Privacy notice for Information Governance

DCC is a Data Controller under Data Protection Legislation and our ICO registration number is Z6475582. This privacy notice concerns the processing of personal data that is necessary for the completion of the following workstreams.

  • Data Protection Impact Assessments (DPIAs)
  • Data protection related customer feedback and complaints
  • Data subject rights requests
  • Information Governance Audits
  • Information risk assessments
  • Notification and investigation of cyber security, data protection and information security breaches
  • Security Questionnaires
  • Staff surveys
  • Provision and administration of staff training

This notice explains what information we collect, why we collect it and how we keep it secure. It also explains your rights and our legal obligation. Should you wish to find out more about Devon County Council’s data protection policies, please contact our Data Protection Officer.

We will notify you of any changes to this privacy notice

This privacy notice was last updated 20 July 2021. If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current data protection legislation. For any queries relating to this privacy notice, please contact the Data Protection Officer.

How will we use your personal data

We may need to collect personal data so we can:

  • Carry out an information governance audit.
  • Carry out a Data Protection Impact Assessment (as required under article 35 of the General Data Protection Regulation).
  • Carry out a risk assessment to determine information security or cyber security risks relating to an application, system, or new process.
  • Carry out a cyber security, data protection or information security incident investigation.
  • Carry out an assessment of the information security arrangements that a contractor or prospective contractor has in place.
  • Carry out surveys to assess the knowledge and skills of staff, contractors or those handling Devon County Council data.
  • Respond to customer or staff feedback regarding data protection issues, including complaints about how personal data has been handled. Any personal data that is processed for this purpose will be used in accordance with the Customer Feedback Privacy Notice.
  • Respond to requests from data subjects, to exercise their rights under Chapter III of the General Data Protection Regulation.
  • Offer training materials to staff and relevant partners in relation to data protection, information security and cyber security.

Information that we collect from you will be obtained via face-to-face interactions, phone calls, emails, web forms hosted on the council’s secure infrastructure (Microsoft Forms), secure web forms (SmartSurvey) or the council’s MetaCompliance platform. For these purposes, the council only uses IT systems that are supplied under a contract and whose security has been assessed. For more details about the security arrangements that are provided by Microsoft and SmartSurvey, please view the links below.

What information do we collect

We may collect and store records about you which may include:

  • your name
  • your manager’s name
  • the service or company you work for
  • telephone number(s)
  • email address(es)
  • postal address
  • information you supply which relates to any of the services listed previously
  • information about you that it may be necessary for us to collate to deliver the services listed above

Why we collect and use your personal data

We aim to provide the highest quality of advice and guidance relating to information governance and data protection matters. To do this, it is sometimes necessary to collect a small amount of personal data, so that we can discharge our data protection and information security obligations effectively. We will only collect personal data where it is necessary.

Personal data that is collected for any of the purposes outlined in this notice is never used for direct marketing purposes and is not sold on to any other third parties. Information that is collected for any of the purposes listed on this privacy notice will be held for six years from the date that the intended purpose is fulfilled.

The legal basis for us collecting your personal data

We rely upon the following lawful conditions for processing your personal data.

Purpose: Data Protection Impact Assessments (DPIA)
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data that is supplied to complete a DPIA. As part of this process, we do not intend to process special category / sensitive personal data.

Purpose: Data protection related customer feedback and complaints
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data when responding to data protection related customer feedback and complaints.

If it is necessary to process special category data or sensitive personal data, we rely upon the following articles of the UK GDPR in the following circumstances:

  • Article 9(2)(b) – complaints from members of staff
  • Article 9(2)(f) – complaints that are likely to give rise to a legal claim against the council.
  • Article 9(2)(h) – where complaints relate to delivery of social work functions.

Purpose: Data subject rights requests
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data when responding to a data subject rights request.

If it is necessary to process special category data or sensitive personal data, we rely upon the following articles of the UK GDPR in the following circumstances:

  • Article 9(2)(b) – requests from members of staff
  • Article 9(2)(f) – requests that are likely to give rise to a legal claim against the council.
  • Article 9(2)(h) – where requests relate to delivery of social work functions.

Purpose: Information Governance Audits
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data that is supplied to complete an information governance audit. As part of this process, we do not intend to process special category / sensitive personal data.

Purpose: Information risk assessments
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data that is supplied to complete an information risk assessment. As part of this process, we do not intend to process special category / sensitive personal data.

Purpose: Notification of data protection and information security breaches – members of the public
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data you supply when notifying us of a data protection or information security breach.

If it is necessary to process special category data or sensitive personal data, we rely upon the following articles of the UK GDPR in the following circumstances:

  • Article 9(2)(f) – notifications that are likely to give rise to a legal claim against the council.

Purpose: Notification of data protection and information security breaches – staff members
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data you supply when notifying us of a data protection or information security breach.

If it is necessary to process special category data or sensitive personal data, we rely upon the following articles of the UK GDPR in the following circumstances:

  • Article 9(2)(b) – requests from members of staff
  • Article 9(2)(f) – requests that are likely to give rise to a legal claim against the council.
  • Article 9(2)(h) – where requests relate to delivery of social work functions.

Purpose: Security Questionnaires
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data that is supplied to complete a security questionnaire. As part of this process, we do not intend to process special category / sensitive personal data.

Purpose: Staff surveys
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data that is supplied to complete a staff survey. As part of this process, we do not intend to process special category / sensitive personal data.

Purpose: Staff training
Lawful grounds for processing: We rely upon article 6(1)(e) of the UK GDPR to process personal data for the purposes of providing and administering staff training. As part of this process, we do not intend to process special category / sensitive personal data.

Please note that we will only process the minimum amount of personal data that is necessary for the intended purpose.

Recipients or categories of recipients that we may share your personal data with

When processing your personal data, it may be necessary for us to share personal data with third-party organisations such as:

  • The Information Commissioner’s Office when responding to complaints about the way that we have processed someone’s personal data
  • Our suppliers and data processors, if the supply of your personal data is necessary for us to conclude an investigation or is necessary for us to respond to a data protection complaint.
  • If you are reporting an information security incident, we may share limited personal data with the Data Privacy Advisory Service (DPAS) who are commissioned by the Council to provide support with investigating security incidents.

Please note that we will only share information that is relevant and necessary for the intended purpose.

If we feel that it is necessary to share your personal data with professionals to ensure you or someone you work with is safeguarded from harm, we rely upon the provisions of the Safeguarding Vulnerable Groups Act 2006 and Children Act 1989 & 2004. Where it is necessary to share medical or social care information for these purposes, we rely upon article 9(2)(h) of the General Data Protection Regulation (information necessary for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems).

We may also share information to enable us to comply with court orders and other legal obligations. If this is necessary, we will only share the minimum amount of personal data needed for this purpose.

We may also need to share some personal data about you, so that we can support third party organisations to discharge their regulatory requirements. This includes organisations such as:

  • The data protection regulator (the Information Commissioner’s Office)
  • The Care Quality Commission

How long will we hold your personal data?

Devon County Council will retain your personal data for the purposes outlined in this privacy notice for no longer than is necessary and in accordance with our corporate retention schedule.

Your data protection rights

Under Data Protection Legislation, you have the right to obtain a copy of your personal records held by us; this is called a Subject Access Request (SAR).

International transfers

We do not transport or share personal data outside of the European Union.

Complaints

If you have any comments, queries or complaints about this privacy notice or the processing of your personal data please contact our Data Protection Officer.

Your right to complain

In the event that you wish to complain about the way that your personal data has been handled by Devon County Council, you should write to the Data Protection Officer and clearly outline your case. Your complaint will then be investigated in accordance with the Council’s customer feedback procedure. If you remain dissatisfied with the way your personal data has been handled, you may refer the matter to the Information Commissioner’s Office whose contact details are below:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email: casework@ico.org.uk