Privacy notice

Personal data includes information about you, which can be used to identify you as an individual.  Examples include:

• Your name
• Your date of birth
• Your contact details
• Your image.

Special category data is the most sensitive type of personal data and includes:

• Information about your health or any social care services that you may use
• Information that could identify your racial or ethnic origins
• Information that could identify your political beliefs
• Information that could identify your religious or philosophical beliefs
• Information that could identify your trade union membership
• Genetic data
• Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
• Information about your sex life, or sexual orientation.

Please see the list of directorate and service specific notices listed at the bottom of this page for more details about the personal data that is processed in each area and where it comes from.

Our reasons for using personal information include:

• delivery of services and support to you
• managing our services
• training workers
• investigating complaints about our services
• monitoring and protecting public spending
• monitoring the quality of our services to ensure they are delivered in the most efficient and effective way
• helping us to improve and plan new services
• complying with laws that require us to provide personal information to other organisations, such as health organisations and courts.

My Care Record

The council is also part of the My Care Record approach which is supporting the work of health and care organisations across the East of England. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. For example, a doctor treating you in hospital, or a nurse working in the community, could view the information they need from your GP records.

For more information, including the My Care Record Privacy Notice, please visit the My Care Record website.

National Data opt-out

Under the national data opt-out everyone who uses publicly-funded health and/or care services can stop health and care organisations from sharing their “confidential patient information” with other organisations if it is not about managing or delivering their own care. For example, if this information is used for research or planning purposes.

At this time, the council does not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose.

You can find out more at Your NHS data matters.

Personal and special category data

Under data protection law, the council can only process your personal and special category data if it is lawful to do so. We will usually be allowed to use your information because we are complying with a specific public task, or because the service we are providing is set out in law, however, there may be other reasons.

To find out which legal bases different services rely on when processing your personal data, please see the service specific privacy notices which are listed at the bottom of this page.

Criminal offence data – general processing

Some services also processes criminal offence data which may include:

• Information about any criminal record or criminal history
• Allegations of criminal behaviour, including unproven allegations
• Absences of convictions, for example the results of DBS checks, or Police National Computer checks
• Personal data of victims and/or witnesses
• Personal data about criminal penalties that may have been awarded.

To find out more about whether a service is processing criminal offence data, and which lawful bases they are relying on, please see the relevant service specific privacy notice listed at the bottom of this page.

Law enforcement purposes

Some services process personal and special category data for law enforcement purposes. To make sure that this processing is lawful, the relevant services are competent authorities for the purposes of Part 3 of the DPA 2018 and they process personal data to prevent, investigate, and prosecute criminal activities, or exercise criminal penalties

To find out more about whether a service is processing personal data for law enforcement purposes, and which lawful bases they are relying on, please see the relevant service specific privacy notice listed at the bottom of this page.

Sometimes, services within the council rely on legitimate interests as a lawful basis for processing your personal data. The legitimate interest basis under the UK GDPR allows these services to process personal data in ways that you would reasonably expect and that have a minimal impact on you, or where there is a justified reason for processing your data.

Where a service relies on legitimate interests, it will only apply in respect of processing personal data that falls outside of its public authority tasks. You can find out more information about whether or not services are relying on legitimate interests to process personal information, and what those legitimate interests are, by looking at the service specific privacy notices listed at the bottom of this page.

The council will not sell or give personal information to any other organisation for direct marketing purposes without your consent.

SCC has contracts with some other organisations to help us provide services in certain areas, or to manage information. Those contracts and other arrangements have procedures in place which require the organisations to comply with data protection law so that the information will only be used to discharge those functions.

SCC will not share your personal information with third parties generally, though there are some situations in which we have a legal duty to do so, which may override your right to confidentiality in that particular circumstance. These include:

• court proceedings
• detection and/or prevention of crime or fraud
• to protect a child
• to protect a vulnerable adult.

We will always aim to share the minimum information that will enable us to fulfil our legal obligation and will try where possible to protect your information by anonymising it. We will keep you informed about what information we have shared and with whom, where we are legally able to do so.

We will sometimes share data with third parties to help us, for example, to deliver our services to you. If this happens, the department providing the service to you will tell you which organisations your information has been shared with. Please see the relevant service specific privacy notice listed at the bottom of this page.

To find out whether a service transfers any personal data to countries or international organisations outside of the EU, the EEA (European Economic Area), or to any other country that does not have an equivalent level of data protection to the UK, please see the relevant service specific privacy notice in the list below.

The council will only keep personal data for as long as we need it to provide services, fulfil its obligations, to comply with any legal requirements for keeping certain types of information, and in line with any statutory or locally determined retention periods.

To find out how long services keep different types of information for, or to find out who to contact, please see the relevant service specific privacy notice listed at the bottom of this page.

To find out whether a service is making automated decision using your personal information, or whether it uses profiling, please see the relevant service specific privacy notice listed at the bottom of this page.

Under data protection law, you have several rights regarding your personal data. These are:

• Access to records - you can ask for copies of information we hold about you.
• Correction of inaccurate information - if you think information we hold about you is inaccurate or incomplete, you can ask for this to be corrected.
• Portability - you can ask us to provide any electronic data we may hold about you in a format that allows you to transfer it from one service to another.
• The right to erasure (also known as the right to be forgotten) - you can ask for personal information we hold about you to be deleted or removed in some circumstances, for example, where we no longer need to use it. We will not always be able to agree to the request, but in those cases, we may at least be able to restrict the processing.
• Objections - you can ask us to stop processing your information for certain purposes, for example, direct marketing. However, this may delay or prevent us from being able to deliver a service, and we will not always be able to agree to your request, particularly where this relates to our public task functions.
• Restrictions - you can ask us to restrict the processing of your data, even though we still hold it, for example, if you are challenging the accuracy, or where we have to continue to hold the data for legal reasons, even though you have objected.
• Automated decision making and profiling - you are entitled to protection against damaging decisions being made about you due to automated processes based on digital or other information we hold, and without human intervention, except for some situations where this is authorised by law.

If you would like to make a request to exercise any of the rights above, please contact the Information Governance team at data.protection@suffolk.gov.uk

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

Email: casework@ico.org.uk