Overarching Privacy Notice
Somerset County Council (SCC) provides a wide range of services to the people of Somerset. In order to provide those services, we process large amounts of your personal data. Personal information is any information which identifies and relates to a living person.
We are registered as a data controller for the data we collect, process, and hold, and our Data Protection Notification (registration number Z5957592) includes generic information about the types of personal data we process, what we use it for, and who we share it with.
Contact details
Somerset County Council
County Hall
Taunton
TA1 4DY
Telephone: 0300 123 2224
Email: generalenquiries@somerset.gov.uk
Data protection officer (DPO)
Lucy Wilkins
Contact the DPO by email on informationgovernance@somerset.gov.uk
This notice is overarching and provides general information about how the Council processes data. Please refer to service privacy notices for specific information about how the services you are engaged with collect, use and hold your data.
Purpose for processing
We collect, use and hold personal information so that we are able to effectively deliver our services.
We will use your information to support us with one or more of the following:
- delivering services and support to you or your family;
- managing services we provide to you or your family;
- training and managing the employment of our workers who deliver our services;
- investigating any worries or complaints you have about our services;
- keeping track of spending on services;
- checking the quality of services; and
- researching and planning new services.
Categories of personal data
We collect information in a variety of ways including paper forms, web forms, in a face-to-face meeting with you, by telephone, email or letter, through the use of CCTV or sometimes from one of our partners. We also sometimes receive information about you from people you know, if they are concerned about you, or you have given them permission to represent you.
The information we collect will depend on the services delivered but may include:
- personal details
- family details
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- housing needs
- visual images, personal appearance and behaviour
- licenses or permits held
- student and pupil records
- case file information
For some services we may also require information that falls under the following special categories (sensitive information):
- physical or mental health details
- racial or ethnic origin
- trade union membership
- political affiliation
- political opinions
- offences (including alleged offences)
- religious or other beliefs of a similar nature
- criminal proceedings, outcomes and sentences
- biometric information
Legal basis for processing
To process your personal data, we must have a lawful basis under Article 6 of the GDPR and under Article 9 if we are processing special category data.
Some of our services are required by law or we have a public duty to deliver them. In other cases, services may be non-statutory but available on request. This will affect the lawful basis on which we rely to process your personal data and that will be specified in the service privacy notices.
Data sharing
In some circumstances we have an obligation to work with and share information with partner organisations such as the NHS, schools and Police. Sometimes we contract external organisations to deliver services on our behalf and it is necessary to share information with them so that that they can provide those services. Service specific privacy notices will explain who we will share your data with.
We also work with many partner organisations, sometimes to meet a legal obligation, and sometimes with your consent. Whenever we need to share your information we will tell you when we collect it. If we obtain your information from another organisation, we will tell you as soon as is reasonably possible.
Where appropriate, the personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here
Data storage
Your data will not be transferred abroad unless this is stated in the service specific privacy notice. Your data will be retained in line with the Council’s retention schedule and details for each service will be provided in their privacy notices.
Your rights
You have a number of rights in relation to your personal data including the right to ask for a copy of the information we hold about you. For more information, please see our information rights section. You also have the right to complain about how we use your data to the Information Commissioner’s Office.
You can contact the DPO by email on informationgovernance@somerset.gov.uk
For information about the data we collect and how we use it in relation to specific services, please see the links to service specific privacy notices below.
Service Privacy Notices
Privacy Notice – Adult and Health Services
Privacy Notice – Advertising on roundabouts
Privacy Notice – Blue Badge Service
Privacy Notice – Body-Worn Cameras (2021 Trial)
Privacy Notice – Children and Families (Children’s Social Care)
Privacy Notice – Children’s Services
Privacy Notice – Contact Centre
Privacy Notice – Corporate Affairs
Privacy Notice – Early Years
Privacy Notice – Economic and community infrastructure
Privacy Notice – Family Safeguarding
Privacy Notice – Finance, legal and governance
Privacy Notice – Fostering
Privacy Notice – Free School Meals Applications
Privacy Notice – Inclusion Advisory Services
Privacy Notice – Insurance
Privacy Notice – National Apprenticeship Scheme
Privacy Notice – Public Health
Privacy Notice – Recruitment Data Privacy Statement
Privacy Notice – Registration Services
Privacy Notice – Skills for Growth
Privacy Notice – Special Educational Needs and Disabilities (SEND)
Privacy Notice – Volunteering
Somerset COVID-19 Helpline and Web Service
Data Controllers
Somerset County Council – ICO Registration Z5957592
Mendip District Council – ICO Registration Z7552163
Sedgemoor District Council – ICO Registration Z5968381
South Somerset District Council – ICO Registration Z7228012
Somerset West and Taunton Council – ICO Registration ZA508925
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
DPO@mendip.gov.uk
FOI@sedgemoor.gov.uk
DPO@southsomerset.gov.uk
DPO@somersetwestandtaunton.gov.uk
Purpose for processing
The personal data that you provide is used for the operation of the joint Somerset single COVID-19 telephone helpline and equivalent web service. The helpline/web service is a joint service between Somerset County and District Councils and provides signposting, advice and support in matters relating to the COVID-19 (Coronavirus) pandemic. The Helpline will use information supplied by Central Government and held by all Somerset Councils to identify individuals/households which may require additional support during the crisis and will contact those individuals/households assess and support need.
Categories of personal data
The personal data processed will depend on the nature of the transaction, but will include name and contact details and may include special category data (data which requires an additional level of protection due to the sensitivity of it), such as information about your health conditions.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health
Data sharing
The COVID-19 helpline and web service is operated in Somerset as a joint venture between the County and District Councils. Information will be shared between partners where it is necessary to do so to fulfil the above stated purpose. Information provided to the helpline or online will be passed to the appropriate council for action or shared with other public service partners (e.g. health providers), voluntary services or commissioned providers (such as social prescribing organisations commissioned to contact individuals who have been asked to ‘shield’) where they are appropriate to meet the need.
Your personal information may also be shared where there is a statutory obligation to do so – for example, to safeguard someone from harm or for the prevention or detection of crime or fraud.
Transfers abroad
Your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data retention
This data will be retained for a period of 12 months. Data may be used during this period for training, quality control and analytics.
Your rights
You have a number of rights in relation your personal data, including the the right to ask for a copy of your data. Please refer to the relevant council website for further details:
Somerset County Council
Mendip District Council
Sedgemoor District Council
South Somerset District Council
Somerset West and Taunton Council
It should be noted that not all rights apply in all cases and that these rights are only applicable if the Council has no other legal obligation concerning that data. More information about your rights.
You also have the right to complain to the regulator,
COVID-19 Supermarket Referrals
Data Controllers
Somerset County Council – ICO Registration Z5957592
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
Purpose for processing
Somerset County Council will collect data from individuals in order that they can be referred for a priority home delivery slot with a participating supermarket. Referrals will be available for people who are not shielding, are able to order online and pay for food but cannot access food due to the current COVID-19 pandemic. The processing of data is necessary to facilitate provision of a delivery slot by the participating supermarket of the customer’s choice.
Categories of personal data
The following data will be collected where a customer qualifies for a referral and wishes to apply for one:
- First and surname
- Full address and postcode
- Email address
- Phone number
- Unique property identifier if available.
Additionally, customers will share information necessary to determine their eligibility for referral – this may include circumstances relating to health and disability.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Data sharing
Data collected from individuals wanting a referral will be shared by the Council with the Department for Environment, Food and Rural Affairs (DEFRA) via a secure portal. Participating supermarkets will be able to access information from that portal for individuals that have requested a referral according to the specific supermarket choice made by the individual, in order that they can make contact and offer a delivery slot. Details of the individuals shopping and payment methods will not be processed by Somerset County Council as the shopping will take place in the usual manner through the chosen supermarket’s online store.
Transfers abroad
Your data will not be transferred abroad.
Data retention
Recorded telephone calls will be retained for a period of 12 months. Data may be used during this period for training, quality control and analytics.
The current retention period for the data input in to the DEFRA portal is 18 months from the date of first transfer. However, as this initiative is designed to meet needs arising from an emergency, a definite retention period cannot currently be designed. All parties undertake not to retain data longer than is necessary for the defined purpose.
Your rights
You have a number of rights in relation your personal data, including the right to ask for a copy of your data. More information
You also have the right to complain to the regulator.
Somerset COVID-19 Test and Trace
Data Controllers
Somerset County Council – ICO Registration Z5957592
Mendip District Council – ICO Registration Z7552163
Sedgemoor District Council – ICO Registration Z5968381
South Somerset District Council – ICO Registration Z7228012
Somerset West and Taunton Council – ICO Registration ZA508925
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
DPO@mendip.gov.uk
FOI@sedgemoor.gov.uk
DPO@southsomerset.gov.uk
DPO@somersetwestandtaunton.gov.uk
Purpose for processing
Somerset’s County and District councils will be working in partnership to assist the national Test and Trace programme. Somerset Public Health will receive data from Public Health England where efforts to contact individuals who have tested positive for Covid-19 have failed. Somerset County Council (Public Health) will work with the District Council’s to make contact with those individuals (using Council Tax or other existing contact information held by the Councils) to provide guidance and support and to establish who the individual has had contact with since testing positive in order to manage local outbreak and ensure the well-being of affected individuals.
Categories of personal data
The personal data processed will be:
- The personal data provided by the individual at the point of test (name, contact information and so on)
- The result of the data subject’s Covid-19 test (positive).
- Additional contact information from local sources.
- Details provided by the individual in relation to their contacts since testing positive.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health
Data sharing
Data will be shared with Public Health England, Somerset County Council and Somerset District Councils. Access to information will be provided only as necessary to perform the necessary functions of the Test and Trace programme. Data will be stored on the national CTAS system – for further information please refer to the Public Health England website
Your personal information may also be shared where there is a statutory obligation to do so – for example, to safeguard someone from harm or for the prevention or detection of crime or fraud.
Transfers abroad
Your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data retention
No data will be retained locally. All information will be added to the national system – please see the Public Health England website for further information.
Your rights
You have a number of rights in relation your personal data, including the right to ask for a copy of your data. Please refer to the relevant council website for further details:
Somerset County Council
Mendip District Council
Sedgemoor District Council
South Somerset District Council
Somerset West and Taunton Council
It should be noted that not all rights apply in all cases and that these rights are only applicable if the Council has no other legal obligation concerning that data. More information about your rights. Please also note that Somerset County Council and local District council will not hold Test and Trace data as this will be managed through the national Public Health England system – further information
You also have the right to complain to the regulator,
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
If you wish to remove your consent at any time, please clear your local storage.
Google Analytics
Collects anonymous information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect anonymous information, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
On some of our sites we may also collect demographics and interest data about our customers where this is available. If you do not wish to share this information with us you can turn off Google Analytics tracking in your cookie preferences.
Forms
Our online forms use cookies to store and send information. They only use the information you choose to provide to us, which we will process in accordance with our data policies.
Most web browsers allow some control of most cookies through the browser settings.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
You can learn more about how we manage your data and your rights on our Privacy Notice.
Security
Our security software tracks IP addresses and host information to prevent attacks from malicious sources. We do not collect any personal information using this software.
Cookie names: jJdLTSncPpxvqy, lgaLzEVJsXnDQ
Cookie type: Expires after 1 day
Domain: somerset.gov.uk
Siteimprove
Cookie name: nmstat
Cookie type: Persistent – expires after 1000 days
Domain: somerset.gov.uk
About: This cookie is used to help record the visitor’s use of the website.
It is used to collect statistics about site usage such as when the visitor last visited the site.
This information is then used to improve the user experience on the website. This Siteimprove Analytics cookie contains a randomly generated ID used to recognize the browser when a visitor reads a page. The cookie contains no personal information and is used only for web analytics.
Cookie name: siteimproveses
Cookie type: Session cookie
Domain: 2734886.global.siteimproveanalytics.io
About: This cookie is used purely to track the sequence of pages a visitor looks at during a visit to the site. This information can be used to reduce user journeys, and enable visitors to find relevant information quicker.
Cookie name: szcib
Cookie type: Persistent – expires after 400 days
Domain: somerset.gov.uk
About: This cookie is used to determine if the user has accepted or declined cookies. This is only set if you use the Siteimprove Cookie Info Banner solution
Cookie name: sz-feedback-should-hide
Cookie type: Session cookie
Domain: somerset.gov.uk
About: This cookie is used to hide/close a feedback widget for specific sessions (visits) on the Analytics Feedback feature. It is set when a user clicks a button in the feedback widget which indicates they don’t wish to see the widget again. The cookie contains no personal information and is used only for web analytics. It simply contains the text ‘true’ when it is set.
Cookie name: _cfduid
Cookie type: Persistent cookie
Domain: .siteimproveanalytics.com
About: The “__cfduid” cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. See: What does the CloudFlare cfduid cookie do?