GDPR (General Data Protection Regulation)
Stirling Council needs to collect, store, use, share and dispose of personal data in order to deliver services as a local authority. Together, those activities are referred to do as data processing.
When we process personal data, we must comply with the EU General Data Protection Regulation and the Data Protection Act 2018 (for short, we refer to this legislation as data protection laws).
When we collect personal data, we must tell you why we need it, and what we will do with it. This information is called a privacy notice.
This privacy notice explains how we process your personal information as a Council. More specific information will also be provided by Council services when you use them, and can also be found in our Register of Data Processing
Organisations or individuals that determine how your personal information will be processed are known as data controllers. Data controllers must, by law, pay a fee to register with the Information Commissioner, who promotes and enforces data protection laws within the UK.
Stirling Council is registered as a data controller (registration number: Z6893154). You can see our entry in the Information Commissioner’s Register of Data Controllers
Data Protection Officer
The Council has a Data Protection Officer to make sure it is complying with data protection laws.
The Council’s Data Protection Officer is Kevin O’Kane.
Data Protection Officer,
Stirling FK7 7QA
The personal data we hold about you may be collected on a paper or online form, by telephone, email, CCTV, by a member of our staff, or one of our partners. When we collect and process your personal information, we are committed to the principles set out in data protection laws.
Those principles are there to protect you and make sure that:
- we tell you why we need your information and what we will do with it
- we don’t use your information for a different reason than the one we have told you about (the exception to this is if we have to do so by law e.g. to prevent and detect crime)
- we only collect information that we need
- we collect accurate information and, where necessary, keep it up to date
- we don’t keep your information for longer than we need to
- we keep your personal information secure
Categories of personal data
We process personal data and special category data.
Personal data is information which can be used to identify you such as your name, address, date of birth, or a unique identifier such as your National Insurance number.
Special category data is more sensitive information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
Purpose of Processing Personal Data
We process personal data to allow us to provide services such as schools, social care, housing, transport, and environmental services. We also process personal data to fulfil certain legal responsibilities including: collecting Council Tax; paying benefits and grants; planning services and enforcement; licensing; trading standards; and, food safety.
On occasions, we may keep your personal data within the Council’s archives for evidential and historical reasons, or use it for research and statistical purposes (for example, to understand more about the health and care needs in your area).
It will sometimes be necessary to process personal information to protect individuals from harm or injury, to prevent and detect crime, to comply with legal orders, and to provide information in accordance with a person’s rights.
The Council will only process your personal information when it is lawful to do so. The reasons that allow us to process personal information include:
- It is necessary to provide a Council service (which is part of our public task).
- It is required by law.
- It is necessary to protect someone’s life.
- It is necessary as part of a contract.
- You have given us permission to do so.
The Council’s Register of Data Processing sets out the activities that involve the collection and use of personal information and the reason why we can process your information lawfully. The Register provides more detail about how the Council uses personal data for specific activities and services.
If we require your permission to process your personal information, we will ask you. If you wish to withdraw your consent, you can do so through contacting the Data Protection Officer (see above for details).
Sometimes we will share your personal data between teams within the Council, and with external partners and agencies involved in delivering services on our behalf. This is to provide you with efficient services.
The Council may also provide personal data to third parties, but only where it is necessary, either to comply with the law or where permitted under data protection laws.
Examples of organisations who we may share your data with include (but are not limited to): NHS Forth Valley, Police Scotland, HM Revenue & Customs, Department for Work & Pensions, voluntary organisations and care providers. Our service specific privacy notices (as set out in the Register of Data Processing) set out the recipients or organisations involved in providing services on our behalf, or with whom we share personal information.
We will only share your data with partners or suppliers who have sufficient measures and procedures in place to protect your information and can meet their legal obligations under data protection laws. These requirements will be set out in contracts or information sharing agreements.
We will not share your data for marketing purposes, unless you have specifically given us with permission to do so.
The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies throughout the United Kingdom to prevent and detect fraud. Stirling Council, which participates in the NFI, is required by law to protect the public funds it administers. We may share certain information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. There is more information about the NFI on the Council's website
Details of transfers to third country and safeguards
Your information will normally be stored and processed on servers based within the European Economic Area. While it may sometimes be necessary to transfer personal info overseas, any transfers will be in full compliance with data protection laws, and will be recorded in our Register of Data Processing.
We will not keep your information for any longer than it is needed, and will dispose of records (both paper and electronic) in a secure way. The length of time we need to keep information will depend on the purpose for which it is collected. The Council has a Record Retention Schedule which sets out how long we keep records and the reason why. There is more information about how the Council manages records on the Council's website.
You have the following rights under data protection laws.
- The right to be informed about how we collect and use your personal information, through privacy notices such as this.
- The right to request information we hold about you. This is known as a Subject Access Request and is free of charge. We must respond within one month, although this can be extended to three months if the information is complex. There is more information about how to make a Subject Access Request below.
- The right to rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner
- The right to erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
- The right to restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. We must tell you if we decide to lift a restriction on processing.
- The right to data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task.
- The right to object. You can object to your information being used for profiling, direct marketing or research purposes.
- You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
To exercise any of your rights, please contact the Data Protection Officer(see above for details).
Collecting Information Automatically
Please see our cookies page for further information about the information we collect automatically when using our website. See also information on our Privacy Statement on our Internet Standards page.
Incidents and breaches involving personal data
If you are concerned about what we do with your data, or think something has gone wrong with how the Council handles personal data, please contact the Council’s Data Protection Officer to report a data protection incident. See contact details above
Complaints and comments
If you wish to make a complaint or comment about how we have processed your personal information, you can do so by writing to the Council’s Data Protection Officer (see contact details above). If you are still unhappy with how the council have handled your complaint, you may contact the UK Information Commissioner's Office at:
The Information Commissioner,
Cheshire SK9 5AF
Telephone: 0303 123 1113
For further information, see: The Information Commissioners Office Website
Making a Subject Access Request
Data Protection laws give you the right to request to see personal data that the Council holds about you. This is known as the right of "subject access". To make a Subject Access Request, we need to know:
- your name and date of birth
- the type of personal data are you requesting. Are you looking for personal data held in relation to Social Work, Housing, Education, Council Tax or a different council service?
We may need to ask for further information before processing your request.
We may need to confirm your identity before disclosing any personal data to you.
If you are making a request for personal data relating to someone else, we may need to confirm that you are able to act on their behalf. For example:
- you might have Power of Attorney that enables you to act for that person
- you may be a parent with parental rights who wants personal data relating to your child aged under 12
- you might be acting on behalf of a friend or member of the family, and that person has signed a mandate form allowing you to act for them
Please note that children over the age of 12 are usually able to make a request for writing using their own right of access. We may ask you to provide a mandate form signed by them before we can disclose their personal data to you.
We have a Subject Access Request form that you can use to make your request. For assistance in making a request, please contact:
Records & Information Team
Stirling FK8 2ET
Telephone: 01786 233988
This Privacy Notice was last amended on 24 May 2018. If this privacy notice changes in any way, we will place an updated version on this page.