Privacy notice for Information Governance

DCC is a Data Controller under Data Protection Legislation and our ICO registration number is Z6475582. This privacy notice concerns the processing of personal data that takes place in the following circumstances:

  • Data Protection Impact Assessments
  • Data protection related customer feedback and complaints
  • Information Governance Audits
  • Security Incident Notifications
  • Information risk assessments
  • Security Questionnaires
  • Staff surveys.

This notice explains what information we collect, why we collect it and how we keep it secure.  It also explains your rights and our legal obligation. Should you wish to find out more about Devon County Council’s data protection policies please contact our Data Protection Officer.

We will notify you of any changes to this privacy notice

This privacy notice was last updated 18 April 2019. If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current data protection legislation. Any queries relating to this privacy notice please contact the Data Protection Officer.

How will we use your personal data

We may need to collect personal data so we can:

  • Carry out an information governance audit.
  • Carry out a Data Protection Impact Assessment (as required under article 35 of the General Data Protection Regulation).
  • Carry out a risk assessment to determine information security or cyber security risks relating to an application, system or new process.
  • Carry out a security incident investigation.
  • Carry out an assessment of the information security arrangements that a contractor or prospective contractor has in place.
  • Carry out a surveys to assess the knowledge and skills of staff, contractors or those handling Devon County Council data.
  • Respond to customer or staff feedback regarding data protection issues, including complaints about how personal data has been handled.  Any personal data that is processed for this purpose will be used in accordance with the Customer Feedback Privacy Notice.
  • Respond to requests from data subjects, to exercise their rights under Chapter III of the General Data Protection Regulation.

Information that we collect from you will be obtained via face-to-face interactions, emails, web forms hosted on the council’s secure infrastructure (Microsoft forms) and via secure web forms (smart surveys).  The council only uses IT systems for these purposes which are supplied under a contract and where the security has been assessed. For more details about the security arrangements that are provided by Microsoft and Smart Surveys, please view links below:

What information do we collect

We may collect and store records about you which may include:

  • your name
  • your manager’s name
  • the service or company you work for
  • telephone number(s)
  • email address(s)
  • postal address
  • information you supply which relates to any of the services listed previously.

Why we collect and use your personal data

We aim to provide the highest quality of advice and guidance relating to information governance and data protection matters. To do this, it is sometimes necessary to collect a small amount of personal data, so that we can discharge our data protection and information security obligations effectively. We will only collect personal data where it is necessary.

Personal data that is collected for any of the purposes outlined in this notice is never used for direct marketing purposes and is not sold on to any other third parties. Information that is collected for any of the purposes listed on this privacy notice will be held for six years from the date that the intended purpose is fulfilled.

The legal basis for us collecting your personal data

Where we are collecting personal data about you for the provision of one of the services outlined in this privacy notice, we rely upon article 6(1)(c) and article 6(1)(e) of the General Data Protection Regulation as the lawful basis for processing this personal data.

If we feel that it is necessary to share your personal data with professionals to ensure you or someone you work with is safeguarded from harm, we rely upon the provisions of the Safeguarding Vulnerable Groups Act 2006 and Children Act 1989 & 2004.  Where it is necessary to share medical information for these purposes, we rely upon article 9(2)(h) of the General Data Protection Regulation (information necessary for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems).

We may also need to share some personal data about you, so that we can support third party organisations to discharge their regulatory requirements. This includes organisations such as:

  • the data protection regulator (the Information Commissioner’s Office.
  • the Care Quality Commission.

We may also share information to enable us to comply with court orders and other legal obligations. If this is necessary, we will only share the minimum amount of personal data needed for this purpose.

Your data protection rights

Under Data Protection Legislation, you have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR).

International transfers

We do not transport or share personal data outside of the European Union.

Complaints

If you have any comments, queries or complaints about this privacy notice or the processing of your personal data please contact our Data Protection Officer.

Your right to complain

In the event that you wish to complain about the way that your personal data has been handled by Devon County Council, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with the Council’s customer feedback procedure. If you remain dissatisfied with the way your personal data has been handled, you may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: casework@ico.org.uk