This privacy notice explains how the London Borough of Bromley collects, uses and protects your personal data under the Data Protection Act and General Data Protection Regulation (GDPR)
Your personal data - what is it?
Personal data is any information relating to a living individual who can be identified from that information. Personal data can be anything from your name, email address or mobile or landline telephone number to a biometric identifier or a photograph.
The use and protection of personal data is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).
What do we use your data for?
Under GDPR and DPA Bromley Council is the personal data controller - this means the council decides how your personal data is lawfully used and for what purposes.
The primary purposes for which the council uses your personal data include providing council services and complying with our statutory and contractual obligations.
How do we protect your personal data
We comply with our obligations under GDPR and DPA by minimising personal data; keeping personal data up to date; storing and destroying it securely and in a timely way; not collecting or retaining excessive amounts of data; protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical and organisational measures are in place to protect personal data.
What is the legal basis for processing your personal data?
The legal basis for processing your personal data by the council as a public authority will be one or more of the following conditions under GDPR Article 6:
- Your consent for one or more specific purposes.
- Performance of a contract to which you are or will be a party.
- Compliance with the council’s legal obligations.
- Protecting your vital interests, or those of another person.
- Carrying out a task in the public interest or in the exercise of official authority.
Sharing your personal data
The council will only share your personal data with a third party with your consent or where it is otherwise lawful to do so.
In practice, this means the council may share your personal data across council departments and with other local authorities and government organisations, including central government and its agencies. The Council may also share your personal data with selected staff as part of the London Care Record initiative. In addition the council may share personal data with its contractors, consultants and agents – those people and organisations who partner with and support the council in delivering services.
Unless subject to an exemption under GDPR and DPA, you have the following rights with respect to your personal data:
a. to request access to information about and a copy of your personal data;
b. to request that we rectify any personal data if it is found to be inaccurate or out of date;
c. to request that your personal data be erased in certain circumstances;
d. to withdraw any consent to processing which you have given;
e. to request restriction of processing in certain circumstances;
f. to ‘personal data portability’ i.e. to request a transfer of your personal data;
g. to object to processing in certain circumstances;
h. to complain to the council and to the Information Commissioner.
How to make an effective subject access request
When making a subject access request what is most important is that we can clearly identify you, and the information you are requesting.
You may want a file from a specific service, like a copy of your benefits file, or your housing file, or your social care records. You could ask for information from more than one service, all services, or for just a small amount e.g., a copy of a number of particular documents, or documents from a particular date range, or information relating to a particular event. Providing us with a detailed request will allow us to complete your request efficiently, and to achieve this, please only ask for information that you need.
The ICO recommend you give specific details of where to search for the personal data you want, for example:
- my Housing file
- emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
- financial statements (between 2013 and 2017) held in account number xxxxx.]
- my EHCP plans and assessments (between 2014 and 2017)
- social care records (between 2016 to 2018), direct payments records (between 2014 to 2019) and housing benefits records (between 2014 to 2019)
Other information may also help us to locate what you’re looking for, if you think that some contextual information would be useful, then please include an explanation of why you’re seeking the information.
Requests on behalf of children
Subject access requests are often made by parents for information about their children. The Data Protection Act 2018 affords children the same rights as adults regarding access to and protection of their data. A child can request access to their data when they can understand their rights and what it means to make a request. Whilst the law in England does not specify an age at which a child is considered to have the competency to understand and exercise their rights, it does state that a child of 13 can consent to ‘information services’. Bromley uses this age as a guide for considering when a child has competency. We will need to see written and signed evidence of your appointment to act on their behalf which shows they understand the nature of the request, what information is being requested and the consequences of the disclosure. Bromley is committed to upholding the rights and freedoms of those we hold information about. As part of responsible due diligence, Bromley will take into consideration the circumstances of each request, and the level of maturity of the child including any views they may have about the disclosure before determining when disclosure is reasonable.
Requests on behalf of adults
Bromley will need to be satisfied that the person you are requesting information on behalf of has authorised you to do so. You may have the authority as their Power of Attorney, or they may have given you, their consent. Evidence of your authority to act on behalf of the Data Subject should be submitted via the webform. In cases where consent from the Data Subject has been sought, we will need to see written and signed evidence of your appointment to act on their behalf which shows they understand the nature of the request, what information is being requested and the consequences of the disclosure. We may also contact the person to discuss their disclosure with them when appropriate.
Request a copy of your personal data
Reviews and complaints
If you are unhappy with the way we have handled a subject access request you can raise your concerns in the following way:
Stage 1 - Please contact the person who sent the response to your request. It may be that we can resolve the issue there and then.
Stage 2 - If you remain dissatisfied, you can request a review through the person who sent the response to your request. Your appeal will be directed to a member of the council's legal team for consideration.
Stage 3 - If you are unhappy with the outcome of the review, you can contact the Information Commissioner's Office, which investigates complaints about public bodies' handling of information requests.
Due the majority of Bromley Council staff now remote working, some requests will take longer than others if the requested information is held in a physical format.
At any stage, we aim to respond within 30 days.