Privacy notice

The London Borough of Bexley is a ‘data controller’ as we collect and process personal information about you.

The information we collect is used in accordance with data protection and other relevant legislation. If you follow a link to a service provided by another government department, agency or local authority, that organisation will:

  • be the data controller
  • be responsible for processing any data you share with them
  • publish and manage their own privacy notice with details of how to contact them

A data controller determines how and why personal data is processed. For more information, read the London Borough of Bexley's entry in the Data Protection Public Register.

What data we collect

We collect certain information or data about you when you use our website. This includes:

  • forms you complete, questions, queries or feedback you leave, including your email address if you send an email to our website
  • your Internet Protocol (IP) address, and details of which version of web browser you used
  • information on how you use the site, using cookies and page tagging techniques to help us improve the website
  • details to allow you to access our services and transactions, e.g. an email address (you'll always be told when this information is being collected, and it will only be used for the purpose you provide it for)

Why we need your data

We collect this information to help us to:

  • deal with your requests and administer our departmental functions
  • meet and perform our statutory functions and obligations including those related to equalities and diversity
  • prevent and detect fraud
  • conduct our own surveys and research
  • improve the site by monitoring how you use it
  • respond to any feedback you send us if you’ve asked us to
  • provide you with information about local services if you want it
  • deliver and manage the services we provide to you
  • confirm your identity
  • process financial transaction such as invoices, payments and benefits
  • train and manage the employment of our workers who deliver those services
  • investigate any complaints you have about our services
  • monitor spending on services
  • emergency response management
  • protect individuals from harm

We cannot personally identify you using your data.

Disclosing your information

We may pass on your personal information if we have a legal obligation to do so, or if we have to enforce or apply our terms of use and other agreements. This includes exchanging information with other public-sector organisations including:

  • other departments within the Council (including the Councillors)
  • central government departments
  • law enforcement agencies
  • other organisations which deal with, or handle, public funds
  • organisations set up under Acts of Parliament
  • organisations which provide community services
  • contractors that process data on our behalf

We may also use and disclose information, in ways which do not identify individuals, for research and strategic development purposes.

How long do we keep your data?

We will only keep your personal information for as long as we consider that it is necessary to be retained. We have a Record Retention Schedule which lists how we would intend to keep your personal information.

Where your data is processed and stored

Transmitting information over the internet is generally not completely secure, and we can’t guarantee the security of your data. Any data you transmit is at your own risk. We have procedures and security features in place to try and keep your data secure once we receive it.

We won't share your information with any other organisations for marketing, market research or commercial purposes, and we don't pass on your details to other websites. Payment transactions are always encrypted.

We store your data on our secure servers in the UK or in the European Economic Area (EEA). It may also be stored outside of Europe, where it could be viewed by our staff or suppliers. By submitting your personal data, you agree to this.

Your rights under data protection legislation

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Under the Data Protection Act, we have a legal requirement to ensure that all personal information is kept secure, accurate and up to date. It should also only be used for specified, explicit purposes and kept for no longer than necessary.

Further information about your rights can be viewed on the Information Commissioner's Office website.

If you have any questions about your rights under data protection legislation, please direct these to the Complaints and Freedom of Information Team by emailing foi@bexley.gov.uk or by phoning 020 3045 4700.

You can view the Complaints and Freedom of Information.

What personal information do we process?

Personal information can be any information that relates to or identifies a living person, including a name, date of birth, postal address, email address, telephone number and debit or credit card details.

The law regards some personal information as being in a special category given its sensitivity and is therefore given more protection. This includes information that identifies racial/ethnic origin, political opinions, religious/philosophical beliefs, sexual orientation and information regarding physical and mental health.

Service-specific privacy notices below will explain in more detail the lawful basis for processing your personal information. The Council is a signatory to a number of data-sharing agreements. The types of purposes for which it is legitimate to share your personal information are set out in these Agreements. We may share the personal information of our service users where it is fair and lawful to do so and where the sharing takes place in a transparent manner.

The right to withdraw consent

Where the legal basis for processing your personal information is consent, you have the right to withdraw that consent at any time by notifying us. If you withdraw your consent it may take longer or not be possible to continue to provide you with that service. Service-specific privacy notices below will explain in more detail how you can exercise your rights.

Contact us or make a complaint

However, if you have any queries or concerns with how your information is being processed please contact data.protection@bexley.gov.uk.

You have the right to complain to the Information Commissioners Office at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Email: casework@ico.org.uk or Tel: 0303 123 1113

Changes to this policy

We may change this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Adult Social Care Privacy Notice

The London Borough of Bexley is a ‘data controller’ as we collect and process personal information about you. The information we collect for adult social care is used in accordance with data protection and other relevant legislation. Contact details for the data controller’s representative are:

Nick Hollier
Data Protection Officer
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath
DA6 7AT

Email Data.protection@bexley.gov.uk
Telephone 020 8303 7777

What personal information do we process?

When we have contact with you either in person, by phone, email or any other form of communication we may need to collect and store the personal information about you or your family provided so that we can offer the appropriate service. The types of information we require from you will include at a minimum the following personal information, such as:

  • name
  • address
  • date of birth
  • national insurance number
  • NHS number
  • contact information
  • telephone number(s)
  • email address

As well as Personal Information where applicable, we may collect and share additional information known as ‘Special Categories of Personal Data’ where appropriate including:

  • health/social care joint assessment
  • professional’s referrals
  • race
  • gender
  • ethnic origin
  • religion
  • genetics
  • sexual orientation

What is the purpose of processing your personal information?

We process personal information to enable us to provide a range of adult social care services:

  • to enable us to carry out statutory social care functions which we are legally responsible for
  • to allow us to communicate and provide services appropriate to your needs
  • gather information which informs planning and service delivery decisions
  • where we are legally obliged to undertake data processing prevention and/or detection of fraud and crime
  • to process financial transactions such as the Department for Work and Pensions or where the Council is acting on behalf of other Government Bodies including the Department of Health and Social Care
  • where necessary to safeguard people to protect them from harm or injury
  • conduct research or statistical analysis that allows us to target and plan the provision of services for adults
  • to identify residents/users for notifying them of proposed or planned changes to services that may affect them
  • to assist the council in responding to emergencies or major accidents. This allows the council, in conjunction with the emergency services, to identify citizens who may need additional support

What are the lawful basis for processing your personal information?

The majority of the Health and Social care information that you provide us will be processed under Lawful Processing Article 6(1)(e) ‘… necessary for the performance of a task carried out in the public interest or in the exercise of official authority …’ and Article 9(2)(h) ‘...medical diagnosis, the provision of health or social care treatment or the management of health and social care systems…’ of the General Data Protection Regulations. Processing in this context means the organisation, retrieval, consultation, use and deletion or destruction of information and its disclosure to other agencies necessary for tasks to be carried out in the public interest or for the provision of health or social care services.

When we share your information between the LB Bexley and NHS services, we will only do this for the provision of your care, when doing so we rely on the following legislation:

Who are recipients or categories of recipients of your personal information?

When an adult receives care from Bexley Adult social care we get your information from many sources, but most commonly from you:

  • by agreement or request (you volunteer)
  • from a carer or other family member.
  • safeguarding concerns (so agencies can share information about an individual without their consent)
  • referral from another organisation – for example your GP, Hospitals, Community health services.
  • referral from the police or fire services
  • referral from the voluntary sector 

Adult social care will share your information with a number of bodies for the provision of direct care under the processing reasons above.

We will share your details with health bodies such as GPs, community NHS trusts, hospitals and mental health trusts for direct care.

We commission health and social care providers for a range of services such as home care, residential care, residential and nursing care, day care, transport services, mental health services, personal assistants, shared lives and other specialist care services.

We also commission community and residential packages (Learning Disability, Physical Disability and Mental Health) on behalf of Bexley CCG and we make payments on behalf of the CCG. Whilst the CCG may have their own contract with the provider, we commission and manage the package on their behalf using LB Bexley contracts. The CCG does not have access to your information during this process.

We will therefore give the providers of services above access to your personal information to ensure a safe and accurate service can be delivered which is relevant to your needs.

Personal information may also be shared with the following broad category of organisations when we are either permitted to or are required by law:

  • Councillors and Members of Parliament
  • Other LB Bexley internal teams
  • Central Government Departments
  • Courts
  • Schools and colleges
  • Other Health organisations
  • Housing Associations and or other registered social landlords
  • Other Local authorities
  • Police
  • London Fire Brigade
  • Voluntary sector organisations

Intent to transfer personal information to a third country or international organisation?

Should it be necessary to transfer personal information outside the European Economic Area it will only be transferred to a third country or international organisation which the European Commission has decided has appropriate safeguards, including binding corporate rules.

How long do we keep your personal information?

We will only keep your personal information for as long as we consider that it is necessary to be retained or where there is a legal requirement over a set number of years. We have a  Record Retention Schedule (PDF)* which lists how we would intend to keep your personal information.

* This file may not be suitable for users of assistive technology. Request an accessible format

Your individual rights

At any point while we are in possession of or processing your personal data, you, have the following rights:

  • the right to access your personal information that we hold about you. To access your personal information see Information requests
  • the right to rectification of your personal information
  • the right to erasure of your personal information (sometimes called the ‘right to be forgotten’)
  • the right to object to the processing of your personal information
  • the right to data portability allowing you to obtain and reuse your personal data for your own purposes
  • the right to restrict processing of your personal information
  • the right to not being subject to a decision based solely on automated decision making including profiling

If you wish to contact us to exercise the rights above please email scip@bexley.gov.uk this is a group email address that is monitored daily.

The right to withdraw consent

Where the legal basis for processing your personal information is consent, you have the right to withdraw that consent at any time by notifying us. As stated we have an explicit legal requirement under the acts above and under GDPR exemptions to share your information with health for the provision of direct care. If you withdraw your consent it may take longer or not be possible to continue to provide you with that service.

The NHS National Data Opt-out

National data opt-outs apply to a disclosure when an organisation, for example a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust (or for this notice Bexley adult social care).

The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, for example a research body, without being in breach of the common law duty of confidentiality. To be clear - it is only in these cases where opt-outs apply and were Bexley adult social care to have such an agreement in place we would apply the opt-out. Currently no such agreements exist.

Reference - Understanding the national data opt out

The right to lodge a complaint

You have the right to complain to the Information Commissioners Office at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk or telephone 0303 123 1113

Councillors Privacy Notice

As a representative of residents of my ward in the borough of Bexley, I am a Data Controller in my own right. A search of the Member index page will provide you with my contact details.

Personal information can be any information that relates to or identifies a living person. Typically it could include:

  • name
  • date of birth
  • postal address
  • email address
  • unique id
  • telephone number
  • debit or credit card details

The law regards some personal information as being in a special category and is given more protection by the law and includes information about an individual’s:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

Under the Data Protection Act, because I am your Councillor I am able to use information that you provide for the purpose of dealing with casework and responding to queries on behalf of my constituents. However, it is best practice that I ask for your consent to me using your personal and special sensitive information for that purpose.

I may pass your personal data on to a third party in the course of dealing with you, such as:

  • other Councillors and Members of Parliament
  • educational establishments
  • health organisations
  • housing associations and or landlords
  • local authorities
  • police and voluntary sector organisations.

Unless specifically requested by you, I will only hold your personal data until your casework or policy query has been dealt with.

At any point, while I am in possession of or processing your personal data, you, have the following rights:

  • to access personal information that I hold about you
  • to rectification of your personal information
  • to erasure of your personal information (sometimes called the ‘right to be forgotten’)
  • to restrict processing of your personal information
  • to object to the processing of your personal information
  • to data portability allowing you to obtain and reuse your personal data for your own purposes

You have the right to withdraw consent to me processing your personal data at any time. However, in withdrawing consent it may not be possible to deal with your casework or policy query.

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit ico.org.uk or email casework@ico.org.uk.

Council Tax Privacy Notice

The London Borough of Bexley is a ‘data controller’ as we collect and process personal information for the purposes of applicable data protection legislation in relation to administering Council Tax.

What information do we hold?

  • your contact details and other persons liable for Council Tax at a property
  • contact details for the owner of the property (if this is different)
  • your Council Tax liability, discounts and payments made for each financial year
  • if you pay by direct debit, we will hold your bank account details
  • if you apply for a discount or an exception, we will hold information concerning the reason for the discount, including the name of the person(s) who it applies to
  • if you apply for Council Tax Reduction, we will hold additional information such as your national insurance number, date of birth, household composition and income details
  • your online portal registration details if you register for an online account or e-billing

Who is processing my data?

All personal data we hold is treated as confidential and will be held securely in accordance with data protection legislation.  It will only be used for the assessment and collection of Council Tax unless otherwise stated.

The Council has contracts with suppliers who may process your data on our behalf and are designated data processors. Contracts include: software suppliers, scanning bureau, credit reference agencies, debt collection and enforcement agents.

Legal basis for processing your data

The legal basis for processing your data is Article 6(1) (c) legal obligation (Local Government Finance Act 1992). 

This includes The Council Tax (Administration and Enforcement) Regulations 1992, which place certain obligations on residents, owners and managing agents to provide information to determine who is liable for Council Tax. It also places additional obligations on Council Tax payers who are in arrears to supply personal information once the Council has obtained a Liability Order, or where an attachment of earnings or benefit order is in place. A Council Tax payer may be guilty of an offence and liable for a fine if the person fails, without reasonable excuse, to supply the information in accordance with these regulations.    

The Council has a duty to protect public funds and prevent and investigate all allegations of fraud and error. This includes the use of powers contained within The Council Tax Reduction Scheme (Detection of Fraud and Enforcement) (England) Regulations 2013.

How do we use the information we hold about you?

We collect information about you:

  • to correctly assess your liability for Council Tax, including entitlement to any discounts, exemptions and reductions
  • to recover any Council Tax due
  • to allow the Council to communicate with you and to provide services appropriate to your needs including the take-up of relevant services
  • to protect public funds, including: the prevention and detection of fraud

Who we will share your information with and why?

We will only disclosure information to other bodies where it is allowed by law. This includes:

  • departments within the London Borough of Bexley for the purpose of holding accurate records in respect of residency or where it is allowed for by law. Your representatives - including but not limited to appointees, Members of Parliament, Councillors, where you have provided consent
  • courts - for recovery purposes
  • enforcement agents and collections agents authorised to collect debt in accordance with agreed contracts
  • credit reference agencies - appointed to undertake debt tracing or verify discounts and exemptions
  • other local authorities, in respect of the administration and collection of local taxes
  • fraud prevention - including the National Fraud InitiativeBexley - National fraud initiative and National Anti-Fraud Network
  • other contractors - where we have a legal agreement for them to process your data on our behalf
  • tribunals and ombudsman - in response to appeals or complaints you have made
  • police, law enforcement agencies and prosecuting authorities - for the prevention or investigation of crime
  • upon receipt of a Liability Order, we may seek recovery from other bodies including your employer or the Department for Work and Pensions

Transfers out of EU:

  • no data will be transferred or held outside the EU

We will receive information from the following sources:

  • other Council Tax payers, landlords and elected members
  • other local authorities responsible for administration of local taxation
  • department for Work and Pensions, if you claim Council Tax Reduction
  • other organisations, including government departments, where we have a legal right to request information or to verify information you have provided including employers, debt support agencies such as the Citizens Advice Bureau and credit reference agencies

How long do we retain your information for?

  • council Tax liability and collection information is retained for financial and audit purposes since April 1993. It is also required if a Council Tax banding is retrospectively changed.
  • applications forms and other information that you provide in respect of Council Tax liability will be retained for a maximum of six years.

Automated decision making

  • automated decision making is where an electronic system uses personal information to decide without human intervention. This may occur in certain processes which meet defined criteria.  Applications that fail to meet defined criteria will be reviewed manually  
  • if you are not satisfied with a decision, you have the right to ask for the decision to be reviewed. In certain circumstances, you may also be able to make an appeal to an independent tribunal

Your rights

These rights may be restricted subject to London Borough of Bexley undertaking its statutory obligations in accordance with The Local Government Finance Act 1992 and other legislation.

Further information is available at the Information Commissioners Office.

If you have a concern about the way that we are collecting or using your personal data, we ask that you contact us in the first instance. Alternatively, you can contact the Information Commissioners Office.

How to contact us?

If you have any questions about how we collect, store, or use personal data for Council Tax, please email bexley.ctax@secure.capita.co.uk.

Contact details for the data controller’s representative are:

Data Protection Officer
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath
Kent DA6 7AT

Email: data.protection@bexley.gov.uk

Electoral Services Privacy Notice

This privacy notice sets out how the Electoral Services Department for the London Borough of Bexley will use and process your information.

The Electoral Registration Officer (ERO) and Returning Officer (RO) are data controllers who collect and use information about residents, candidates, election agents and election and electoral registration staff to enable us to carry out specific functions for which we are statutorily responsible.

What type of information is collected about you?

We keep records about potential and actual electors, voters, citizens, candidates and their agents, staff employed at an election and the people we need to pay. These may be written down or kept on a computer.

These records may include:

  • basic details about you - for example, your name, address, date of birth and nationality
  • unique identifiers (such as your NI number)
  • scanned application forms & dates of any letters of correspondence
  • copies or details of proof of identity and eligibility
  • notes about any relevant circumstances that you have told us
  • your previous or any redirected address
  • the other occupants in your home
  • if you are over 76 or under 18
  • whether you have chosen to opt-out of the Open version of the Register of Electors
  • your signature
  • contact details including telephone numbers and email addresses
  • previous or forwarding addresses

In addition, if you work for the Returning Officer on election duties, or for the Electoral Registration Officer for registration duties, these may also include:

  • tax status
  • next of kin/emergency contact details
  • details of previous employment

If you are a candidate at an election, an appointed agent at an election or a campaigner we may also hold these details:

  • political party affiliation
  • campaign group affiliation

We need your information for the following services and functions:

Your information will be used for the functions of the Electoral Services Department. The functions of the department are undertaken on behalf of the Electoral Registration Officer (ERO)/Returning Officer (RO) who is a data controller and collects your personal data from you for the purpose of:

  • registering your right to vote
  • processing any absent (postal or proxy) voting requests
  • producing and maintaining an accurate register of electors
  • delivering elections and referendums

Who your information may be shared with

To verify your identity, the data you provide on any application form to register to vote will be processed by the Individual Electoral Registration Digital Service (IER-DS) managed by the Cabinet Office. As part of this process, your data will be shared with the Department of Work and Pensions and the Cabinet Office suppliers that are data processors for the Individual Electoral Registration Digital Service.

You can find more information about this here: https://www.gov.uk/register-to-vote

The Electoral Registration Officer publishes two versions of the register:

1. The Electoral Register lists the names and addresses of everyone who is registered to vote in public elections. The register is used for electoral purposes, such as making sure only eligible people can vote. It is also used for other limited purposes specified in law, such as:

  • detecting crime (e.g. fraud)
  • calling people for jury service
  • checking credit applications

2. The Open Register is an extract of the electoral register but is not used for elections. It can be bought by any person, company or organisation. For example, it is used by businesses and charities to confirm name and address details. Your name and address will be included in the open register unless you ask for them to be removed. Removing your details from the open register does not affect your right to vote.

If you are concerned that having your name or address on the electoral register may affect your safety, there could be other options available to you, such as anonymous registration. In certain limited circumstances, you can register without your name and address showing on the register.

The electoral register is published once a year (usually each December) and is updated on the first working day of each month between January and September. The law restricts who can be supplied with the electoral register, extracts of the electoral register and absent voter records. Details of who can be provided with this data can be found here.

Anyone can inspect the electoral register because it is a public document. Inspection can be made of a hard copy held by Electoral Services. Information is listed in address order for each polling district.

  • Inspection of the register is conducted under supervision.
  • Hand written notes may be made during inspection, but no copies of photographs of the register are allowed.
  • Any information recorded must not be used for direct marketing purposes, in accordance with data protection legislation, unless it has been published in the open register.
  • Anyone who fails to observe these conditions may be charged a penalty of up to £5,000.

We also have to share your information with our software providers and contracted printers for the purpose of carrying out our duties of electoral registration and delivering elections and referendums.

Staffing data may be shared with other Returning Officers and Electoral Registration Officers as appropriate. All staff details will also be shared with the payroll team and HMRC in order to make payments.

Details of candidates, election agents, subscribers to nomination papers and other political campaigners may be published where the law requires.

The legal basis for processing your data

The collection and retention of data from individuals and inspection of other council records is governed by legislation (including):

  • Representation of the People Act 1983
  • Representation of the People Regulations 2001
  • The Electoral Registration and Administration Act 2013

The law makes it compulsory to provide information to an Electoral Registration Officer when requested. This is for the compilation and maintenance of an accurate electoral register.

Records are kept for:

  • potential electors who need to register to vote
  • non-eligible citizens so we can stop inviting them to register
  • electors who have registered to vote

Returning Officers have statutory duties to collect and retain information from:

  • candidates and their agents
  • staff employed at an election
  • voters

This information may be kept in either digital format (i.e. data within a software system or as scanned copies of documents) or hard copy printed format or both.

Housing Services Privacy Notice

What information do we process?

When we have contact with you, we may need to process personal information about you or your family, so that we can offer you the correct and appropriate service. Personal information can be any information that relates to or identifies a living person. The types of personal information we process may include:

Basic personal details

  • Name
  • Address
  • Gender
  • Contact details: Email address, telephone number(s)
  • Date of birth
  • Nationality
  • National Insurance Number

Marital status

  • Reason why you have contacted us
  • Previous contacts that we have had with you
  • Details of your current accommodation and household, including keyholder
  • Details of family makeup, including next of kin
  • Immigration status

As well as personal information, we may need to process additional information, known as special category information. This information is more sensitive and could potentially be used against individuals for unlawful discrimination. The types of special category information we process may include:

Personal characteristics 

  • Ethnicity
  • First language
  • Religious beliefs
  • Sexual orientation

Financial information

  • Proof of income
  • Savings
  • Investments
  • Pension
  • Benefits

Medical information (including details of GP, and any other people providing professional support)

  • housing needs and risk factors
  • proof of housing ownership/occupancy
  • physical and mental health factors
  • criminal record and offending history*

*The processing of criminal offence data also has additional legal safeguards. Criminal offence data includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.

What is the purpose of processing your personal information?

We process information to enable us to provide a range of housing services and to carry out specific functions, including statutory duties and regulatory enforcement for local people and businesses. As such, we may require your information to deliver effective services in the following core areas:

  • allocation and administration of social housing
  • advice and support around housing options, including:
    • residents facing eviction or homelessness
    • residents who have no recourse to public funds
    • residents with independent living (repairs, equipment, adaptations, etc.)
  • provision of accommodation
  • homelessness prevention
  • assessment and administration of Disabled Grant Applications
  • investigating empty properties
  • management of our fixed Traveller Site

We may also use your personal information for statutory investigations and inspections, in the following ways:

  • housing standards and enforcement, including administering Property Licensing Schemes
  • assessing applications for licences, registrations and permits
  • investigating environmental and nuisance issues (noise complaints, air quality, pest control, litter, etc.)
  • possession orders for unauthorised Gypsy and Traveller encampments
  • improving fire safety and prevention
  • protecting local assets, amenities and the environment

In addition, we may need to use some personal information about you to:

  • monitor and analyse the quality and statistical performance of our services, to seek continuous improvement
  • inform decisions on requirements, design and commissioning of services
  • help investigate complaints about our services and commissioned services
  • comply with government department research and deliver national government programmes and decisions

What are the lawful bases for processing your personal information?

Housing Services process personal data under the following categories of lawfulness, according to the General Data Protection Regulation:

  • Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9(2)(b) - processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
  • Article 9(2)(g) - processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards.

The tasks that we carry out where we have a legal obligation or are in exercise of official authority, are required under the following laws:

  • Animal Health Act 1981
  • Antisocial Behaviour Crime and Policing Act 2014
  • Building Act 1984
  • Caravan Sites Act 1968
  • Caravan Sites Control of Development Act 1960
  • Care Act 2014
  • Clean Air Act 1956, 1993
  • Control of Pollution Act 1974
  • Criminal Justice and Public Order Act 1994
  • Criminal Justice and Public Order Act 1994
  • Environment Act 1995 (Section 108)
  • Environmental Protection Act 1990
  • Equality Act 2010
  • Homelessness Reduction Act 2017
  • Housing Acts 1985, 1988, 1996, 2002, 2004
  • Housing and Planning Act 2016
  • Housing Grants, Construction and Regeneration Act 1996
  • Licensing Act 2003
  • Local Government (miscellaneous provisions) Act 1976, 1982
  • Local Government Act 1972
  • Local Government Act 1985
  • Local Government Act 2000
  • Localism Act 2011
  • Performing Animals (Regulations) Act 1925
  • Prevention of Damage by Pests 1949
  • Public Health (Control of Diseases) Act 1984
  • Public Health Act 1936, 1961
  • Refuse Disposal Amenity Act 1978
  • Town and Country Planning Act 1990

Other legislation may apply. For the full list of functions delegated to officers on behalf of the council, see London Borough of Bexley’s Scheme of Specific Delegations to Officers.

Who are the recipients, or categories of recipients, of your personal information?

We will generally only allow your personal information to be used by those staff within Housing Services who require the data to perform their functions.

In other situations, we only pass personal information about you to people or organisations that have an identifiable need for it. In such a situation, a Data Sharing Agreement will be in place between the London Borough of Bexley and partners, to ensure personal information remains secure and the process remains transparent.

For example, the council has outsourced some of its services in various arrangements, such as:

  • joint arrangements with other local authorities
  • partly owned (‘arms-length’) companies
  • private sector companies commissioned to provide services on our behalf
  • collaboration with Registered social landlords

As such, we may need to supply your information to these organisations, in order to ensure an effective service is delivered, relevant to your needs.

Additionally, it can be necessary to share your personal information with other professionals and services, where they can provide additional information and professional opinion to assist us in our decision making, or where service users would benefit from a particular local service. Any information shared with other professionals and services will strictly adhere to this Privacy Notice, with specific regards to purpose and lawful basis.

Similarly, personal information may also be shared with the following broad categories of organisations, when we are either permitted to or are required to, by law:

  • banks, credit reference agencies and debt Collection Agencies
  • Councillors and Members of Parliament
  • Fire Brigade
  • government agencies and departments
  • health organisations
  • Local Government Ombudsman (LGO)
  • other Local Authorities
  • police
  • prison and court services
  • private sector letting companies
  • schools and colleges
  • voluntary sector organisations
  • general public*

Housing Services may also receive information from the parties listed in this section, so that we can carry out our core services and statutory functions. Please note this list is not exhaustive.

*We will provide information to the general public where we have a legal obligation to do so, such as when we receive Freedom of Information (FOI) requests, Subject Access Requests (SAR) and Environmental Information Requests (EIR).

Intent to transfer personal information to a third country or international
organisation?

Should it be necessary to transfer personal information outside the European Economic Area, it will only be transferred to a third country or international organisation which the European Commission has decided has appropriate safeguards, including binding corporate rules.

How long do we keep your personal information?

We will only keep your personal information for as long as we consider that it is necessary to be retained. We maintain an Information Asset Register to manage and keep secure the personal information we hold. We also publish a Record Retention Schedule, which lists how long we intend to keep your personal information.

Your individual rights and further information

At any point while we are in possession of or processing your personal data, you, have the following rights:

  • to access the personal information that we hold about you
  • to rectification of the personal information that we hold about you
  • to erasure of the personal information that we hold about you (sometimes called the ‘right to be forgotten’)
  • to object to the processing of the personal information that we hold about you
  • to data portability - allowing you to obtain and reuse your personal data for your own purposes
  • to restrict the processing of the personal information that we hold about you
  • to not be subject to a decision, based solely on automated decision making, such as profiling

The right to withdraw consent

Where the legal basis for processing your personal information is consent, you have the right to withdraw that consent at any time by notifying us. If you withdraw your consent, it may result in Housing Services being unable to provide you with a certain service.

To exercise your right to withdraw consent, please email housingoptions@bexley.gov.uk.

The right to lodge a complaint

You have the right to complain to the Information Commissioners Office at:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Email: casework@ico.org.uk or Tel: 0303 123 1113

Human Resources Service Privacy Notice

The HR Service collects and processes personal data relating to candidates for employment (for whom a separate privacy notice applies), Council employees and workers (including agency workers and consultants) and elected Members to manage the employment/other relationship and/or to administer payment of salary, allowances or expenses. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

The information we collect

We collect and process a range of information about you. Depending upon whether the individual concerned is a direct employee, worker (including agency workers and consultants) or elected Member this may include:

  • your name, address and contact details, including email address and telephone number, date of birth and gender
  • the terms and conditions of your employment
  • details of your qualifications, skills, experience and employment history, including start and end dates, and dates of continuous service
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover;
  • details of your bank account and national insurance number
  • information about your marital status, next of kin, and emergency contacts
  • information on dependants where required for pension purposes or child care vouchers or benefits;
  • information about your nationality and entitlement to work in the UK
  • details of your working arrangements (days of work and working hours) and attendance at work
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave
  • details of any disciplinary, performance, absence or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence
  • information about medical or health conditions, including whether or not you have a disability for which the Council needs to make reasonable adjustments
  • details of trade union membership
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief

We collect this information in a variety of ways. For example, data is collected through application forms or CVs; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of or during employment (such as pension benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

In some cases, we collect personal data about you from third parties, such as references supplied by former employers and information from Disclosure and Barring checks permitted by law.

Data is stored in a range of different places, including in your personnel file, (details are held electronically on the Council’s DocStor system known as Estor), in the HR management systems (TOPS) and in other IT systems (including the Council’s email system).

Processing personal data

We process data to enter into an employment contract with you and to meet our obligations under your employment contract. For example, we need to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. For certain positions, it is necessary to carry out Disclosure and Barring checks to ensure that individuals are permitted to undertake the role in question.

In other cases, we have a legitimate interest in processing personal data before, during and after the end of the employment relationship. Processing employee data allows us to:

  • run recruitment and promotion processes
  • maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights
  • operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace and for the purposes of safeguarding of children and vulnerable adults
  • operate and keep a record of employee performance and related processes, to support career development and for workforce management purposes
  • operate and keep a record of absence and the application of absence procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled
  • obtain occupational health advice, to ensure that we comply with duties in relation to the health and wellbeing of our workforce, individuals with disabilities, meet our obligations under health and safety law, and ensure that employees are receiving the pay or other benefits to which they are entitled
  • operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure we comply with duties in relation to leave entitlement and to ensure that employees are receiving the pay or other benefits to which they are entitled
  • ensure effective general HR and business administration
  • provide references on request for current or former employees
  • respond to and defend against legal claims
  • maintain and promote equality in the workplace

Some special categories of personal data, such as information about health or medical conditions is processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow us to operate check-off (membership fees) for union subscriptions.

Where we process other special categories of personal data such as information about race, sex, sexual orientation, religion or belief, age, gender reassignment, marriage or civil partnership, pregnancy and maternity and disability, this is done for the purpose of equal opportunities monitoring and the implementation of any equality related employment initiatives.

Access to data

Relevant information will be shared internally across the HR Service, your line manager and managers in the service area. Information shared is limited. In respect of data relating to any protected characteristics this is restricted to the HR Service. Where an employee or worker has a disability that requires workplace adjustments relevant information will be provided to the appropriate line managers to comply with this legal obligation. Detailed medical information and records are restricted to the Occupational Health Service.

Occupational Health will, however, provide reports to managers and HR regarding fitness for employment and any measures required to support employees at work that are affected by health conditions.

We share only relevant and necessary data with third parties to the extent necessary in order to undertake pre-employment checks, for example, references and DBS checks. We also share your data to the extent necessary with third parties that process data on our behalf, for example in connection with pension and other benefit provisions. We also share relevant and necessary data with external third parties in order to meet our statutory and regulatory obligations.

The Council is under a duty to protect the public funds it administers and to this end must use the information you provide within its authority for the prevention and detection of crime and fraud. It may also share this information with other bodies administering public funds solely for this purpose.

We will not transfer your data to countries outside the European Economic Area.

Protecting your data

We take the security of your data seriously and have controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except where this is authorised.  Where we engage third parties to process personal data on our behalf (for example the administration of pensions), those third parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Retaining Data

We will hold your personal data for the duration of your employment. The periods for which your data is held after the end of employment are set out in the Council’s Retention Schedule.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request
  • require us to change incorrect or incomplete data
  • require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data where we are relying on its legitimate interests as the legal ground for processing
  • ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data

If you would like to exercise any of these rights, please contact hradmin@bexley.gov.uk.

You can make a subject access request by completing the form which can be found at the following link https://www.bexley.gov.uk/services/complaints-and-InformationRequests/information-requests.

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner.

Providing personal data

You have some obligations under your employment contract to provide us with data. In particular, you are required to report absences from work and you may be required to provide information about convictions, charges or criminal investigations where these may impact upon your role. You may also have to provide us with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean non-compliance with a contractual obligation and/or that you are unable to exercise your statutory rights.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Council to enter a contract of employment with you. The failure to provide details of a right to work in the UK will mean that we cannot employ you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

Automated decision-making

No employment decisions are based solely on automated decision-making.

Job Applicant Privacy Notice

The HR Workforce Resourcing Team collect and process personal data relating to job applicants. We are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.

The information we collect

We will collect and process a range of information about you. Depending upon whether you will be a direct employee or worker (including agency workers and consultants) this may include:

  • your name, address and contact details, including email address and telephone number
  • details of your qualifications, skills, experience and employment history
  • information about your current level of remuneration, including entitlements to benefits such as pensions or insurance cover
  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
  • information about your entitlement to work in the UK
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief

We collect this information in a variety of ways. For example, data is collected through application forms or CVs; obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of your employment (such as pension benefit nomination forms); from correspondence with you; or through interviews, meetings or other assessments.

We will also collect personal data about you from third parties, such as references supplied by former employers and in some cases information from Disclosure and Barring checks permitted by law.

Data is stored in a range of different places, including in your HR file, (details are held electronically on the Council’s DocStor system known as Estor), in the HR management systems (TOPS) and in other IT systems (including the Council’s email system).

Where unsolicited speculative CV’s are received for a role which is not currently being advertised/recruited to, in particular for hard-to-fill roles, we may share this with relevant managers and may hold it on file in line with the Council’s retention schedules.

Processing personal data

We process data in order to make decisions on recruitment and appointments. For candidates that are appointed to the Council please also refer to our Privacy Statement covering employees.

We need to process data to ensure that we are complying with our legal obligations. For example, we are required to check a successful applicant’s eligibility to work in the UK before employment starts. For certain positions, it is necessary to carry out Disclosure and Barring checks to ensure that individuals are permitted to undertake the role in question.

We have a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

We also process health information to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out our obligations and exercise specific rights in relation to employment.

Where we process other special categories of data, ie any information related to a protected characteristic such as information about ethnic origin, sexual orientation, health, religion or belief, age, gender or marital status, this is for equal opportunities monitoring purposes.

For some roles, we are obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary to carry out our obligations and exercise specific rights in relation to employment.

If your application is unsuccessful, we will keep your personal data on file for a period of one year in accordance with the Council’s published retention schedules.

Access to data

Relevant information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and Workforce Resourcing Teams, interviewers involved in the recruitment process, managers in the service area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

Information shared is limited. In respect of data relating to any protected characteristics, this is restricted to the HR Service. Where an applicant has a disability that requires adjustments to the recruitment processes, relevant information will be provided to the recruiting managers to comply with this legal obligation. Detailed and medical information and records are restricted to the Occupational Health Service.

Occupational Health will, however, provide reports to HR regarding fitness for employment and any measures required to support prospective employees who are affected by health conditions for when they commence their employment with us.
We will not share your data with third parties other than sharing relevant and necessary data with former employers to obtain references for you, employment background check providers to obtain necessary background checks, the Disclosure and Barring Service to obtain necessary criminal records checks and any other relevant professional bodies as necessary to undertake pre-employment checks or to fulfil any other statutory requirements.

The Council is under a duty to protect the public funds it administers and to this end must use the information you provide within its authority for the prevention and detection of crime and fraud. It may also share this information with other bodies administering public funds solely for this purpose. We will not transfer your data to countries outside the European Economic Area.

Protecting your data

We take the security of your data seriously and have controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

Where we engage third-party recruiters to process personal data on our behalf (for example a recruitment agency), those third parties are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Retaining data

If your application for employment is unsuccessful, the organisation will hold your data on file for one year after the end of the relevant recruitment process. When registering for vacancy alerts, by indicating that you wish to be notified of any future vacancy if you are unsuccessful, you are providing consent to your data being retained for these purposes.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your HR file and retained during your employment for the performance of your employment contract and thereafter the Council’s Privacy Notice relating to employees will also apply.

The periods for which your data is also held during and after the end of employment are set out in the Council’s Retention Schedule.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request
  • require us organisation to change incorrect or incomplete data
  • require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • object to the processing of your data where we are relying on its legitimate interests as the legal ground for processing
  • ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data

If you would like to exercise any of these rights, please contact hradmin@bexley.gov.uk You can make a subject access request by completing the form which can be found at the following link: https://www.bexley.gov.uk/services/complaints-and-Information-Requests/information-requests.

If you believe that we have not complied with your data protection rights, you can complain to the Information Commissioner.

Providing personal data

You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Council to enter a contract of employment with you. The failure to provide details of a right to work in the UK will mean that we cannot employ you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

Recruitment processes are not based solely on automated decision-making.

Parking Services Privacy Notice

The London Borough of Bexley is a 'data controller' as we collect and process personal information about you. The information we collect is used in accordance with data protection and other relevant legislation. Contact details for the data controller's representative are:

Nick Hollier - Data Protection Officer
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath 
Kent 
DA6 7AT
data.protection@bexley.gov.uk
0208 303 7777

Our contact details:

Shared Parking Service of the London Boroughs of Bexley & Bromley
Bromley Civic Centre
Stockwell Close
Bromley
Kent
BR1 3UH

www.bexley.gov.uk/parking

parking.services@bexley.gov.uk

020 3045 3000

The type of personal information we collect

We currently collect and process the following information:

  • personal identifiers, contacts and characteristics (for example, name and contact details)
  • vehicle registration mark
  • personal name and addresses
  • business name and addresses
  • email addresses
  • payment details
  • any other relevant information in relation to the issue, processing and recovery of a civil traffic or parking Penalty Charge Notice, including but not limited to, evidence of vehicular breakdown, medical certificates, Police reports, documentary evidence of delivery or collection of goods or items
  • any other relevant information relating to the application and processing of any parking dispensation or suspension or parking permit administered by or on behalf of Parking Services

How we get the personal information and why we have it

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • to challenge the issue of a civil traffic or parking penalty charge
  • to resolve an outstanding debt payable to the Authority in relation to a civil traffic or parking penalty charge
  • to serve as supportive evidence in relation to a controlled parking permit issued by or on behalf of Parking Services

Information can be supplied through direct online portal exchange, email, corporate enquiry forms, telephone and face to face exchanges.

We may also receive information from external bodies such as:

  • the Driver and Vehicle Licensing Agency
  • the Traffic Enforcement Centre
  • enforcement agents (engaged on recovery of debt outstanding as a result of the issue of civil traffic or parking penalty charges
  • third-party hire or lease companies to support claims that liability has transferred

We use the information that you have given us in order to:

  • process and resolve civil traffic and parking penalty charges
  • process applications for parking permits or dispensation/suspension requests

We may share this information with:

  • London Borough of Bexley Parking Services Officers
  • London Borough of Bexley Officers from other Council departments
  • our civil traffic and parking service contractor (APCOA)
  • enforcement agents tasked with the recovery of debt outstanding in relation to the issue of civil traffic and parking penalty charges
  • the Traffic Enforcement Centre at Northampton County Court
  • London Councils
  • other Local Authorities
  • London Tribunals
  • cashless parking provider - RingGo
  • Videalert
  • Edesix
  • European Parking Collection
  • law enforcement agencies in connection with any investigation and to prevent unlawful activity
  • the National Fraud Initiative
  • Imperial Civil Enforcement Solutions

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(c) We have a legal obligation

Under Part 6 of the Traffic Management Act and related statutory guidance and moving traffic legislation, the London Borough of Bexley is required to follow the statutory regulations set down in pursuit of outstanding charges in relation to the issue of civil traffic and parking penalty charges

(e) We need it to perform a public task

Local Authorities have a statutory responsibility to manage the public highway as the relevant highway authority on behalf of and in the best interest of the general public.

Civil traffic and parking enforcement is one required aspect to facilitate the action of managing the public highway.

How we store your personal information

Your information is securely stored on secure servers, maintained by Imperial Civil Enforcement Solutions, (the ICT service provider for Parking Services). The servers are located on mainland England and the information can only be accessed by authorised Officers and those that have been authorised to access the information. The information is not transferred outside of the United Kingdom.

Penalty charge debt can be pursued for up to six years from the date of issue in accordance with the Traffic Management Act.

The following types of information will be retained for 1 year after the date of resolution of a civil traffic and parking penalty charge, they will then be redacted:

  • registered keeper/vehicle ownership details
  • digital images
  • video recordings
  • scanned images
  • letters
  • emails
  • supportive documents

6 years after the date of resolution of a civil traffic or parking penalty charge all personal data will be removed.

There is a programme within the Notice Processing system that allows for personal data in relation to civil traffic and parking penalty charges to be managed as per above.

Your data protection rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us using one of the methods below if you wish to make a request by:

How to complain

  • if you have any concerns about our use of your personal information, you can make a complaint to us at by completing the compliments, complaints and enquiries form
  • by email to complaints@bexley.gov.uk (please ensure you quote your address and telephone number to ensure we can handle your complaint appropriately)
  • by letter to The Complaints Team, London Borough of Bexley, 2 Watling Street, Bexleyheath, Kent, DA6 7AT
  • telephone 020 8303 7777
  • in person at the Civic Offices

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:      
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Public Health Privacy Notice

All local authorities have a duty to improve the health of the population they serve. To help us do this, we use data from a range of sources including the Office for National Statistics, NHS Digital, Bexley Clinical Commissioning Group hospitals and residents to understand more about the nature and causes of disease and ill-health in Bexley.

The Public Health team at the London Borough of Bexley also have a legal status allowing the processing of personal confidential data for certain public health purposes. The statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012. Bexley Council is registered with the Information Commissioners Office (ICO) under the provisions of the Data Protection Act 2018. Any personal information we hold is collected and processed in accordance with the requirements of the Data Protection Act 2018, EU General Data Protection Regulation (GDPR) and the Caldicott Principles. 

This Privacy Notice should be read in addition to the Bexley Council Privacy Notice at the top of this page and gives more details about how personal information is collected to improve the health of Bexley residents.

Who do we collect information about?

Bexley Council collects and holds information for public health purposes about all to whom it has a public health duty of care may include:

  • residents of Bexley
  • people receiving preventative, health, and social care services in Bexley
  • people who work or attend school in Bexley

What personal information do we process?

We work with many types of data to be able to promote health and support improvements in the delivery of health and care services in Bexley. Broadly these can be described as:

  • Special Category data - personal data which is more sensitive including race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation. Depending on the service, the provider may require information about your health or other data which is classed as sensitive. Further information can be found in the Data Protection Act 2018
  • Identifiable data - this is personal data that can identify individuals such as name, date of birth, gender, address, postcode and NHS number. Personal information includes expressions of opinion about an individual or any indications of intention in respect of the individual
  • Pseudonymised data - this contains information about individuals but with the identifiable details replaced with a unique code. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use
  • Anonymised data - all identifying details are anonymised so individuals cannot be identified
  • Aggregated data - data that has been grouped together so that it does not provide information on individuals, only groups of people

Bexley Council Public Health is committed to using pseudonymised or anonymised information as much as is practical, and in many cases, this will be the default position.

What is the purpose of processing your personal information?

Bexley Council Public Health uses personal identifiable information about residents and users of health care, to enable it to carry out specific functions for which it is responsible, such as:

  • control of infection and health protection activities
  • management of risks to public health
  • organising the National Child Measurement Programme
  • organising the NHS Health Check Programme
  • organising and supporting the 0 to 19 Children’s Public Health Service (Health visiting and school nursing)
  • contract monitoring of adult weight management service to satisfy eligibility is met
  • improving health outcomes, evaluating the quality of services and patient experience

Bexley Council Public Health also uses information about residents and users of health care to derive statistics and intelligence for research and planning purposes. In these cases, personal identifiable details are removed as soon as is possible in the processing of intelligence so that individuals cannot be identified from them.

This enables Bexley Council Public Health to carry out specific functions for which it is responsible, such as:

producing assessments of the health and care needs of the population, in particular, to support the statutory responsibilities of the:

  • Joint Strategic Needs Assessment (JSNA)
  • Director of Public Health Annual report
  • Health and Wellbeing Strategy
  • identifying priorities for action
  • informing decisions on, for example, the design and commissioning of services
  • to assess the performance of the local health and care system and to evaluate and develop them
  • to report summary statistics to national organisations
  • undertaking equity analysis of trends, particularly for vulnerable groups
  • to support clinical audits

What are the lawful bases for processing your personal information?

In order to fulfil the local authority public health responsibilities set out in the Health and Social Care Act 2012, Bexley Council has a legal basis to process personal confidential data for certain public health purposes:

  • GDPR Article 6(1)(e) Lawfulness of processing -  to allow us to perform a public task carried out in the public interest or in the exercise of official authority vested in the controller
  • GDPR Article 9(2)(i) Processing of special categories of personal data - for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular, professional secrecy

Information may also be provided directly by you as members of the public to The Council when you sign up to use a service. This is collected in appropriate systems and used to provide or administrate that service. These systems are access controlled, so only relevant employees have access to them. With consent, we may also make referrals to other services, such as a GP from these systems.

If the legal basis for processing is explicit consent, we will need to ensure you are provided with a clear:

  • explanation of exactly what is being consented to
  • clear "opt-in"
  • clear option to withdraw your consent later by use of an "opt-out"

What identifiable data do we collect?

Bexley Council Public Health and our commissioned service providers  collect identifiable data for the following public health programmes and services:

  • National Child Measurement Programme (NCMP) 
  • immunisations and control of infection
  • drug and alcohol treatment services
  • sexual health services
  • 0-19 services
  • school nursing services
  • lifestyle and behaviour change services
  • NHS population screening programmes
  • public health initiatives 
  • health and social care use including GP services, hospital services, NHS community services, mental health services, social care services
  • business owner names and contact details for the Healthier Catering Commitment
  • public health events during which contact details of residents who provide us with feedback from the events are collected.
  • Public Health England’s Data Capture System provides an integrated data reporting and analysis system for the mandatory surveillance of:
    • Staphylococcus aureus
    • Escherichia coli
    • Klebsiella spp.
    • Pseudomonas aeruginosa bacteraemia
    • Clostridium difficile infections

This data is available to Infection prevention and control and health protection professionals to enable the required mandatory surveillance including Post-infection Reviews of clostridium difficile infections and methicillin-resistant staphylococcus (MRSA) bloodstream infections.

Each commissioned provider will collect different data in order to provide each service.  The data is likely to be:

  • name
  • address
  • date of birth
  • NHS number
  • contact phone number
  • details of circumstances relevant to the service being provided (for example gender, occupation, ethnicity etc.)

London Borough of Bexley has access to the following data from NHS Digital which is supplied under a Data Sharing Agreement (DSA) and in accordance with Section 42(4) of the Statistics and Registration Service Act 2007 as amended by Section 287 of the Health and Social Care Act 2012, and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

This data is only supplied by NHS Digital under strict license and data disclosure controls.

  • Primary Care Mortality Database (PCMD) - the PCMD provides Bexley Council with identifiable mortality data which is based on death registrations. The data includes the address, postcode of residence of the deceased, postcode of the place of death, NHS number, date of birth, date of death, name of certifier, and cause of death but not names. Our access is limited to those deaths which occurred within Bexley’s borders, deaths in Bexley residents and deaths in the registered population of GP Practices within Bexley’s Clinical Commissioning Group.
  • Births data tables - this dataset provides Bexley Council with access to identifiable data about the number of births that occur within Bexley (London Borough of Bexley and Bexley Clinical Commissioning Group). It includes the address of usual residence of the mother, place of birth, postcode of usual residence of the mother, postcode of place of birth of the child, NHS number of the child and date of birth of the child but no names
  • Vital Statistics tables - this dataset provides Bexley Council with aggregated data which does not identify individuals. It contains data on live and stillbirths, fertility rates, maternity statistics, death registrations and cause of death analysis within Bexley (London Borough of Bexley and Bexley Clinical Commissioning Group).
  • Hospital Episode Statistics (HES) - HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data and contains pseudonymised records.

How do we keep information secure?

We are required to comply with the Data Protection Act 2018 to ensure information is managed securely and this is reviewed every year as part of our NHS Data Security and Protection Toolkit assessment (formerly NHS Information Governance Toolkit). 

In order to comply with this, Bexley Council Public Health and our commissioned service providers use the following measures:

  • any personal identifiable data is sent or received using secure email
  • all data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection
  • the number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all of whom undertake regular training about data protection and managing personal information
  • confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified so that the data is managed and used under the same restrictions. Anyone who receives information from Bexley Council Public Health is also under a legal duty to keep it confidential
  • we only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time. Data is permanently disposed of after this period, in line with Bexley Council’s Retention Schedule or specific requirements of the organisation who has shared the data with us
  • in relation to the specific NHS Digital datasets described above, the data will only be processed by Local Authority employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the Local Authority or in connection with their legal function.

Who do we share information with?

We will generally only allow your personal information to be used by those Council staff who need the data to perform their functions.

The following are Data Processors collecting information for the purpose of providing Public Health services on behalf of the London Borough of Bexley:

  • Bexley Stop Smoking Service
  • The Pier Road Project
  • Everyone Health
  • Adult Weight Management Programme contracted through Slimming World 
  • GP Practices delivering the NHS Health Checks programme
  • Research partners using anonymised personal data
  • Public Health England
  • Bexley Clinical Commissioning Group (CCG)
  • Councillors
  • other Local Authorities
  • organisations that are commissioned or engaged for specific short-term health projects or initiatives

There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. Your data will not be shared or stored in or be accessible to any country with no UK-equivalent Privacy Law protection.

Your individual rights and further information

The London Borough of Bexley is a ‘data controller’ as we collect and process personal information about you. The information we collect is used in accordance with data protection and other relevant legislation outlined in previous sections.

For more information about how Bexley Council processes your information, including your rights with regards your personal data that we are in possession of or processing, please see the Privacy Notice at the top of this page.

To exercise any of your rights, please contact the Bexley Council Data Protection Team or the Public Health Team using the contact details below:

Postal address:

Data Protection Team
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath
Kent DA6 7AT
Email: data.protection@bexley.gov.uk

Postal address:    
Public Health
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath
Kent DA6 7AT 
Email: Public.health@bexley.gov.uk

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest. Further information and independent advice, including complaints, can be found on the Information Commissioner’s Office website.

NHS National Data Opt-out

National data opt-outs apply to a disclosure when an organisation, for example, a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust (or for this notice Bexley Public Health).
 
The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.

In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, for example, a research body, without being in breach of the common law duty of confidentiality. To be clear - it is only in these cases where opt-outs apply and were Bexley Public Health to have such an agreement in place we would apply the opt-out. Currently, no such agreements exist. Further information about this programme, including how to opt-out, can be found on the NHS Digital website.

Coronavirus (COVID-19) Privacy Notice

Who is the data controller for this processing?

The London Borough of Bexley is a ‘data controller’ as we collect and process personal information about you. The information we collect is used in accordance with data protection and other relevant legislation.

Contact details for the data controller’s representative are:

Nick Hollier
Data Protection Officer
London Borough of Bexley
Civic Offices
2 Watling Street
Bexleyheath
Kent DA6 7AT
Email data.protection@bexley.gov.uk
Telephone 020 8303 7777

Whose data are we processing and why?

Groups of people defined on medical grounds as requiring shielding

Personal data is being collected to assess and provide support to adults, children and young people who are in high-risk categories and would be considered vulnerable, if they became infected with the coronavirus.

Citizens requiring emergency support and assistance

Personal data is being collected to assess and provide support to adults, children and young people in this category.

Track and Trace

Personal data belonging to staff, customers and visitors will be collected when working or visiting our premises to support NHS track and tracing for COVID 19. Further information about how your personal information is used by the NHS for test and trace purposes can be found on the NHS Test and Trace website.

Child Protection - information sharing

NHS England has identified a risk that health visitors and school nurses will not receive information about vulnerable children whilst social distancing is in place. Consequently, NHS Digital will provide data from the Child Protection - Information Sharing (CP-IS) system to 0-19 Services about children subject to a Child
Protection Plan, pregnant women with an Unborn Child Protection Plan and children who are designated a Looked After Child, in particular children being cared for under the Children's Act 1989.

Data recorded by the council on CP-IS will be included in the extracts and shared with health visitors and school nurses so that the health and welfare of vulnerable children and young people can be protected during a period where face to face contact with statutory services is reduced. Further details can be found on the NHS Digital website.

What personal information do we hold?

We only collect and share the minimum amount of personal information required when providing you with assistance and support. This includes but is not limited to the following:

  • information about you - this could include your name, address, date of birth
  • national identifiers - such as NHS number, National Insurance number
  • financial information - such as your benefit entitlement
  • information about your family and social circumstances
  • physical or mental health details (where appropriate)
  • social care support/involvement

We get most of this information from you, but we may also get some of this data from:

  • central government agencies
  • other local authorities
  • health and social care providers
  • police and probation services
  • members of the public (referrer)
  • commissioned partners
  • family members
  • local charities and other community support groups

Who else might we share your personal information with?

Sometimes we may need to share your information, but we will only do so where it is necessary or required by law. We will only share the minimum information for each circumstance.

We may sometimes need to share some of your information with:

  • health service providers - including NHS agencies (GPs, hospitals, ambulance, health visitor, mental health services, school nurses)
  • education providers
  • care providers - such as day care, domiciliary, residential
  • government agencies - such as Department of Health, Department of Work and Pensions
  • support groups for people with disabilities
  • local government
  • prepaid card providers
  • Direct Payment Support Services
  • housing associations and organisations supporting
  • technology assistance providers
  • charities and volunteers, whom are supporting the Councils response to the Coronavirus

What is the legal basis for our use of your personal information?

This includes but is not limited to the following set out within the GDPR:

  • Article 6.1(a) – the data subject has given consent
  • Article 6.1(b) – processing is necessary for the performance of a contract
  • Article 6.1(c) – processing is necessary for compliance with a legal obligation
  • Article 6.1(d) – processing is necessary to protect the vital interests of individuals
  • Article 6.1(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

For the processing of 'special category data' such as someone’s physical and mental health:

Article 9.2(g) of the GDPR

Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The processing of special category under Article 9 also requires the following conditions for processing from the UK Data Protection Act 2018 to be met:

  • Schedule 1, Part 2 section 6(a), processing is met under the exercise of a function conferred on a person by an enactment
  • Schedule 1, Part 1 section 2(1), this condition is met if the processing is necessary for health and social care purposes

Your rights

Further information about your rights and how to exercise them, can be found on our Privacy Notice page

How long will we keep your personal information?

We will only use your personal information whilst delivering support and assistance to you, unless the law requires us to keep it for a longer period.

Personal data collected to support NHS Track and Trace, will be retained for a period of 21 days.

How to complain

You have the right to complain to the Information Commissioners Office at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Email casework@ico.org.uk
Telephone 0303 123 1113

Last updated 16 September 2020