This privacy notice tells you what to expect when Lambeth Council collects personal information. In the last section on this page you’ll see a list of links to council services and activities. Each one will give more information about who we may share your information with and why.
We have a Data Protection Officer who makes sure we respect your rights and follow the law. You can contact them if you have any questions or concerns about how we look after your personal information.
Sections in this guide (click title to view)
- 1. Your personal information
- 2. Other legal requirements in regards to personal information
- 3. Your rights
- 4. Sharing and protecting your information
- 5. Visitors to our websites
- 6. People who contact us via social media
- 7. Service specific privacy notices
1. Your personal information
What is personal information?
Personal information can be anything that identifies and relates to a living person.
This can include information that when put together with other information can then identify a person.
For example, this could be your name and contact details.
What information do we ask for and why?
To provide services for you, we ask for a wide range of information, some of which is personal and may be required by law or necessary to:
- access funding to deliver specific services to you
- deliver services and support to you
- manage those services we provide to you
- train and manage the employment of our workers who deliver those services
- help investigate any worries or complaints you have about your services
- keep track of spending on services
- hear your views on a range of issues
- prevent and detect fraud
- check the quality of services
- to help with research and planning of new services.
We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.
If we don’t need personal information we’ll either keep you anonymous if we already have it for something else or we won’t ask you for it.
For example, in a survey we may not need your contact details and will only collect your survey responses.
If we use your personal information for research and analysis, we’ll always keep you anonymous or use a different name unless you’ve agreed that your personal information can be used for that research.
We don’t sell your personal information to anyone else.
Certain information needs more protection due to its sensitivity and falls under the term ‘special categories’.
It’s often information you would not want widely known and is very personal to you and for which we need your explicit consent in order to collect and use it (unless required by law).
This is likely to include anything that can reveal your:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
- trade union membership
- political opinion
- genetic or biometric data
- criminal history.
How the law allows us to use your personal information
There are a number of legal reasons why we need to collect and use your personal information.
Generally, we collect and use personal information where:
- you, or your legal representative, have given consent (see section below)
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to deliver health or social care services
- you have made your information publicly available
- it is necessary for legal cases
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes.
Don’t I have to give consent for you to use my personal information?
Generally, the information we hold about you has been collected for a specific purpose.
Your consent may be needed when we want to use your personal information for a different purpose from the original one.
For example, we collect your name and address so we can send Council Tax bills, but we would need your permission if we used this information to send you something else at another time, this is called ‘opting-in’.
If you give consent for this action or any other form of opt-in consent, you have the right to ask for this consent to be withdrawn.
However, your consent is not required when we are obliged under law to assist in the prevention and detection of crime, for example through the National Fraud Initiative - see next section - or where the information is needed to carry out a legal function, such as the collection of Council Tax.
If we have consent to use your personal information, and you wish to withdraw it, contact the Data Protection Officer to let us know which service you’re using so we can deal with your request.
2. Other legal requirements in regards to personal information
The National Fraud Initiative (NFI)
We are required by law to protect the public funds we administer.
We may share information provided to us with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
We participate in the Cabinet Office's National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud.
We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer data held by one body against other computer records held by the same or another body to see how far they match.
This is usually personal information.
This data matching exercise allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.
No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
Read more about the National Fraud Initiative.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the General Data Protection Regulations 2018.
Data matching by the Cabinet Office is subject to a code of practice - download the code of practice.
More information on the Cabinet Office's privacy notice.
3. Your rights
The law gives you a number of rights to control what personal information is used by us and how it is used by us.
You have the right to be informed
This is the information given to you in this privacy notice.
You have the right to access the information we hold on you
We would normally inform you of what personal information we collect whenever we assess your needs and prior to providing you with services.
You also have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you in writing, we must give you access to everything we’ve recorded about you.
However, we can’t let you see any parts of your record which contain:
- confidential information about other people
- data a professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing
- information that we think may stop us from preventing or detecting a crime if we give it to you.
This applies to personal information that is in both paper and electronic records.
If you ask us, we’ll also let others see your record, except if one of the points above applies.
If you can’t ask for your records in writing, we’ll make sure there are other ways that you can.
If you have any queries about access to your information please email firstname.lastname@example.org or call us on 020 7926 9694.
You have the right to ask us to change information we hold about you that you think is inaccurate
You should let us know if you disagree with something written on your file.
We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
You have the right to ask for your personal information to be erased in some circumstances (right to be forgotten).
In certain instances, you can ask for your personal information to be deleted, for example where:
- your personal information is no longer needed for the reason why it was collected in the first place
- you have removed your consent for us to use your information - where there is no other legal reason us to use it
- there is no legal reason for the use of your information
- deleting the information is a legal requirement
- your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.
Please note that we can’t delete your information where:
- we’re required to have it by law
- it's used for freedom of expression
- it's used for public health purposes
- it's for, scientific or historical research, or statistical purposes where it would make information unusable
- it's necessary for legal claims.
You have the right to ask us to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:
- you have identified inaccurate information, and have told us of it
- where we have no legal reason to use that information, but you want us to restrict what we use it for rather than erase the information altogether.
When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
This only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.
It’s likely that data portability won’t apply to most of the services you receive from us.
You have the right to object to our use of your personal information for any council service
However, if this request is approved this may cause delays or prevent us delivering that service.
Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.
You have the right to question automated and profiling decisions about you, unless required for any contract you have entered into, required by law, or you’ve consented to it.
You have the right to know if your personal information is used in an automated process which could result in an unfavourable decision against you.
You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, for example your health conditions.
If and when we use your personal information to profile you, to deliver the most appropriate service to you, you will be informed.
If any of the personal information we take from you is used in the processes above we will tell you at the time it is taken.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who’ll be able to advise you about how we are using your information.
If you wish to make a complaint about our information rights practices, contact our Data Protection Officer.
We will respond to any information rights concerns we receive, clarifying how we have processed your personal information in a specific case and explaining how we will put right anything that's gone wrong.
If you are dissatisfied with our handling of your complaint, you may report your concern to the Information Commissioners Office.
4. Sharing and protecting your information
Who do we share your information with?
We use a range of organisations to either store personal information, help deliver our services to you and hear your views on a range of issues.
Where we have these arrangements, there is always an agreement in in place to make sure that the organisation complies with data protection law.
We’ll often complete a data protection impact assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law.
Sometimes we have a legal duty to provide personal information to other organisations.
This is often because we need to give that data to courts, including if:
- we take a child into care
- the court orders that we provide the information
- someone is taken into care under mental health law.
We may also share your personal information when we feel there’s a good reason that’s more important than protecting your privacy.
This doesn’t happen often, but we may share your information:
- to find and stop crime and fraud
- if there are serious risks to the public, our staff or to other professionals
- to protect a child
- to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.
For all of these reasons the risk must be serious before we can override your right to privacy.
If we’re worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we’ll discuss this with you and, if possible, get your permission to tell others about your situation before doing so.
We may still share your information if we believe the risk to others is serious enough to do so.
There may also be rare occasions when the risk to others is so great that we need to share information straight away.
If this is the case, we’ll make sure that we record what information we share and our reasons for doing so.
We’ll let you know what we’ve done and why if we think it is safe to do so.
How do we protect your information?
We’ll do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we’ll only make them available to those who have a right to see them.
Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- using a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
- controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
- regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches)
Where in the world is your information?
The majority of personal information is stored on systems in the UK.
But there are some occasions where your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside of the EU.
We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.
We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU governments.
If we need to send your information to an ‘unsafe’ location we’ll always seek advice from the Information Commissioner first.
How long do we keep your personal information?
There’s often a legal reason for keeping your personal information for a set period of time.
For each service, the schedule lists how long your information may be kept for. This ranges from months for some records to decades for more sensitive records, or as required by applicable law.
Where can I get advice?
If you have any worries or questions about how your personal information is handled contact our Data Protection Officer.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner's Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
5. Visitors to our websites
When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns.
We do this to find out things such as the number of visitors to the various parts of the site.
This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.
If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.
Our website search and decision notice search is powered by Google.
Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either us or any third party.
We use a third party provider, GovDelivery, to deliver our monthly newsletters.
GovDelivery is provided by Granicus UK. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.
We use a third party service, WordPress.com, to publish Love Lambeth blog and some of our microsites.
These sites are hosted at WordPress.com, which is run by Automattic Inc.
We use a standard WordPress service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it.
WordPress requires visitors that want to post a comment to enter a name and email address.
For more information about how WordPress processes data, please see Automattic's privacy notice.
6. People who contact us via social media
We use a third party provider, Hootsuite to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for three months.
It will not be shared with any other organisations.