Overarching Privacy Notice
Somerset County Council (SCC) provides a wide range of services to the people of Somerset. In order to provide those services, we process large amounts of your personal data. Personal information is any information which identifies and relates to a living person.
We are registered as a data controller for the data we collect, process, and hold, and our Data Protection Notification (registration number Z5957592) includes generic information about the types of personal data we process, what we use it for, and who we share it with.
Contact details
Somerset County Council
County Hall
Taunton
TA1 4DY
Telephone: 0300 123 2224
Email: generalenquiries@somerset.gov.uk
Data protection officer (DPO)
Lucy Wilkins
Contact the DPO by email on informationgovernance@somerset.gov.uk
This notice is overarching and provides general information about how the Council processes data. Please refer to service privacy notices for specific information about how the services you are engaged with collect, use and hold your data.
Purpose for processing
We collect, use and hold personal information so that we are able to effectively deliver our services.
We will use your information to support us with one or more of the following:
- delivering services and support to you or your family;
- managing services we provide to you or your family;
- training and managing the employment of our workers who deliver our services;
- investigating any worries or complaints you have about our services;
- keeping track of spending on services;
- checking the quality of services; and
- researching and planning new services.
Categories of personal data
We collect information in a variety of ways including paper forms, web forms, in a face-to-face meeting with you, by telephone, email or letter, through the use of CCTV or sometimes from one of our partners. We also sometimes receive information about you from people you know, if they are concerned about you, or you have given them permission to represent you.
The information we collect will depend on the services delivered but may include:
- personal details
- family details
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- housing needs
- visual images, personal appearance and behaviour
- licenses or permits held
- student and pupil records
- case file information
For some services we may also require information that falls under the following special categories (sensitive information):
- physical or mental health details
- racial or ethnic origin
- trade union membership
- political affiliation
- political opinions
- offences (including alleged offences)
- religious or other beliefs of a similar nature
- criminal proceedings, outcomes and sentences
- biometric information
Legal basis for processing
To process your personal data, we must have a lawful basis under Article 6 of the GDPR and under Article 9 if we are processing special category data.
Some of our services are required by law or we have a public duty to deliver them. In other cases, services may be non-statutory but available on request. This will affect the lawful basis on which we rely to process your personal data and that will be specified in the service privacy notices.
Data sharing
In some circumstances we have an obligation to work with and share information with partner organisations such as the NHS, schools and Police. Sometimes we contract external organisations to deliver services on our behalf and it is necessary to share information with them so that that they can provide those services. Service specific privacy notices will explain who we will share your data with.
We also work with many partner organisations, sometimes to meet a legal obligation, and sometimes with your consent. Whenever we need to share your information we will tell you when we collect it. If we obtain your information from another organisation, we will tell you as soon as is reasonably possible.
Where appropriate, the personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here
Data storage
Your data will not be transferred abroad unless this is stated in the service specific privacy notice. Your data will be retained in line with the Council’s retention schedule and details for each service will be provided in their privacy notices.
Your rights
You have a number of rights in relation to your personal data including the right to ask for a copy of the information we hold about you. For more information, please see our information rights section. You also have the right to complain about how we use your data to the Information Commissioner’s Office.
You can contact the DPO by email on informationgovernance@somerset.gov.uk
For information about the data we collect and how we use it in relation to specific services, please see the links to service specific privacy notices below.
Somerset COVID-19 Helpline and Web Service
Data Controllers
Somerset County Council – ICO Registration Z5957592
Mendip District Council – ICO Registration Z7552163
Sedgemoor District Council – ICO Registration Z5968381
South Somerset District Council – ICO Registration Z7228012
Somerset West and Taunton Council – ICO Registration ZA508925
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
DPO@mendip.gov.uk
FOI@sedgemoor.gov.uk
DPO@southsomerset.gov.uk
DPO@somersetwestandtaunton.gov.uk
Purpose for processing
The personal data that you provide is used for the operation of the joint Somerset single COVID-19 telephone helpline and equivalent web service. The helpline/web service is a joint service between Somerset County and District Councils and provides signposting, advice and support in matters relating to the COVID-19 (Coronavirus) pandemic. The Helpline will use information supplied by Central Government and held by all Somerset Councils to identify individuals/households which may require additional support during the crisis and will contact those individuals/households assess and support need.
Categories of personal data
The personal data processed will depend on the nature of the transaction, but will include name and contact details and may include special category data (data which requires an additional level of protection due to the sensitivity of it), such as information about your health conditions.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health
Data sharing
The COVID-19 helpline and web service is operated in Somerset as a joint venture between the County and District Councils. Information will be shared between partners where it is necessary to do so to fulfil the above stated purpose. Information provided to the helpline or online will be passed to the appropriate council for action or shared with other public service partners (e.g. health providers), voluntary services or commissioned providers (such as social prescribing organisations commissioned to contact individuals who have been asked to ‘shield’) where they are appropriate to meet the need.
Your personal information may also be shared where there is a statutory obligation to do so – for example, to safeguard someone from harm or for the prevention or detection of crime or fraud.
Transfers abroad
Your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data retention
This data will be retained for a period of 3 years. Data may be used during this period for training, quality control and analytics.
Your rights
You have a number of rights in relation your personal data, including the the right to ask for a copy of your data. Please refer to the relevant council website for further details:
South Somerset District Council
Somerset West and Taunton Council
It should be noted that not all rights apply in all cases and that these rights are only applicable if the Council has no other legal obligation concerning that data. More information about your rights.
You also have the right to complain to the regulator,
COVID-19 Supermarket Referrals
Data Controllers
Somerset County Council – ICO Registration Z5957592
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
Purpose for processing
Somerset County Council will collect data from individuals in order that they can be referred for a priority home delivery slot with a participating supermarket. Referrals will be available for people who are not shielding, are able to order online and pay for food but cannot access food due to the current COVID-19 pandemic. The processing of data is necessary to facilitate provision of a delivery slot by the participating supermarket of the customer’s choice.
Categories of personal data
The following data will be collected where a customer qualifies for a referral and wishes to apply for one:
- First and surname
- Full address and postcode
- Email address
- Phone number
- Unique property identifier if available.
Additionally, customers will share information necessary to determine their eligibility for referral – this may include circumstances relating to health and disability.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Data sharing
Data collected from individuals wanting a referral will be shared by the Council with the Department for Environment, Food and Rural Affairs (DEFRA) via a secure portal. Participating supermarkets will be able to access information from that portal for individuals that have requested a referral according to the specific supermarket choice made by the individual, in order that they can make contact and offer a delivery slot. Details of the individuals shopping and payment methods will not be processed by Somerset County Council as the shopping will take place in the usual manner through the chosen supermarket’s online store.
Transfers abroad
Your data will not be transferred abroad.
Data retention
Recorded telephone calls will be retained for a period of 3 years. Data may be used during this period for training, quality control and analytics.
The current retention period for the data input in to the DEFRA portal is 18 months from the date of first transfer. However, as this initiative is designed to meet needs arising from an emergency, a definite retention period cannot currently be designed. All parties undertake not to retain data longer than is necessary for the defined purpose.
Your rights
You have a number of rights in relation your personal data, including the right to ask for a copy of your data. More information
You also have the right to complain to the regulator.
Somerset COVID-19 Test and Trace
Data Controllers
Somerset County Council – ICO Registration Z5957592
Mendip District Council – ICO Registration Z7552163
Sedgemoor District Council – ICO Registration Z5968381
South Somerset District Council – ICO Registration Z7228012
Somerset West and Taunton Council – ICO Registration ZA508925
Data Protection Officer contacts
informationgovernance@somerset.gov.uk
DPO@mendip.gov.uk
FOI@sedgemoor.gov.uk
DPO@southsomerset.gov.uk
DPO@somersetwestandtaunton.gov.uk
Purpose for processing
Somerset’s County and District councils will be working in partnership to assist the national Test and Trace programme. Somerset Public Health will receive data from Public Health England where efforts to contact individuals who have tested positive for Covid-19 have failed. Somerset County Council (Public Health) will work with the District Council’s to make contact with those individuals (using Council Tax or other existing contact information held by the Councils) to provide guidance and support and to establish who the individual has had contact with since testing positive in order to manage local outbreak and ensure the well-being of affected individuals.
Categories of personal data
The personal data processed will be:
- The personal data provided by the individual at the point of test (name, contact information and so on)
- The result of the data subject’s Covid-19 test (positive).
- Additional contact information from local sources.
- Details provided by the individual in relation to their contacts since testing positive.
Legal basis for processing
General personal data:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Special category data:
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health
Data sharing
Data will be shared with Public Health England, Somerset County Council and Somerset District Councils. Access to information will be provided only as necessary to perform the necessary functions of the Test and Trace programme. Data will be stored on the national CTAS system – for further information please refer to the Public Health England website
Your personal information may also be shared where there is a statutory obligation to do so – for example, to safeguard someone from harm or for the prevention or detection of crime or fraud.
Transfers abroad
Your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data retention
No data will be retained locally. All information will be added to the national system – please see the Public Health England website for further information.
Your rights
You have a number of rights in relation your personal data, including the right to ask for a copy of your data. Please refer to the relevant council website for further details:
Somerset County Council
Mendip District Council
Sedgemoor District Council
South Somerset District Council
Somerset West and Taunton Council
It should be noted that not all rights apply in all cases and that these rights are only applicable if the Council has no other legal obligation concerning that data. More information about your rights. Please also note that Somerset County Council and local District council will not hold Test and Trace data as this will be managed through the national Public Health England system – further information
You also have the right to complain to the regulator,
Service Privacy Notices
Privacy Notice – Adult and Health Services
Privacy Notice – Blue Badge Service
Privacy Notice – Children and Families (Children’s Social Care)
Privacy Notice – Children’s Services
Privacy Notice – Economic and community infrastructure
Privacy Notice – Family Safeguarding
Privacy Notice – Finance, legal and governance
Privacy Notice – Fostering
Privacy Notice – Inclusion Advisory Services
Privacy Notice – Insurance
Privacy Notice – National Apprenticeship Scheme
Privacy Notice – Public Health
Privacy Notice – Registration Services
Privacy Notice – Special Educational Needs and Disabilities (SEND)
Privacy Notice - Contact Centre
Data Controller – Somerset County Council – ICO Registration Z5957592
Data Protection Officer Contact – informationgovernance@somerset.gov.uk
Somerset County Council’s Contact Centre provides a ‘front door’ for customers contacting the Council by telephone, email and through web chat. The personal information processed by Contact Centre staff will depend on the nature of the contact and the services requested but may include:
- Identifying information (such as name, address, contact details, date of birth, family information, unique identification number (e.g. NHS Number).
- Details of services received and/or required.
- Special category data as defined in Article 9 of the General Data Protection Regulation.
Purposes for processing
We use your personal information to:
- Understand the nature of your enquiry and provide information and advice about services which you are requesting or that we feel may be of benefit.
- Deliver or enable the delivery of our services.
- Make referrals to our services.
- Signpost to other organisations where appropriate.
Legal basis for processing
We rely on the following provisions of the General Data Protection Regulation (GDPR) as the lawful bases for processing your personal data:
- Article 6 1(e) – Public task
Somerset County Council carries out a number of tasks across all services in the public interest or in the exercise of official authority vested in us and, in some cases, it is necessary to process your personal data in order to undertake such tasks. The Contact Centre works across the whole council, providing a ‘front door’ for all services. All data processed by the Contact Centre in relation to our wider services will be processed in accordance with the relevant privacy notices.
We rely on the following provision of the General Data Protection Regulation (GDPR) as the lawful basis for processing your special category data:
- Article 9 2(g) – substantial public interest
In order to deliver some services it may be necessary to process data which is classed as special category. This is information about you which, due to the nature of it, is afforded additional protections under data protection law.
The legislation to which our public tasks relate are detailed on service privacy notices where appropriate.
Data Sharing
Your personal information may be shared with internal departments or with external partners and agencies involved in delivering services on our behalf. However, we will only share information with organisations who will also comply with appropriate data protection laws. You will be informed in the service specific privacy notice of who your data may be shared with (if at all) and appropriate contracts or agreements will be in place to ensure the data sharing is appropriately managed.
Data Security
We have appropriate security measures in place to prevent personal information from being accidentally lost or misused. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are required to do so.
Your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data Retention
The Contact Centre records telephone conversations and web chat transcripts for quality monitoring and training purposes. Calls recordings will be retained for 3 years and web chat transcripts will be retained for a period of 6 months.
Service specific data collected by the Contact Centre will be transferred to the appropriate service/systems and will be retained in accordance with the stated requirements of that service.
Your Rights
Under the General Data Protection Regulation (GDPR) you have a number of rights in relation to the data we hold about you. These include the right to ask for a copy of your data, the right to rectify or erase your personal data, and the right to object to processing. However, these rights are only applicable if the Council has no other legal obligation concerning that data. Further information about your rights and how to exercise them can be found on our website.
You also have the right to complain to the regulator (The Information Commissioner) and details can be found at https://ico.org.uk/make-a-complaint/
In some case if you do not supply your information to us, we will not be able to provide you with the services we are obliged to provide by law or any supplementary service you have asked for.
Privacy Notice - Corporate Affairs
Data Controller – Somerset County Council – ICO Registration Z5957592
Data Protection Officer contact – informationgovernance@somerset.gov.uk
Purpose for processing
- Customer and community insight – business intelligence
- Customer contact
- Customer experience and information governance
- Internal and external communications
- Performance
Legal basis for processing
Public task – Corporate Affairs is required to act in the public interest to perform public duties to ensure the delivery of the services detailed above. In some cases, Corporate Affairs may ask for your explicit consent to process your personal data, see below for more details.
Legitimate interests – Corporate Affairs uses your personal data to support its legitimate interests to audit financial transactions, to ensure the quality of services, to correspond with customers, to answer enquiries, and to deal with complaints.
Data sharing – the personal data provided to Corporate Affairs will be shared with a range of partners when providing services including National Government Departments, the NHS, the Police and other Local Authorities. When Corporate Affairs is required to share your personal data, you will be informed at the point your data is collected.
Safeguarding – In cases where you or another member of the public may be at risk your personal information will be shared
Other statutory obligations – In cases where the Council is legally obliged to disclose your personal information in cases such as prevention or detection of crime or fraud your personal information will be shared.
Transfers abroad – your data will not be transferred abroad unless you are specifically informed at the point your data is collected.
Data retention – this data will be retained for a period determined by UK law and regulations, or in some cases to meet specific requirements of the service being provided. You will be informed of this at the point your data is collected.
Your rights – You have the right to ask Somerset County Council for a copy of your data, the right to rectify or erase your personal data, and the right to object to processing.
However, these rights are only applicable if the Council has no other legal obligation concerning that data. For more information about your rights and details of how to exercise them see https://www.somerset.gov.uk/our-information/your-rights-on-the-information-we-hold-about-you/
You also have the right to complain to the regulator, ico.org.uk/
Consequences: In some case if you do not supply your information to us, we will not be able to provide you with the services we are obliged to provide by law or any supplementary service you have asked for.
Explicit consent
If the legal basis for processing is explicit consent we will need to ensure you are provided with a:
a) Clear explanation of exactly what is being consented to
b) Clear “opt-in”
c) Clear option to withdraw your consent later by use of an “opt-out”
Privacy of Electronic Communications Regulations (PECR)
To meet the requirements of the Privacy of Electronic Communications Regulations (PECR) we will ensure that we give you clear options on the information you receive, and how you can receive it.
If we are using your contact details to distribute further information, we will provide you with OPT-IN options so you can choose the method of communication, such as post, email, or phone, and to choose what you will receive, such as newsletters, invitations to events, and service updates. We will also offer you a clear option to unsubscribe to any communications sent with your consent.
Privacy Notice - Recruitment Data Privacy Statement
Data Controller – Somerset County Council
Data Protection Officer contact – informationgovernance@somerset.gov.uk
Purpose for processing – to run recruitment processes
Legal bases for processing – right to work, safer recruitment.
By law – Immigration, Asylum and Nationality Act 2006, Safeguarding Vulnerable Groups Act 2006 as amended by the Protection of Freedoms Act 2012.
Data sharing – the personal data provided will be shared internally to Somerset County Council and with partner organisations who are involved in our recruitment process. This information may be disclosed to Government Departments where there is a legal obligation to do so. If you are applying for an Apprenticeship the personal data provided will be shared with the Learning Provider attached to the employment.
Transfers abroad – Personal data in our e-recruitment system is kept within the EEA by Lumesse.
Data retention – If you become an employee the data will be kept for 100 years from your date of birth. If you do not become an employee the data will be kept for 12 months, right to work information of unsuccessful candidates is destroyed after interview.
Your rights – You have the right to ask Somerset County Council to a copy of your data, the right to rectify or erase your personal data and the right to object to processing. However, these rights are only applicable if the Council has no other legal obligation concerning that data. You also have the right to complain to the regulator ico.org.uk/
Consequences – If you do not supply the information requested on this application form we will not be able to process your application.
For more information see http://extranet.somerset.gov.uk/hr/employment-information/data-protection/
Privacy Notice - Volunteering
Data Controller: Somerset County Council – ICO Registration Z5957592
Data Protection Officer Contact: informationgovernance@somerset.gov.uk
Purpose for processing:
- Administration of volunteer agreements and arrangements;
- Administer and manage your volunteer placement
- Safeguarding of Somerset County Council clients and customers;
- Support the delivery of services
- Payment of expenses.
Legal basis for processing
By law
- Safeguarding Vulnerable Groups Act 2006 as amended by the Protection of Freedoms Act 2012.
- Safeguarding of vulnerable adults and children (The Care Act 2014, The Children and Families Act 2014, and The Children’s Act 2004)
- Proof that volunteer is legally able to fulfil the volunteer role (e.g. Volunteer drivers must have current drivers’ licence, with no more than 6 points)
- Volunteer Safety and Security (protected as non-employees, under the Health and Safety at Work Act 1974, whilst undertaking duties under their control, SCC Public Liability Insurance)
- We may be required to give information to legal authorities if requested or if they have the proper authorisation such as a search warrant or court order.
Under 16
If you are under 16 and become a volunteer we must have the consent of your parents or guardian to become a volunteer.
Public task:
Where your information is not processed in accordance with the law we will use your personal data in order to deliver a service to you, including your profile, provide you with recommendations of volunteering opportunities, and recruitment process and training, depending on the volunteer role you apply for. We will use your email address (where provided) to contact you about changes to our service and important information about your role.
When you enquire about our volunteer services we will process your enquiry, and provide you with the information that you have asked for.
When you apply to become a volunteer for Somerset County Council, you willingly enter a voluntary agreement, formed between you and Somerset County Council. In order to carry out our obligations under that agreement we must process the information you give us, as set out in the purpose for processing.
Explicit consent
Where you have given us your explicit consent, we will use your information in the way that you have asked us to such as provision of a newsletter or sharing your information with partner organisations to provide you with information about further volunteering opportunities.
Data sharing
Your personal data will be shared with relevant Somerset County Council Services and partner organisations who you may be supporting.
Transfers abroad
This data will not be transferred abroad
Data retention
This data will be retained for a period determined by UK law and regulations, or in some cases to meet specific requirements of the service being provided.
This data will be retained on file for the duration of the volunteer’s involvement with the Council as a volunteer, and for a further 6 years in order to support any follow up enquiries, unless your role is supporting children and it will then be held to meet any requirements resulting from the IICSA Enquiry. Information held about unsuccessful applicants is destroyed after 12 months.
Your rights
You have the right to ask Somerset County Council for a copy of your data, the right to rectify or erase your personal data, and the right to object to processing. However, these rights are only applicable if the Council has no other legal obligation concerning that data.
You also have the right to complain to the regulator, ico.org.uk/
Consequences
If you do not supply this information to us, we will not be able to place you into a volunteer role.
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
If you wish to remove your consent at any time, please clear your local storage.
Google Analytics
Collects anonymous information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect anonymous information, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
Forms
Our online forms use cookies to store and send information. They only use the information you choose to provide to us, which we will process in accordance with our data policies.
Most web browsers allow some control of most cookies through the browser settings.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
You can learn more about how we manage your data and your rights on our Privacy Notice.
Security
Our security software tracks IP addresses and host information to prevent attacks from malicious sources. We do not collect any personal information using this software.
Cookie names: jJdLTSncPpxvqy, lgaLzEVJsXnDQ
Cookie type: Expires after 1 day
Domain: somerset.gov.uk
Siteimprove
Cookie name: nmstat
Cookie type: Persistent – expires after 1000 days
Domain: somerset.gov.uk
About: This cookie is used to help record the visitor’s use of the website.
It is used to collect statistics about site usage such as when the visitor last visited the site.
This information is then used to improve the user experience on the website. This Siteimprove Analytics cookie contains a randomly generated ID used to recognize the browser when a visitor reads a page. The cookie contains no personal information and is used only for web analytics.
Cookie name: siteimproveses
Cookie type: Session cookie
Domain: 2734886.global.siteimproveanalytics.io
About: This cookie is used purely to track the sequence of pages a visitor looks at during a visit to the site. This information can be used to reduce user journeys, and enable visitors to find relevant information quicker.
Cookie name: szcib
Cookie type: Persistent – expires after 400 days
Domain: somerset.gov.uk
About: This cookie is used to determine if the user has accepted or declined cookies. This is only set if you use the Siteimprove Cookie Info Banner solution
Cookie name: sz-feedback-should-hide
Cookie type: Session cookie
Domain: somerset.gov.uk
About: This cookie is used to hide/close a feedback widget for specific sessions (visits) on the Analytics Feedback feature. It is set when a user clicks a button in the feedback widget which indicates they don’t wish to see the widget again. The cookie contains no personal information and is used only for web analytics. It simply contains the text ‘true’ when it is set.
Cookie name: _cfduid
Cookie type: Persistent cookie
Domain: .siteimproveanalytics.com
About: The “__cfduid” cookie is set by the CloudFlare service to identify trusted web traffic. It does not correspond to any user id in the web application, nor does the cookie store any personally identifiable information. See: What does the CloudFlare cfduid cookie do?