Lancashire Combined County Authority Privacy Policy

The Privacy Policy for the Lancashire Combined County Authority

Overview

The Lancashire Combined County Authority (LCCA) is registered as a data controller with the Information Commissioner’s Office (registration number: C1646071). The Information Commissioner’s Office is the regulator for data protection in the UK.

This notice complies with the UK General Data Protection Regulation (GDPR) and is aligned to our Data Protection Policies.

If you have any questions about our Privacy Notice, you can fill in our online form, or contact us at:

Name: Lancashire Combined County Authority

Address: County Hall, Fishergate, Preston, Lancashire PR1 8XJ

Purpose(s)

We are committed to ensuring that personal information is processed fairly, lawfully and securely in accordance with data protection laws.

This privacy policy contains important information about how and why we collect, store, use and share any information relating to personal data. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.

Why we use your information

In order to deliver services to you in an effective way, the authority will need to collect and use personal information about you.

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details.

If you use a specific service, we will usually let you know how that service will use your personal information via a separate privacy notice.

The UK General Data Protection Regulations ensures that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:

  • Process all personal information lawfully, fairly and in a transparent manner
  • Collect personal information for a specified, explicit and legitimate purpose
  • Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected
  • Ensure the personal information is accurate and up to date
  • Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected
  • Keep your personal information securely using appropriate technical or organisational measures

Service or project specific privacy notices

Services using large amounts of personal or special categories of information will have their own dedicated privacy notice to tell people what information is being shared. These notices will map out how personal information flows through the service or project and how it is processed. 

Consent and categories of personal data

Consent

If we rely on your consent to use your personal information, you have the right to remove it at any time. If you want to remove your consent at any time, please contact us

However, if there is another legal reason for processing your personal information, as outlined under the UK GDPR, we may not require your consent, e.g. where the disclosure is necessary for the purposes of the prevention and/or detection of crime.  

Where we need to disclose special category or confidential information such as medical details to other partners, we will do so only with your prior explicit consent or where we are legally required to, e.g. we may disclose information when necessary to prevent risk of harm to an individual. 

Categories of personal data

We process: 

  • Personal information relating to identified natural persons used to deliver services such as Investment, Innovation and Trade, Adult Skills and Education, Housing and Planning, Transport or Highways, and any other services that the authority delivers
  • Special categories of information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life
  • Health and wellbeing information. All local authorities have a duty to improve the health of the population they serve. To help with this, we use information from a range of source data to understand more about the health and care needs in the area
  • Research and statistical data to provide intelligence including demographic data, population projections, the economic situation, health and wellbeing information. This personal information is often pseudonymised when an identifier such as name is replaced with a unique number

Lawful basis for processing

The lawful basis for processing this personal data must be one of the following:

  • Consent: the individual has given clear consent for the council to process their personal data for a specific purpose
  • Contract: the processing is necessary for a contract the council has with the individual
  • Legal Obligation: the processing is necessary for the council to comply with the law
  • Vital Interests: the processing is necessary to protect someone's life
  • Public Task: the processing is necessary for the council to perform a task in the public interest and has a clear basis in law
  • Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by the local authority – (the authority will not use this lawful basis for any tasks it performs as a public authority)

Information sharing and retention periods

To ensure that the council provides you with an efficient and effective service we will sometimes need to share your information with different services within the authority as well as with our partner organisations that support the delivery of the service you may receive. 

We will also need to supply your information to organisations we have contracted to provide a service to you. 

We will only ever share your information if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do. 

We will never share your information for marketing purposes. 

Before sharing information the council will ensure that: 

  • Privacy Notices are completed if appropriate
  • Technical security such as encryption and access controls are in place to keep information secure
  • Information Sharing Agreements are completed showing the rules to be adopted by the various organisations involved in the sharing exercise
  • Data Protection Impact Assessments are completed to assess any risks or potential negative effects
  • Common retention periods and deletion arrangements are set for the information
  • There are arrangements in place for handling data subject rights enquiries (including subject access requests)

Details of transfers to other countries and additional safeguards

We will always process as little personal data as is necessary to meet the purpose of the processing activity. We will inform you where your personal and sensitive data will be stored and of the additional safeguards that we have taken to ensure compliance with UK GDPR and data protection legislation which applies within the country where your personal and sensitive information is held, should this be outside of the UK.

Retention periods

We will only keep your information for as long as it is required to be retained. The retention period is either dictated by law or by our discretion. Once your information is no longer needed it will be securely and confidentially destroyed. Service and project specific retention periods can be found in our service and project specific privacy notices.

Your rights

You have certain rights under the UK General Data Protection Regulations (UK GDPR), these are the right:

  • to be informed via Privacy Notices such as this
  • to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point
  • of access to any personal information the council holds about you. To make a 'subject access request' please refer to the guidance within the Data Subject Rights Policy
  • of rectification, we must correct inaccurate or incomplete data within one month
  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information
  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future
  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked
  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes
  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention

If you wish to exercise any of these rights then you can do so by contacting us

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and which services you have been involved with. 

Data matching and Audit

We are required by law to protect the public funds we administer. We may use personal information in the prevention and detection of crime. We may share the information with other bodies that are responsible for auditing or administering public funds including the Department for Work and Pensions, other Local Authorities, HM Revenue and Customs, and the Police.

The Combined Authority uses data matching from different sources to aid processing of large volumes of information. We use this as a useful way to improve our services e.g detect fraud, and compliance with Data Protection law for example by identifying inaccurate or out of date information.

Transferring your personal data out of the UK and EEA

Most personal information we collect is stored on electronic systems in the UK and European Economic Area. For example, some personal information may be stored on computer services located in the European Economic Area (EEA).

Generally, personal information in our control will not be sent outside EEA, unless stored within cloud-based computer services. If this is done, appropriate assessments, procedures and technologies will be put in place to maintain the security of all personal information processed outside of the EEA.

We will take appropriate steps to make sure we hold records about you in a secure way, including:

  • All employees, and those acting on our behalf, who have access to your personal information or are associated with the handling of that data, are obliged to respect the confidentiality of your personal information
  • All employees, and those acting on our behalf, undergo annual mandatory information security and data protection training

Keeping your personal data secure

The Combined Authority has appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it.

We also have procedures in place to deal with any suspected and actual data security breaches. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We utilise encryption methods, verification processes and train staff on how to securely handle information and what to do if something goes wrong.

Automated decision making

‘Automated decision making’ is when decisions are made about you by a computer, without any human involvement. If any of our services carry out any automated decision making using your personal information, this will be explained in the service specific privacy notice.

‘Risk profiling’ is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.  If we use your personal information to profile you to deliver the most appropriate service, we will tell you.

If you are concerned about us using automated decision making or profiling, you can get help from the Data Protection Officer (DPO) who will be able to explain to you how we are using your information.

Access to the authority's official information

Under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 you have a right to request any recorded official information held by the authority. The information you require may already be publicly available. The council has a duty to make information available via a publication scheme. Before you submit a request please check the LCCA Publication Scheme.

Access to the authority's decision making process 

Information on the decision making process of the council can be found in the constitution.  

Our website 

This policy applies to the website operated by The Lancashire Combined County Authority.

This website and trading styles are all brands of the LCCA which remains the data controller and the responsible statutory body in relation to this website and brand.

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These cookies help us recognise you and your device and store some information about your preferences or past actions.

For further information on cookies please see our Cookie Policy.

How to complain and contact us

If you have any queries or concerns about our use of your personal data, please contact the Lancashire Combined County Authority’s Data Protection Officer

You also have the right to lodge a complaint with the Information Commissioner's Office.

The Information Commissioner’s Office is an independent body set up to uphold information rights in the UK. You can contact them through the Information Commissioners Office website, or by telephone helpline on 0303 123 1113, or in writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Changes to this privacy policy

This Privacy Notice is regularly reviewed; however, you are advised to check this page from time to time for any updates to this notice.

Do you need extra help?

If you would like this policy in another format (for example audio, large print) please contact the Information Governance Team