1 How we look after your personal data
West Sussex County Council: the data controller
West Sussex County Council (WSCC) respects your privacy and is committed to protecting your personal data. We comply with the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679) (GDPR).
The County Council is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO - Reg. No. Z6413427), the UK supervisory authority for data protection issues. We ensure that your personal data is processed fairly and kept securely for no longer than is necessary.
You have the right to know how we use your personal data. To comply with that right, we use privacy notices at the time the data are obtained or within a reasonable period of time after the data are obtained. These notices explain how personal information is going to be used, what it is used for, who it might be shared with and why, and for how long it is kept.
It is important that the personal data we hold about you is accurate and up to date, so please tell us if your personal details change during your relationship with us. If you are under 18, get your parent or guardian's permission before you provide personal information to our website.View our privacy notices
2 What information we collect and how we use it
In order to register and receive or use many of the services, including those on our website, you need to give us some personal information. We will hold this information for as long as it is needed for the service you have requested and remove it when that purpose has been met.
We may also receive your personal data from outside agencies or third parties where there is a sound legal basis and purpose for us to receive it.
In the case of an online information service, such as email alerts, we will remove your details if you inform us that you no longer wish to continue to receive the service.
The type of information we collect depends on the service involved, but may include any of the following:
- identity - name, date of birth, gender, passport, national insurance number, family details
- contact - address, email address, phone numbers
- technical - IP address
- social data - lifestyle, housing needs
- education - student and pupil records
- commercial services data - services used
- financial - bank account, payment card, transaction data, salary, benefits
- staff records - pensions, appraisals, nationality
- visual images, personal appearance and behaviour
- business activities - employment, licences and permits held
- case file information.
Under certain circumstances we may need to collect and process special categories of personal data including:
- medical - physical or mental health details
- racial or ethnic origin
- trade union membership
- political affiliation
- political opinions
- offences - including alleged offences
- religious or other beliefs of a similar nature
- genetic data or bio-metric data
- sexual orientation
In certain circumstances we may need to process criminal offence data. When we do so, we make sure the relevant conditions in the Data Protection Act 2018 are met.
How we use the information you provide
We use your data to:
- deliver and manage the services and support we provide to you
- respond to enquiries or complaints
- train and manage employees or volunteers who deliver those services
- control spending on services
- monitor the quality of our services
- research and plan new services.
We may use equality data, such as age, disability, gender, race, sex, religion or belief to compile statistics in order to comply with equality legislation and assist in planning services.
Such data does not identify individuals or affect anyone’s entitlement to services.
3 Personal and special category data
We will only use your personal data when the law allows us to. The bases are set out in Article 6 GDPR and in most cases the basis for processing is to enable the performance of a public task.
We will use your personal data in the following circumstances:
- Public task: to perform a task in the public interest or for an official function.
- Legal obligation: to comply with the law (not including contractual obligations).
- Contract: for a contract with you, or because you have asked us to take specific steps before entering into a contract.
- Vital interests: to protect someone’s life.
- Legitimate interests: to protect the interests of the County Council or someone else unless there is a good reason to protect your data which overrides those other interests.
- Consent: you have specifically agreed to our use of your data and we have no other legal basis for processing it.
Special category data (sensitive data)
We will only use your special category personal data when the law allows us to. The bases are set out in Article 9 GDPR. In most cases the reason for using this type of data will be to provide social care services, the relevant section being Article 9 (b).
We will use your special category data in the following circumstances, where processing:
- is with your explicit consent
- is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- relates to personal data which are manifestly made public by the data subject
- is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- is necessary for reasons of substantial public interest
- is necessary for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care, or treatment or the management of health or social care systems and services
- is necessary for reasons of public interest in the area of public health
- is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
- is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim. This is on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes. Also that the personal data are not disclosed outside that body without the consent of the data subjects.
How long we will keep your personal data
We will only hold your personal information for as long as necessary. We use our retention schedules to work out how long we need to keep your information for.
Retention periods are set taking into account statutory requirements and service/business needs. You will be informed in the service-specific privacy notice how long your data will be kept.
5 Automated decisions and profiling
Automated decisions take place when an electronic system uses personal information to make a decision without human intervention. These types of decisions are used to improve services and can affect the services we may offer you now or in the future.
We may use automated decisions:
- where we have notified you of the decision and given you 21 days to request a reconsideration
- where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights
- in limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.
We will only make an automated decision based on your sensitive personal information if we have your explicit written consent, unless:
- it can be justified as being in the public interest
- we have in place appropriate measures to safeguard your rights.
To assist us in planning and targeting services we look at the needs of our customers as a whole, and by understanding as much about them as possible in terms of their demographics, such as age, gender, disabilities and lifestyle.
We do not use this information to make decisions about access to services in any individual case.
6 Customer service centre
Our customer service centre provides a hub for incoming telephone contact.
All calls are recorded for training and monitoring purposes and to help us deal with customer feedback. Recordings are stored securely for up to 12 months, then permanently deleted.
The information we ask you for when you call us will depend on the reason for your call, and the range of information we may need to collect from you is set out in our personal and special category data page.
Your data is passed on to the relevant service. You should also read the privacy notice relating to the service that you are calling us about.
Many of our customer service centre advisors are employees of our trusted partner Capita, which operates the centre on our behalf.
Only authorised members of staff have access to the call recordings. These may also be shared with a limited number of authorised members of County Council staff as part of our quality monitoring processes and complaints handling procedures.
7 Consultation engagement and research
To help us to understand the needs of our customers we will, from time to time, carry out market and social research surveys and qualitative research. These include focus groups and in-depth interviews with customers, their families and/or the adults who are responsible for them.
Carrying out market research helps us make better decisions about what services to deliver and where they are needed, by understanding the needs of our customers.
You will be informed in the service-specific privacy notice if this applies to your personal information.
We may contact you to ask whether you are willing to participate in a market research survey and/or qualitative research. Your decision about whether or not to participate will not affect the services that you receive from WSCC.
We may ask a market research agency and/or independent qualitative researcher to undertake the research on our behalf. Any third party we use will be acting on our behalf as our data processor and will adhere to the data protection regulations. Your details will not be used for direct marketing purposes.
We value engagement with you and when you contribute your views, we ask your permission to use your contact data to reach out to you with further information which may be of interest.
If you agree, your name and contact data will be kept in a directory within the communications and engagement team. You be able to unsubscribe from the directory at any time.
We are sometimes contacted by university students wanting to carry out research amongst our customers and/or staff as part of their coursework, dissertation or thesis.
All such applications are subject to our quality assurance and research governance approval process. This includes approval from the relevant ethics committees, such as the Health Research Authority, where appropriate.
8 Data security
We have put in place security measures to prevent your personal data from being lost, used or accessed in an unauthorised way, altered or disclosed inappropriately.
We also limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know in order for our service to be provided. They will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have procedures to deal with any suspected breach of the rules about personal data and will notify you and the regulator of a breach where we are required to do so.
The County Council uses CCTV for the detection and prevention of crime.
We reserve the right to monitor and record electronic communications (website, email and phone conversations) for the purposes of keeping records, staff training, detection, investigation and prevention of crime.
- Phone conversations - we will inform you if your call is being recorded or monitored.
- Email - emails that we send to you or you send to us may be kept as a record of contact and your email address stored for future use in accordance with our record retention policy. If we need to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures. If sending us such information, we recommend using our secure online forms where we provide them, Windows 365 or the postal service.
9 National Fraud Initiative
The National Fraud Initiative (NFI) is an exercise that takes place every two years to match electronic data within and between public sector bodies to prevent and detect fraud. It does not require the consent of the individuals concerned.
We have a legal obligation to take part in the exercise, which also includes police authorities, local probation boards, fire and rescue authorities and other local councils.
Payroll, pensions, trade creditors, personal budgets, care home residents and transport passes and permits are provided electronically to the Cabinet Office as part of the exercise, using a password-protected website. Strong security measures are in place to protect the information, and access to the data extract file is strictly controlled.
The data extract will not be sent by post or courier. Once the data extract file has been successfully submitted it will be removed from our computer network.
10 Your rights
- To request access to your personal data.
- To request correction of our records.
- To request removal of data or limit our use of it - this right is not absolute and we may not be able to comply with your request. You have a right to have personal data erased and prevent types of data processing in the following specific circumstances.
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When you withdraw consent we have relied upon.
- When you object to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed.
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
- To object to processing - in some cases, we may need to explain that we have good grounds to continue to process your information.
- To data portability - this right allows individuals to obtain and reuse their personal data for their own purposes for different services. This only applies to personal data provided by you, with your consent or for the performance of a contract, and when processing is automated.
- Not to be subject to automated decision-making, including profiling - this right only applies where the decision is based on automated processing and we do not undertake any automated decision-making, including profiling.
- To withdraw consent (when this is the only basis for our use of your data).
To find out more about your legal rights, or to request a change or deletion to your personal information, see Your rights.
To obtain access to the records we hold about you see Accessing your personal data.
We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information, such as the number of complaints we receive, but not in a form that identifies anyone.
No third parties have access to your personal information unless the law allows them to do so. However, if you have made a complaint to us about someone else or another organisation, we usually have to disclose your identity to them to enable the complaint to be dealt with appropriately and in context. This also means we may receive information about you from them.
If you don’t want information that identifies you to be shared with the organisation you want to complain about, we’ll try to respect that. However, it is not always possible to handle a complaint on an anonymous basis so we’ll contact you to discuss this.
If you are acting on behalf of someone making a complaint, we’ll ask for information to satisfy us of your identity and, if relevant, ask for information to show you have authority to act on someone else’s behalf.
12 Contact for data protection issues and complaints
We have appointed a data protection officer (DPO) who is responsible for overseeing issues in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, contact the DPO:
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO). We would, however, appreciate the chance to deal with your concerns before you approach the ICO. If you have a complaint about why your information has been collected, how it has been used or how long we keep it for, please contact the DPO.