Stirling Council needs to collect, store, use, share and dispose of personal data in order to deliver services as a local authority. Together, those activities are referred to do as data processing.
When we process personal data, we must comply with the EU General Data Protection Regulation and the Data Protection Act 2018 (for short, we refer to this legislation as data protection laws).
When we collect personal data, we must tell you why we need it, and what we will do with it. This information is called a privacy notice.
This privacy notice explains how we process your personal information as a Council. More specific information will also be provided by Council services when you use them, and can also be found in our Register of Data Processing.
Organisations or individuals that determine how your personal information will be processed are known as data controllers. Data controllers must, by law, pay a fee to register with the Information Commissioner, who promotes and enforces data protection laws within the UK.
Stirling Council is registered as a data controller (registration number: Z6893154). You can see our entry in the Information Commissioner’s Register of Data Controllers.
Data Protection Officer
The Council has a Data Protection Officer to make sure it is complying with data protection laws. The Council’s Data Protection Officer is Kevin O’Kane. Please use the 'Contact Us' option if you wish to contact the Data Protection Officer.
The personal data we hold about you may be collected on a paper or online form, by telephone, email, CCTV, by a member of our staff, or one of our partners. When we collect and process your personal information, we are committed to the principles set out in data protection laws.
Those principles are there to protect you and make sure that:
- we tell you why we need your information and what we will do with it
- we don’t use your information for a different reason than the one we have told you about (the exception to this is if we have to do so by law e.g. to prevent and detect crime)
- we only collect information that we need
- we collect accurate information and, where necessary, keep it up to date
- we don’t keep your information for longer than we need to
- we keep your personal information secure
Categories of personal data
We process personal data and special category data.
Personal data is information which can be used to identify you such as your name, address, date of birth, or a unique identifier such as your National Insurance number.
Special category data is more sensitive information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life.
Purpose of Processing Personal Data
We process personal data to allow us to provide services such as schools, social care, housing, transport, and environmental services. We also process personal data to fulfil certain legal responsibilities including: collecting Council Tax; paying benefits and grants; planning services and enforcement; licensing; trading standards; and, food safety.
On occasions, we may keep your personal data within the Council’s archives for evidential and historical reasons, or use it for research and statistical purposes (for example, to understand more about the health and care needs in your area).
It will sometimes be necessary to process personal information to protect individuals from harm or injury, to prevent and detect crime, to comply with legal orders, and to provide information in accordance with a person’s rights.
The Council will only process your personal information when it is lawful to do so. The reasons that allow us to process personal information include:
- It is necessary to provide a Council service (which is part of our public task).
- It is required by law.
- It is necessary to protect someone’s life.
- It is necessary as part of a contract.
- You have given us permission to do so.
The Council’s Register of Data Processing sets out the activities that involve the collection and use of personal information and the reason why we can process your information lawfully. The Register provides more detail about how the Council uses personal data for specific activities and services.
If we require your permission to process your personal information, we will ask you. If you wish to withdraw your consent, you can do so through contacting the Data Protection Officer.
Sometimes we will share your personal data between teams within the Council, and with external partners and agencies involved in delivering services on our behalf. This is to provide you with efficient services.
The Council may also provide personal data to third parties, but only where it is necessary, either to comply with the law or where permitted under data protection laws.
Examples of organisations who we may share your data with include (but are not limited to): NHS Forth Valley, Police Scotland, HM Revenue & Customs, Department for Work & Pensions, voluntary organisations and care providers. Our service specific privacy notices (as set out in the Register of personal data processing) set out the recipients or organisations involved in providing services on our behalf, or with whom we share personal information.
We will only share your data with partners or suppliers who have sufficient measures and procedures in place to protect your information and can meet their legal obligations under data protection laws. These requirements will be set out in contracts or information sharing agreements.
We will not share your data for marketing purposes, unless you have specifically given us with permission to do so.
The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies throughout the United Kingdom to prevent and detect fraud. Stirling Council, which participates in the NFI, is required by law to protect the public funds it administers. We may share certain information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
Details of transfers to third country and safeguards
Your information will normally be stored and processed on servers based within the European Economic Area. While it may sometimes be necessary to transfer personal info overseas, any transfers will be in full compliance with data protection laws, and will be recorded in our Register of Data Processing.
We will not keep your information for any longer than it is needed, and will dispose of records (both paper and electronic) in a secure way. The length of time we need to keep information will depend on the purpose for which it is collected. The Council has a Record Retention Schedule which sets out how long we keep records and the reason why.
You now have the following rights under data protection laws.
- The right to be informed about how we collect and use your personal information, through privacy notices such as this.
- The right to request information we hold about you. This is known as a Subject Access Request and is free of charge. We must respond within one month, although this can be extended to three months if the information is complex. There is more information about how to make a Subject Access Request here.
- The right to rectification. You are entitled to have your information rectified if it is factually inaccurate or incomplete. We must respond to your request within one month. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner
- The right to erasure. You have the right to ask us to delete your information or stop using it. It will not always be possible for us to comply with your request, for example if we have a legal obligation to keep the information. If we decide to take no action, we will tell you why and let you know about your right of complaint to the UK Information Commissioner.
- The right to restrict processing. You have the right to restrict how your data is processed in certain circumstances, for example if the information is not accurate. If a restriction is applied, we can retain just enough information to ensure that the restriction is respected in future. We must tell you if we decide to lift a restriction on processing.
- The right to data portability. If we are processing your personal data with your consent, and it is held in a structured, commonly used, machine readable form, you have a right to ask us to transmit it to another data controller so they can use it. This right does not apply if we process your personal data as part of our public task.
- The right to object. You can object to your information being used for profiling, direct marketing or research purposes.
- You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
Collecting Information Automatically
Please see our cookies page for further information about the information we collect automatically when using our website. Privacy Notice 2017
Incidents and breaches involving personal data
If you are concerned about what we do with your data, or think something has gone wrong with how the Council handles personal data, please contact the Council’s Data Protection Officer to report a data protection incident.
Complaints and comments
If you wish to make a complaint or comment about how we have processed your personal information, you can do so by writing to the Council’s Data Protection Officer.
If you are still unhappy with how the council have handled your complaint, you may contact the UK Information Commissioner's Office at:
The Information Commissioner,
Cheshire SK9 5AF
Telephone: 0303 123 1113
For further information, see: The Information Commissioners Office Website
This Privacy Notice was last amended in December 2018. If this privacy notice changes in any way, we will place an updated version on this page.