South Oxfordshire District Council understands the importance of ensuring that personal data, including sensitive personal data, is always treated lawfully and appropriately and that the rights of individuals are upheld.
The Data Protection Act 2018 and UK GDPR requires every data controller who is processing personal information to register with the Information Commissioner’s Office unless they are exempt. The council has two registrations:
- Data controller name: South Oxfordshire District Council Registration number: Z6629204
- Data controller name: Electoral registration officer for South Oxfordshire District Council District Council Registration number: Z6605488
To view our notification, please go to the register on the Information Commissioners Office website and enter the registration number which starts with Z.
We also are required to provide you with information about how and why we use your personal data through a Privacy Notice. This page explains in general terms what the sections of a privacy notice are about. You can view the details that relate to the specific council services you use through the links to Service Area Specific Privacy Notices on the right of this page.
Sections of a privacy notice explained
Why we process your data
Processing covers things we do with your data including storing the information as well as actively working on it to deliver services to you. The main reasons we need information about you are to:
- deliver our district council services to you
- manage those services we provide to you
- recruit, train and manage the employment of our workers who deliver those services
- help investigate any worries or complaints you have about your services
- keep track of spending on services
- check the quality of services
- help with research and planning of new services
How we collect your data
There are many ways in which we obtain your personal data and mostly this is what you provide to us directly, such as when contacting us about our services, completing forms and online applications or registering to take part in surveys.
There are some situations when we receive or obtain your personal data from others besides yourself, for example when contacting you about parking notices.
We are only able to collect your data for the specific purposes as set out in the specific service area privacy notices.
The lawful basis for processing your data
We can only process your personal data where we have a lawful reason to do so as set out in data protection legislation. There are six specific reasons referred to as the ‘Lawful Bases’ set out in Article 6 of the UK GDPR. This section of the service area privacy notice will say which of these available lawful bases we rely on.
You have rights over your personal data and those rights depend on the lawful basis we have for processing your data. You can find out more about your rights over your data and how to request for what data we hold about you in our Data Protection pages using the link on the right of this page.
Types of personal data we process
We let you know what types of personal data we use. This can include information that might not obviously relate to you because you can only be identified when other information is known. For example, an account reference on its own does not identify you until it is matched with your name and address, but it is still your personal data which requires protecting.
There are more sensitive types of personal data that are referred to as ‘special category’ personal data or ‘criminal offence’ data. Some service areas may request special category data, such as ethnic origin information, in order to ensure we can look at the impact our policies and practices have on different groups of people.
If we do use any of the sensitive types of personal data, this requires additional protection and we must let you know what additional conditions, as set out in the legislation, allow us to use this more sensitive data.
Sharing your data
We may receive from, and share your information with, a number of other organisations as part of our processing and to help us deliver services, but only do so where we have a lawful basis to do so. Where we have these arrangements there are agreements or contractual clauses in place to make sure that the organisation complies with data protection law.
We may need to share your personal information when there is a legal duty to do so, or we feel there’s a good reason that’s more important than protecting your privacy. This doesn’t happen often but can be needed in order to find and stop crime and fraud, if there are serious risks to the public, our staff or to other professionals and to safeguard the protection of a child or vulnerable adult.
The council is under a legal duty to protect the public funds it administers. To do this we may use your information for the prevention and detection of fraud and share this information with other bodies responsible for auditing or administering public funds for these purposes.
The Cabinet Office carries out data matching exercises which involve comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This data matching is subject to a Cabinet Office code of practice. The Cabinet Office may be contacted should you require further information on the legal powers and the reasons why it matches particular information. You can find their contact details on the NFI website.
Sharing your data outside the UK
We aim to restrict processing of your data to the UK. There may be some service providers, for example cloud-based software services, which store data outside of the UK. If any of the specific services areas do involve any processing outside of the UK, we are required to ensure the level of protection of your personal data is adequate. We ensure there are additional protections if your information leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.
Automated decision making
Automated individual decision-making is a decision made by automated means without any human involvement. For example, an online decision to award a loan, or a recruitment aptitude test which uses pre-programmed algorithms and criteria.
Automated individual decision-making does not have to involve profiling, although it often will do. Additional rules apply to protect individuals if we carry out solely automated decision making, and we must identify whether any of our processing needs these additional rules.
How long we keep your data
There’s often a legal reason for keeping your personal information for a set period of time, and this ranges from months for some records to decades, or even permanently, for other records. When the end of the specified retention period is reached the data and information will be deleted or securely destroyed. Details of how long we keep your personal information can be found in the specific service are privacy notices.
Where you can get further advice
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please contact the Data Protection Officer.
For independent advice about data protection, privacy and data sharing issues, or to make a complaint about how the council has handled your personal information, you can contact the Information Commissioner’s Office (ICO). Please note that they will usually expect you to have already contacted the council about your concerns first. You can contact the ICO at:
Information Commissioner’s Office
Tel: 0303 123 1113 (local rate) or visit the ICO website