Clackmannanshire Council Online

Data Protection Statement

Data Protection Statement

Our handling of personal information

Who are we?

We are Clackmannanshire Council and are a Scottish local authority constituted under the Local Government etc. (Scotland) Act 1994. Our main offices are at Kilncraigs, Greenside Street, Alloa FK10 1EB. We are a data controller processing personal information. We are registered with the Information Commissioner and our registration number is Z5777954.

Why do we have a data protection policy?

We want users of our services to feel confident about the privacy and security of their personal information. We are aware that the proper handling of this information is vital.

Our Data Protection Policy is therefore published on our website.

How Our Data Protection Policy applies

What is 'personal information'?

When we talk about 'personal information', we are referring to 'personal data' which is any information that identifies someone as a living, private individual or could do so if combined with any other information.

What information do we hold about people?

In order to provide services, we have and use a large amount of personal data about people. This information could be about current, past and prospective employees, suppliers, clients and service users/customers.

We may hold information such as someone's name, address and date of birth, but we could have sensitive information such as information about his/her health, racial or ethnic origin, or any criminal offences that he/she may have committed. The type of information that we have will depend upon the reason why we need the information i.e. to provide a service to someone.

How do we get personal information?

In most cases, the information that we have will come from the person concerned, for instance when applying for a service from us. However, the information could come from the person's legal representative, partner, relatives and other agencies such as the police, other Councils, the NHS or the HMRC. We will ensure that the individual concerned will be aware that we have received and are using their personal information unless there is a good reason not to do so as set down in data protection laws.

Why do we need someone's information?

We will only use personal information where we need to do so in connection with the provision of services or other Council business for instance where necessary to do so in connection with  

• a statutory function or
• where we are under an obligation to use the personal information in terms of law or
• where we need to do so in order to perform a contract between you and the Council or
• where we need to do so to protect someone's vital interests or
• if someone else has a legitimate interest in relation to obtaining the personal information. However, we will only do this where we are satisfied that your own rights and freedoms do not take precedence over the interests of the other person/organisation.

There may be cases where what we are offering are additional services intended to make a process easier for people but is not necessary for our functions, we will ask you for your consent to use your information in this way.  In those cases, you will be entitled to withdraw your consent at any time.

Who could we give your personal information to?

From time to time, we will share someone's personal information with other bodies. There may be times when we will share someone's information without consent, for example, with the police, the NHS or other agencies. We will only share your personal information in compliance with data protection laws.

The National Fraud Initiative (NFI) is an exercise that matches electronic data within and between public and private sector bodies throughout the United Kingdom to prevent and detect fraud. Clackmannanshire Council, which participates in the NFI, is required by law to protect the public funds it administers. We may share certain information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.  There is more information about the NFI on the Council's website

How do we handle someone's personal information?

When we refer to 'using' personal information this has the same meaning as 'processing' in terms of data protection laws. This is where we collect, record, organise, structure, store, adapt or alter, retrieve, consult, use, disclose, disseminate or otherwise make available, restrict, erase or destroy any of your personal information.

Before we start to use your personal information that you have provided to us, generally, we will let you know that we are doing so and provide other information to you that will make things clear to you. If we receive your personal information from someone else, generally, we will let you know that we have received your information, what we are doing with it and the other information within one month of receiving your information. After then, we will let you know of any new uses of your personal information as soon as we can.

We will not inform you about the uses of your personal information and other relevant information if there is a good reason not to do so such as when to do so could result in harm to someone else.

How long will we keep your information?

We are aware that we must not keep personal information longer than is necessary for our purposes. Sometimes, law sets down these time limits. In that case, we must comply with those specified time limits.

We maintain Retention Schedules that set out the periods of time that we apply to keeping particular information. If you wish to get more information about the specific time limit for particular information, you can

• ask to see the relevant retention schedule or
• exercise your right to be told about our use of your personal information (the right of access).

What are your rights in relation to our use of your personal information?

In terms of data protection laws, you may have some or all of these following rights. The rights in italics only apply in certain circumstances or are restricted and so may not be fully available to you.

You have the right to ask us to:

• confirm that we are using personal information about you, detail what that information is, to whom we have disclosed your information and a copy of the information that we have about you (The right of access)
• correct any incorrect or misleading personal information that we have about you (The right to rectification)
• stop using any or all of your personal information (The right to object)
• to delete or destroy your personal information (The right to erasure including the right to be forgotten) and 
• stop using your personal information until we can look into correcting your personal information or our justification for using your personal information or to stop us deleting your personal data where you need it in connection with any legal claims (the right of restriction) and
• pass your personal information to someone else (the right to data portability (this only applies where we are using your information in relation to a contract or with your consent).

When exercising any of the rights, you should try to be as specific as possible about the personal information concerned.  

To submit a Subject Access Request please follow the link. Please note that for Subject Access Requests, you will require to provide a proof of identification. Failure to provide this information on application, may delay providing you with the information requested.

Our Governance arrangements

Our data protection promise

We know that if we do not comply with data protection laws, including protecting the information, we will lose the trust and confidence of the public and our partners.

Data protection laws set down rules that we must follow when collecting and using personal information. These rules are called the data protection principles.

To comply with these principles, we must take steps to ensure that all personal information is:

• lawfully, fairly and transparently;
• held and used for specified purposes;
• adequate, relevant and  limited to what is necessary for our purposes
• accurate and up to date;
• not kept any longer than necessary; and
• kept secure.

Who is responsible and for what?

The Council as a whole has a responsibility for compliance with data protection laws. However, it places specific responsibilities on:

• the Chief Executive and Chief Officers, who will implement and enforce this policy across the Council and will ensure that employees receive the appropriate training
• they will also ensure that appropriate guidance and advice is provided on operational matters such as: the security of personal information; how we store information; who should have access to information and how we transfer information to other bodies or agencies
• line managers, who will make sure that employees are aware of and comply with their responsibilities
• individual employees, who must comply with their responsibilities.

Who is our Data Protection Officer and what are their responsibilities?

We have a Data Protection Officer (DPO) to

• help and advise us on meeting our data protection obligations
• check our compliance with data protection laws and our policies, including carrying out audits and ensuring that we have assigned responsibilities and provided training to our employees in accordance with the law and this policy
• provide advice to us to help us carry out any assessments that we may make in connection with data protection compliance.

We will give the DPO independence to carry out these tasks and ensure that the DPO is able to carry out these tasks freely and impartially.

If you have any concerns or enquiries about the way that we use your personal information or wish to exercise any of your rights (see above) you can contact the DPO direct. The DPO's details are as follows

The Data Protection Officer
Clackmannanshire Council
Resources and Governance
Legal and Democratic Services
Kilncraigs
Alloa
FK10 1EB

By email to: dpo@clacks.gov.uk

How do we ensure that what we are compliant with data protection laws?

In relation to the holding and use of personal information, we are aware that our responsibilities apply all of the time that we hold and use the personal information. We appreciate that we must have checks in place to make sure that we treat all personal information correctly.

We will keep in mind that your rights and freedoms go further than respect for your privacy. The appropriateness of all decisions or actions taken by us will be dependent upon the reliability (adequacy, accuracy, and relevancy) and accessibility of your personal information.

Before we start to use your personal information for

• a new purpose or
• make changes to the existing way that we already handle information or
• change the means that we use to process personal information

involving a high risk to your rights and freedoms as an individual, we will carry out a privacy impact assessment (where necessary) at the earliest possible stage in the planning process.

Further, we will carry out regular reviews of the ways that we collect and use personal information to make sure that we are still complying with data protection laws. We will do this by carrying out an assessment at regular periods determined by the sensitivity of the personal information involved.

When carrying out these assessments or dealing with any data protection matters, we will ensure that we involve the DPO, fully, at the earliest opportunity.

We will ensure that any contractors, who are providing services on our behalf, treat any personal information in the same way that we do.

How do people find out about changes to our data protection policy?

We may change our data protection policy from time to time. We will publish any new or amended policy on our website.

What if I want to complain about how the Council is handling my data?

In the first instance contact the Council's DPO, details above.  If you are still not satisfied, you can contact the Information Commissioner at

www.ico.gov.uk.