Data protection

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details.

We will collect information about you when you request or receive a service, we also collect information from people who contact us requesting information about Middlesbrough, the Council, or themselves.

This information can include your name, address, email address, telephone number and other contact information that allow us to meet our organisational and statutory obligations to you.

We can collect your data in multiple ways, including:

• verbally
• paper
• telephone
• email
• online forms
• website cookies
• CCTV
• other forms of image and voice recordings

This data can be collected directly from you or may be gathered from other sources, we may also need to ask other agencies or organisations for relevant data about you in order to fulfil our legal responsibilities or provide services.

Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

• sexuality or sexual health
• religious or philosophical beliefs
• ethnicity
• physical or mental health
• Trade Union membership
• political opinion
• genetic/biometric data
• criminal history

There are a number of legal reasons why we need to collect and use your personal information.

The privacy notice from each service explains which legal reasons are being used.

• you, or your legal representative, have given consent
• you have entered into a contract with us
• it is necessary to perform our statutory duties
• it is necessary to protect someone in an emergency
• it is required by law
• it is necessary for employment purposes
• it is necessary to deliver health or social care services
• you have made your information publicly available
• it is necessary for legal cases
• it is to the benefit of society as a whole
• it is necessary to protect public health
• it is necessary for archiving, research, or statistical purposes
• it is in our legitimate interests

If we have relied on consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact our Data Protection Officer and tell us which service you’re using so we can deal with your request.

Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you.

If we have relied on legitimate interests to use your personal information, we will only do this where we do not have an existing legal duty or power covering the specific service that we are providing. Before using legitimate interest, we will first carry out an assessment to check that it is necessary and there is an appropriate balance between our interests and your rights.

When we collect personal data from you we will use it to provide you with services you have requested or require. We will not collect data from you that we do not need.

We will use the information you provide in order to:

• deliver our services – see our Statement of Public Task for further details - https://middlesbrough-council-middlesbrough.opendata.arcgis.com/documents/middlesbrough-council-statement-of-public-task-2021-2024/explore
• maintain and update your customer records or contact details
• contact you where necessary
• obtain your opinion and feedback about the services we provide
• ensure that we fulfil our legal obligations

It may not always be possible to provide you with a services if you do not provide us with the information required to do so.

Where necessary we may share your information with other organisations and partners that provide services on our behalf. When this happens, the information provided is only the minimum necessary for them to provide that service to you. These organisations are required to keep your information safe and only use to provide a service to you.

Under the UK General Data Protection Regulations (GDPR) we have a legal duty to protect any information that we hold about you.

We take measures to safeguard your data and implement security standards and controls to prevent any unauthorised access to it.

Information which you have provided the council will be stored securely. It will only be used for the purpose(s) stated when the information was collected.

Some of the other measures that we use to ensure that your personal data is secure include data protection and security policies, information security incident reporting, data and device encryption, system and data access controls, user accounts and passwords, physical and environmental security, staff vetting practices, staff training and awareness, data back-ups, ICT network penetration testing, and business continuity and disaster recovery plans.

The amount of time data is kept before being disposed of will vary depending on why it was collected, how it is used, and in line with any applicable UK laws. Our retention and disposal schedule gives details about how long we keep data. This information will also be available from individual services own Privacy Notices.

The Council will only process your information overseas where the country it is transferred to has adequate data protection measures in place or where the suppliers are bound by model contract security clauses or where the supplier has signed up to an approved certification scheme or where requested by an external organisation under a legal requirement or at your request.

We will only send you information about our services and/or products if you have agreed for us to do so or we are sending you information in relation to similar services you have received in the past. You can opt out of this at any time by letting us know by unsubscribing or replying with your request.

Your Information Rights are set out in law and, subject to some exceptions, you have the:

• Right to rectification - to ask for information to be corrected
• Right to erasure - to have your personal data deleted
• Right to object - to how your data is used
• Right to restriction - to request limits on how your data is used
• Right to portability - to request that we move your data to another organisation
• Right of access - to request a copy of the personal information that the Council holds about you (subject access request).

For further details on your rights and how you can exercise these, please visit our information rights page.

Middlesbrough Council is required by law to have and implement a records retention and disposal schedule. You can view the full schedule below.

• Records retention and disposal schedule 2022

The Data Protection Act 2018 provides a number of exemptions where the council can disclose personal information for specific purposes such as crime and taxation. For further details, please visit the request for disclosure of personal data page.

If you have any concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner's Office. Visit the website of the Information Commissioner's Office.