on a paper or online form, by telephone, email, CCTV or by a member of our staff, or one of our partners.
We have an appointed Data Protection Officer, who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact:
Data Protection Officer
Why do we collect information about you?
- deliver public services
confirm your identity to provide some services
contact you by post, email or telephone
understand your needs to provide the services that you request
understand what we can do for you and inform you of other relevant services and benefits
obtain your opinion about our services
update your customer record
help us to build up a picture of how we are performing at delivering services to you and what services people need
prevent and detect fraud and corruption in the use of public funds
allow us to undertake statutory functions efficiently and effectively
make sure we meet our statutory obligations including those related to diversity and equalities.
We may not be able to provide you with a product or service unless we have enough information.
We will process your information for the following purposes
- for the service you requested, and to monitor and improve the council's performance in responding to your request
to allow us to be able to communicate and provide services and benefits appropriate to your needs.
to ensure that we meet our legal obligations
where necessary for the law enforcement functions
to prevent and detect fraud or crime
to process financial transactions including grants, payments and benefits involving the council, or where we are acting on behalf of other government bodies, e.g. Department for Work and Pensions
where necessary to protect individuals from harm or injury
to allow the statistical analysis of data so we can plan the provision of services.
We will not pass any personal data on to third parties, other than those who either process information on our behalf, or because of a legal requirement, and will only do so, after we have ensured that adequate organisational and technical measures are in place to protect the data.
We will not disclose any information that you provide 'in confidence' to us, to anyone else without your permission, except in situations where disclosure is required by law, or where we have good reason to believe that failing to share the information would put a person at risk.
We may process your information overseas using web services that are hosted outside the European Economic Area, but only with data processing agreements that meet our obligations under the UK General Data Protection Regulation.
Legal basis for processing your personal information
There are a number of legal reasons why we need to collect and use your personal information.
Each privacy notice from the menu on the left explains the legal basis for processing your information by the respective service areas. Generally we collect and use personal information where:
you, or your legal representative, have given consent
you have entered into a contract with us
it is necessary to perform our statutory duties
it is necessary to protect someone in an emergency
it is required by law
it is necessary for employment purposes
it is necessary to deliver health or social care services
you have made your information publicly available
it is necessary for legal cases
it is to the benefit of society as a whole
it is necessary to protect public health
it is necessary for archiving, research, or statistical purposes.
If we process your information entirely from your ‘Consent’ (i.e. non-statutory service), you have the right to withdraw it any time. If you want to withdraw your consent, please contact DPO@lewisham.gov.uk and tell us which service you are using so we can deal with your request.
We may, occasionally, need to share your information with other business areas within the council, and third parties that provide services. These providers are obliged to keep your details securely, and use them only to fulfil a justified need.
We may disclose information to other partners where it is necessary, either to comply with a legal obligation, or where permitted under the UK General Data Protection Regulation e.g. where the disclosure is necessary for the purposes of the prevention and/or detection of crime or fraud.
Where we need to disclose Special Category or confidential information such as medical details to other partners, we will do so only with your prior explicit consent or where we are legally required to.
We may disclose information when necessary to prevent risk of harm to an individual.
We have Information Sharing Agreements in place with other partners and external organisations to help deliver the best services for you. We do this to comply with UK Data Protection law and so you can be confident that they all comply with the same privacy principles as the local authority.
At no time will your information be passed to external organisations for marketing or sales purposes or for any commercial use without your express consent.
Detection and prevention of crime and fraud
Lewisham Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of crime and fraud. We may also share this information with other bodies that are responsible for auditing or administering public funds including the Cabinet Office, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police.
In addition to undertaking our own data matching to identify errors and potential frauds we are required to take part in national data matching exercises undertaken by the Cabinet Office. The use of data by the Cabinet Office in a data matching exercise is carried out under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned.
The personal information we have collected from you will also be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found online.
In limited situations we may monitor and record electronic transactions (website, email and telephone conversations). This will only be used to prevent or detect a crime, or investigate or detect the unauthorised use of the telecommunications system and only as permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Emergency response management
Data matching may be used to assist the council in responding to emergencies or major accidents, by allowing the council, in conjunction with the emergency services, to identify individuals who may need additional support in the event of e.g. an emergency evacuation.
Ordinarily we will inform you if we record or monitor any telephone calls you make to us. This will be used to increase your security, for our record keeping of the transaction and for our staff training purposes.
If you email us we may keep a record of your email address, as well as your email for our records. For security reasons we will not include any confidential information about you in any email we send to you. We would also suggest that you keep the amount of confidential information you send to us via email to a minimum and use our secure online services or by post.
If you are a user with general public access, our website does not store or capture personal information, but merely logs a number called your IP address which is automatically recognised by the system.
The system will record personal information if you:
- subscribe to or apply for services that require personal information
- report a fault and give your contact details for us to respond
- contact us and leave your details for us to respond.
We employ cookie technology to help log visitors to our website.
They improve browsing by:
remembering who you are after you login to the site
prefill some of the online forms with information you already gave to us so you don’t need to keep entering it;
measuring how you use the website to make your browsing experience more efficient and user friendly.
Apart from the ones related to the login process our cookies aren’t used to identify you personally. They exist to make the site work better for you. You can manage and/or delete these small files as you wish.
Further information and how to block cookies is located on our cookies page.
To learn more about cookies and how to manage them visit AboutCookies.org.
We have installed CCTV systems in some of our premises used by members of the public for the purposes of public and staff safety, and crime prevention and detection. They are also installed in various sites across the Borough for public and staff safety, crime prevention and detection, and the abuse of council policies. In all locations, signs are displayed notifying you that CCTV is in operation and providing details of who to contact for further information about the scheme.
We will only disclose CCTV images to others who intend to use the images for the purposes stated above. CCTV images will not be released to the media for entertainment purposes or placed on the internet.
Images captured by CCTV will not be kept for longer than necessary. However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated. You may make a request for CCTV images you appear in.
How we protect your information
Our aim is not to be intrusive, and we won't ask irrelevant or unnecessary questions. The information you provide will be protected by adequate organisational and technical measures, to ensure it can't be seen by, accessed or disclosed to anyone who shouldn't.
We will not keep your information longer than it is needed or where the law states how long this should be kept. We will dispose of paper records or delete any electronic personal information in a secure way.
The UK General Data Protection Regulation requires the Council to ensure that any information we hold about you is correct. There may be situations where you find the information we hold is no longer accurate and you have the right to have this corrected.
You have the right to request that Lewisham Council stop processing your personal data in relation to any council service, however, this may affect service delivery to you. This right applies primarily to ‘Consent’ based services and not ‘Statutory’ service offerings.
Where possible we will seek to comply with your request but we may be required to hold or process information to comply with a legal requirement.
Please contact the service holding the information or the Information Security and Governance Team to exercise any of these rights, or if you have a complaint about how your information has been used.
How to have your information moved to another provider
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However this only applies if we are using your personal information with consent (not if we are required to by law) and if decisions were made by a computer and not a human being.
It is unlikely that data portability will apply to most of the services you receive from the Council.
You can ask to have any computer made decisions explained to you, and details of how we may have risk profiled you.
You have the right to question decisions made about you by a computer, unless it's required for any contract you have entered into, required by law, or you have consented to it.
You also have the right to object if you are being profiled. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.
If and when Lewisham Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer at DPO@lewisham.gov.uk for details of how we are using your information.
NHS National Data Opt-Out
Lewisham Council is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a care service through Lewisham Council, important information about you is collected in a client record for that service. Collecting this information helps to ensure you get the best possible care. The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services.
All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
We only do this when there is a clear legal basis to use this information. Currently, we ensure that anonymised data is used so that you cannot be identified, in which case your confidential patient information is not needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. Otherwise, you have the right to opt out through the NHS National Data Opt-Out. If you do choose to opt out your confidential patient information will still be used to support your individual care.
Should a situation arise where we did need to use or share confidential patient information for one of these purposes, and we had a lawful right to do so, we would first consult the NHS National Data Opt-Out information in order to determine whether we could or could not include your confidential patient information.
To find out more or to register your choice to opt out, please visit the NHS website.
On this web page you will:
- see what is meant by confidential patient information
- find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- find out more about the benefits of sharing data
- understand more about who uses the data
- find out how your data is protected
- be able to access the system to view, set or change your opt-out setting
- find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- see the situations where the opt-out will not apply.
You can also find out more about how patient information is used on the NHS Health Research Authority website (which covers health and care research), and on the Understanding Patient Data website (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Appropriate Policy Document
Next formal review will take place from the date of the last review. This will be no later than July 2024 or in the event of a recommended improvement, a change in legislation or a change of council wide policy.
Policy statement - Appropriate Policy Document for processing special category and criminal offence data.
This is the “appropriate policy statement” for Lewisham Council that sets out how we will protect special category and criminal convictions personal data.
It meets the requirement at paragraph 1 of Schedule 1 to the UK Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
It also meets the requirement at paragraph 5 of Schedule 1 to the UK Data Protection Act 2018 that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1 to the UK Data Protection Act 2018.
Procedures for securing compliance
Article 5 of the UK General Data Protection Regulation sets out the data protection principles. These are our procedures for ensuring that we comply with them.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Lewisham Council will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful
- ·only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Lewisham Council will:
- ·only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice
- ·not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Lewisham Council will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
- Personal data shall be accurate and, where necessary, kept up to date.
- Lewisham Council will ensure that personal data is accurate, and kept up to date where necessary.
- We will take particular care to do this where our use of the personal data has a significant impact on individuals.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Lewisham Council will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Lewisham Council will ensure that there appropriate organisational and technical measures in place to protect personal data.
The controller shall be responsible for, and be able to demonstrate compliance with these principles. Our Data Protection Officer is responsible for monitoring Lewisham Council’s compliance with these principles.
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request
- carry out a Data Protection Impact Assessment for any high risk personal data processing, and consult the Information Commissioner if appropriate
- ensure that a Data Protection Officer is appointed to provide independent advice and monitoring of the departments’ personal data handling, and that this person has access to report to the highest management level of the department
- have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law
Data controller’s policies as regards retention and erasure of personal data
We will ensure, where special category or criminal convictions personal data is processed, that:
- there is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data
- where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous
- data subjects receive full privacy information about how their data will be handled, and that this will include the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
This policy will be retained for the duration of our processing and for a minimum of 6 months after processing ceases.
Additional special category processing
We process special category personal data in other instances where it is not a requirement to keep an appropriate policy document. Our processing of such data respects the rights and interests of the data subjects. We provide clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notice.
For further information about Lewisham Council’s compliance with data protection law, please contact us.
Data Protection Officer