This privacy notice explains how the London Borough of Bromley collects, uses and protects your personal data under the Data Protection Act and General Data Protection Regulation (GDPR)
Your personal data - what is it?
Personal data is any information relating to a living individual who can be identified from that information. Personal data can be anything from your name, email address or mobile or landline telephone number to a biometric identifier or a photograph.
The use and protection of personal data is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).
What do we use your data for?
Under GDPR and DPA Bromley Council is the personal data controller - this means the council decides how your personal data is lawfully used and for what purposes.
The primary purposes for which the council uses your personal data include providing council services and complying with our statutory and contractual obligations.
How do we protect your personal data
We comply with our obligations under GDPR and DPA by minimising personal data; keeping personal data up to date; storing and destroying it securely and in a timely way; not collecting or retaining excessive amounts of data; protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical and organisational measures are in place to protect personal data.
What is the legal basis for processing your personal data?
The legal basis for processing your personal data by the council as a public authority will be one or more of the following conditions under GDPR Article 6:
- Your consent for one or more specific purposes.
- Performance of a contract to which you are or will be a party.
- Compliance with the council’s legal obligations.
- Protecting your vital interests, or those of another person.
- Carrying out a task in the public interest or in the exercise of official authority.
Sharing your personal data
The council will only share your personal data with a third party with your consent or where it is otherwise lawful to do so.
In practice, this means the council may share your personal data across council departments and with other local authorities and government organisations, including central government and its agencies. In addition the council may share personal data with its contractors, consultants and agents – those people and organisations who partner with and support the council in delivering services.
Unless subject to an exemption under GDPR and DPA, you have the following rights with respect to your personal data:
a. to request access to information about and a copy of your personal data;
b. to request that we rectify any personal data if it is found to be inaccurate or out of date;
c. to request that your personal data be erased in certain circumstances;
d. to withdraw any consent to processing which you have given;
e. to request restriction of processing in certain circumstances;
f. to ‘personal data portability’ i.e. to request a transfer of your personal data;
g. to object to processing in certain circumstances;
h. to complain to the council and to the Information Commissioner.
Request a copy of your personal data
Reviews and complaints
If you are unhappy with the way we have handled a subject access request you can raise your concerns in the following way:
Stage 1 - Please contact the person who sent the response to your request. It may be that we can resolve the issue there and then.
Stage 2 - If you remain dissatisfied, you can request a review through the person who sent the response to your request. Your appeal will be directed to a member of the council's legal team for consideration.
Stage 3 - If you are unhappy with the outcome of the review, you can contact the Information Commissioner's Office, which investigates complaints about public bodies' handling of information requests.
Due the majority of Bromley Council staff now remote working, some requests will take longer than others if the requested information is held in a physical format.
At any stage, we aim to respond within 30 days.