Privacy notice

Overview

Being transparent and providing accessible information to individuals about how we use personal information is a key element of the UK General Data Protection Regulation (UK GDPR). The most common way to provide this information is in a privacy notice.

Alongside this privacy notice we also provide service and project specific privacy notices that give further details on how we process your personal data.

Data controller

A Data Controller is an individual or organisation that determines the purposes and means of processing personal data.

Lancashire County Council is registered as a data controller with the Information Commissioner's Office (registration number: Z542705X).

Contact details for the council's data controller are:
Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dataprotection@lancashire.gov.uk

Coronavirus – Supplementary Privacy Notice for our service users

In order to comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Identity and contact details of the data controller

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

Our Data Protection Officer is Paul Bond. You can contact him at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Purposes for processing

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. This supplements our main Privacy Notice.

In these difficult times, we are working very closely with our partners with central government, health and care providers and other partner organisations who are helping to deliver the vital care and support to our local communities. This means that we will need to receive and share personal information about our residents.

This notice provides information about what kind of personal information that may be, what we may do with it and who may have access to it.

We will use the information we collect to deliver a number of services, which may include:

Identifying those in higher risk groups to offer them support such as food collection, medical collection and deliveries
The provision of social care and support
The provision of health and/or mental health support
Awareness and advice
Enabling plans to be made to support children returning to school
Facilitating safe and controlled access to Lancashire County Council premises both for service users and our employees.
Working with the NHS and other system partners to complete recovery work following the restart of the Continuing Health Care Framework, from 1st September 2020.

This list may change depending on the needs of the response efforts however any use of data will be proportionate and necessary for the delivery of those efforts.

Purposes for processing – Interaction with Lancashire County Council services and premises

When visiting Lancashire County Council premises, we may ask that you provide us with personal data prior to your visit and at the point at which you visit our buildings.

This is to ensure the safety and security of visitors and our employees. We will always ensure the safety and security of any personal data we process for these purposes.

During this period of emergency, services may be provided or offered to you via video conferencing in an effort to reduce the risks associated with face-to-face contact. Where such services are offered, Lancashire County Council will ensure that your personal data is processed lawfully and your personal data is handled securely.

Purposes for processing - Test and Trace personal data processing

To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, some Lancashire County Council premises have been mandated by law to collect and keep a limited record of staff, customers and visitors who come onto our premises for the purpose of contact tracing.

By maintaining records of staff, customers and visitors, and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.

As a customer/visitor to Lancashire County Council premises where this is a requirement, you will be asked to provide some basic information and contact details. The following information will be collected:

the names of all customers or visitors
a contact phone number for each customer or visitor
date of visit and arrival time and departure time

Lancashire County Council as the data controller for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.

The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the venue/establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.

In addition, if you only interact with one member of staff during your visit, the name of the assigned staff member will be recorded alongside your information.

NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.

For example, if another customer at the venue reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).

We may require you to pre-book appointments for visits or to complete a form on arrival.

Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.

However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.

LAMP Covid-19 Testing

The Department of Health and Social Care has appointed Lancashire Teaching Hospitals NHS Foundation Trust as hosts of the Lancashire and South Cumbria Pathology Collaborative, to establish a regional COVID-19 LAMP saliva testing hub to enable the carrying out of LAMP saliva testing for staff in participating NHS and non-NHS organisations across Lancashire and South Cumbria.

Lancashire County Council is supporting these efforts and is acting as a provider of this kind of testing. Lancashire County Council staff will be involved in the testing process and in collecting personal data from you as part of this process. We will always process the minimum personal data required for this purpose and will ensure the security and confidentiality of your personal data at all times. Further information regarding this programme and the processing of your personal data .

Covid Winter Grant Scheme

Lancashire County Council may process your personal data for the purposes of administering the Covid Winter Grant Scheme. Where we have a requirement to do so we will maintain the security and confidentiality of your personal data at all times and adhere to Data Protection legislation.

Lancashire County Council from May 2021 is utilising an external partner organisation to facilitate the distribution of vouchers for the purposes of provisioning the Covid Winter Grant Scheme. Where this takes place, your personal data will be handled in a way that ensures its security and confidentiality at all times.

Purposes for processing – Planning mental health support to young people

The County Council is working with the University of Bristol to better understand the impact of the Covid-19 pandemic on the mental health of children and young people in the care of the local authority, and to inform the development of support and services needed by young people.

During this period, a survey will be sent to a sample of young people in care so that, if they chose to do so, they can share some of their experiences. The survey will be issued by Lancashire County Council but minimal information such as a unique identifier will be shared with the University of Bristol so that analysis can be undertaken of the responses

Participation in the survey is entirely voluntary and individual-level data from the surveys will not be shared with the county council except in any instances where any serious safeguarding concerns are raised in the children’s survey responses; the research team will then notify the local authority of the ID number of the child or young person concerned.

Young people participating in the research will be anonymous to the research team and no child in care in any local authority will be identifiable to the research team with this information.

Category of personal data being processed

Personal data (information relating to a living, identifiable individual)
Special category personal data (racial, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation)

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with the UK GDPR is:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(c) Legal Obligation: the processing is necessary for you to comply with the law. You must reference the applicable legislation if you wish to rely on this basis for processing.

(d) Vital Interests: the processing is necessary to protect someone's life.

(e) Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. You must reference the applicable task/function and its' basis in law if you wish to rely on this basis for processing.

(f) Legitimate Interests: pursued by the controller or by a third party.

Legal basis for processing special categories of personal data

The legal basis for processing your special categories of personal data, in accordance with the UK GDPR is:

(a) The data subject has given explicit consent to the processing of this personal data.

(c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

(g) Processing is necessary for reasons of substantial public interest.

(h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

(i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

When relying on the above Article 6 and Article 9 lawful basis for processing personal data, we do so by virtue of the following legislation where applicable:

We have a duty to protect and improve the well-being of our residents under laws like the Local Government Act 1972, the Public Health Act 1984, the Children Act 1989 and the Care Act 2014.

There may also be circumstances where we rely on the Health Protection (Coronavirus) Regulations 2020 and the Inquiries Act (2005) for the processing of personal data where it is necessary to do so. This may be linked to Lancashire County Council's response to the Covid-19 public inquiry.

We also have powers under the Civil Contingencies Act 2004, which allows personal/sensitive information to be used where it is necessary to protect the vital interests of individuals, where either consent cannot be given or cannot reasonably be expected to be obtained. Vital interests do not just mean ‘life or death’ but also situations where there is a risk of significant harm to life and relate to emergency operations where individuals lives are potentially at risk.

The Government has issued advice on the sharing of data, they have also provided a link to frequently asked questions about the law.

The Information Commissioners Office and the National Data Guardian have released statements on the use of Health and Social Care data at this time.

For the administering of the Covid Winter Grant Scheme we rely on the Local Government Act 2003 section 31 (3) and Section 31 (4)

Recipients of the data

We are working with our partners both locally and nationally to make sure that we are delivering a coordinated and best service for residents. It is critical that we do this because then we can make sure that the right people are receiving the right support from the right resources.

This means that we will only share information where is it necessary and proportionate to delivering care and support. We will share information with and receive information from the list below:

Department for Health
Department for Education
NHS
Our local NHS Trusts
Hospitals
GPs and our local Clinical Commissioning Group (CCG)
Local authorities in Lancashire including city and district councils
Voluntary sector providers
Health and care providers that we work with
Schools/colleges
County, city, district and parish councillors who will support our efforts across the county in their roles
Third party providers for the purposes of administering grant scheme programmes
Research institutions (using anonymised data only or where a clear lawful basis exists to do so)

This is not an exhaustive list and may change as the situation does.

Information we share

The kind of personal information we may process are names, age, household composition, addresses and contact details (email, phone numbers, mobile numbers and social media contacts).

We may also process special category around health and care needs to help us identify and provide the support to those who most need it.

We may also ask you for details of your ethnicity, current employment and recent contacts.

The information we collect is recorded on our existing platforms or dedicated databases on the councils’ secure networks where it is accessible only to staff who need to see it to deliver services to support our work around COVID-19.

Any transfers to another country

Retention periods

We will only keep your information for as long as it is necessary, taking into account of Government advice and the on-going risk presented by Coronavirus.

Health information provided by you in relation to this outbreak of Coronavirus will not be used for any other purpose unless there is a clear lawful basis to do so.

When the information is no longer needed for this purpose, it will be securely deleted.

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are the right:

to be informed via Privacy Notices such as this.
to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
of rectification, we must correct inaccurate or incomplete data within one month.
to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.

Further information

Further details regarding Lancashire County Council's wider Coronavirus response.

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).

Coronavirus – Supplementary Privacy Notice for our employees

Privacy Notice Coronavirus – Supplementary Privacy Notice for our employees

Identity and contact details of the data controller

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

Our Data Protection Officer is Paul Bond. You can contact him at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Purposes for processing

This notice describes how we may use your personal data to protect you and others during the Covid-19 outbreak. It supplements our main privacy notice, which is available here,

This privacy notice is to make it easier to understand and provide you with more information about how Lancashire County Council may seek to collect and hold information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19).

Lancashire County Council may seek to collect and process your personal data in response to the recent outbreak of Coronavirus, which is above and beyond what would ordinarily be collected from its employees and their dependents, to ensure their safety and well-being.

Such personal data will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals, in order to manage and contain the virus. It will enable the Council to effectively fulfil our functions to keep people safe, put contingency plans into place to safeguard those vulnerable and aid business continuity.

Where the information is to be used to make organisational decisions, steps will be taken to anonymise the data and general statistics/numbers used, wherever possible.

Employee personal data would be collected to enable the Council to identify any staff (or those closely linked to staff/dependents) who are in any of the high-risk categories and would be considered vulnerable, if infected with Coronavirus.

As part of the vaccination roll-out process, we are asking our employees to record their vaccination status. We are doing so to ensure the safety and wellbeing of both the employees themselves as well as that of our service users. Lancashire County Council may also ask employees to voluntarily provide the reason for non-vaccination. This is done for the purposes of informing our efforts to encourage take-up of the vaccination.

Category of personal data being processed

Personal data (information relating to a living, identifiable individual)
Special category personal data (racial, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation)

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with the UK GDPR is:

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(d) Vital Interests: the processing is necessary to protect someone's life.

The lawful basis that is applied will depend on individual circumstances.

Legal basis for processing special categories of personal data

The legal basis for processing your special categories of personal data, in accordance with the UK GDPR is:

(b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

(c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

(g) Processing is necessary for reasons of substantial public interest.

The lawful basis that is applied will depend on individual circumstances.

When relying on the above Article 6 and Article 9 lawful basis for processing personal data, we do so by virtue of the following legislation where applicable:

We have a duty to protect the wellbeing of our employees under laws like the Health and Safety at Work Act 1974.

The Government has issued advice on the sharing of data.

The Information Commissioners Office and the National Data Guardian have released statements on the use of Health and Social Care data at this time.

Recipients of the data

The council may need to share this information with organisations such as:

Central government
Health authorities
Relevant partner organisations

Information we share

For these purposes, the Council may collect:

Name and contact details
Current job role and responsibilities
Medical information, age or any other personal information which would mark a vulnerability to the virus
Recent history of contacts with other individuals whilst at work or with service users; or any other personal information which could help prevent or trace transmission of the virus
Any other personal information which the council is asked to be collected by the relevant health or government authorities to mitigate the risks associated with Coronavirus (Covid-19) this includes health risks, economic risks and social risks
Vaccination status

Any transfers to another country

Retention periods

We will only keep your information for as long as it is necessary, taking into account of Government advice and the on-going risk presented by Coronavirus.

Health information provided by you in relation to this outbreak of Coronavirus will not be used for any other purpose.

When the information is no longer needed for this purpose, it will be securely deleted.

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are the right:

to be informed via Privacy Notices such as this.
to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
of rectification, we must correct inaccurate or incomplete data within one month.
to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

Further information

For further details regarding Lancashire County Council's wider Coronavirus response, please find these details at the following website,

https://www.lancashire.gov.uk/health-and-social-care/your-health-and-wellbeing/coronavirus/

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).

Purpose of processing personal information

As a local authority, the council delivers services to you. In order to do this in an effective way we will need to collect and use personal information about you.

If you use a specific council service, we will usually let you know how that service will use your personal information via a separate privacy notice.

The UK General Data Protection Regulation ensures that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:

Process all personal information lawfully, fairly and in a transparent manner.
Collect personal information for a specified, explicit and legitimate purpose.
Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
Ensure the personal information is accurate and up to date.
Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected.
Keep your personal information securely using appropriate technical or organisational measures.

Service or project specific privacy notices

Services using large amount of personal or special categories of information will have their own dedicated privacy notice to tell people what information is being shared. These notices will map out how personal information flows through the service or project and how it is processed.

As a local authority, the council delivers services to you. In order to do this in an effective way we will need to collect and use personal information about you.

If you use a specific council service, we will usually let you know how that service will use your personal information via a separate privacy notice.

The UK General Data Protection Regulation ensures that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:

Process all personal information lawfully, fairly and in a transparent manner.
Collect personal information for a specified, explicit and legitimate purpose.
Ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
Ensure the personal information is accurate and up to date.
Keep your personal information for no longer than is necessary for the purpose(s) for which it was collected.
Keep your personal information securely using appropriate technical or organisational measures.

Service or project specific privacy notices

Consent and categories of personal data

Consent

We will usually seek your consent prior to processing or sharing your information, however, if there is a legal reason, as outlined under the UK GDPR, we may not require your consent, e.g. where the disclosure is necessary for the purposes of the prevention and/or detection of crime. Where we need to disclose special category or confidential information such as medical details to other partners, we will do so only with your prior explicit consent or where we are legally required to. We may disclose information when necessary to prevent risk of harm to an individual.

Categories of personal data

We process:

Personal information relating to identified natural persons used to deliver services such as:

Adult and children's social care, human resources, special educational needs, planning applications, access to information requests, legal claims, school appeals, library cards, blue badges, customer services, highways claims and complaints, pensions, children's services, parking services, care homes, early years, youth offending, trading standards and more.

Special categories of information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life.
Health and wellbeing information. All local authorities have a duty to improve the health of the population they serve. To help with this, we use information from a range of source data, including data collected at the registration of a birth or death to understand more about the health and care needs in the area.
Research and statistical data to provide intelligence about Lancashire including demographic data, population projections, the economic situation, health and wellbeing information. This personal information is often pseudonymised when an identifier such as name is replaced with a unique number.

Lawful basis for processing

The lawful basis for processing this personal data must be one of the following.

Consent: the individual has given clear consent for the council to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract the council has with the individual.
Legal Obligation: the processing is necessary for the council to comply with the law.
Vital Interests: the processing is necessary to protect someone's life.
Public Task: the processing is necessary for the council to perform a task in the public interest and has a clear basis in law.
Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by the local authority – (the local authority will not use this lawful basis for any tasks it performs as a public authority).

Individual service and project specific privacy notices will include further details of the lawful basis for processing specific categories of personal data.

Information sharing and retention periods

To ensure that the council provides you with an efficient and effective service we will sometimes need to share your information between teams within the council as well as with our partner organisations that support the delivery of the service you may receive, for example:

NHS
District Councils
Police
Fire Service
HMRC
DWP
Voluntary organisations
Government departments and agencies
Regulatory bodies

We will also need to supply your information to organisations we have contracted to provide a service to you.

We will only ever share your information if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.

We will never share your information for marketing purposes.

Before sharing information the council will ensure that:

Privacy Notices are completed if appropriate.
Technical security such as encryption and access controls are in place to keep information secure.
Information Sharing Agreements are completed showing the rules to be adopted by the various organisations involved in the sharing exercise.
Data Protection Impact Assessments are completed to assess any risks or potential negative effects.
Common retention periods and deletion arrangements are set for the information.
Subject access rights are catered for.

Details of transfers to other countries and additional safeguards

We will always process as little personal data as is necessary to meet the purpose of the processing activity. We will inform you where your personal and sensitive data will be stored and of the additional safeguards that we have taken to ensure compliance with UK GDPR and data protection legislation which applies within the country where your personal and sensitive information is held, should this be outside of the UK.

Retention periods

We will only keep your information for as long as it is required to be retained. The retention period is either dictated by law or by our discretion. Once your information is no longer needed it will be securely and confidentially destroyed. Service and project specific retention periods can be found in our service and project specific privacy notices.

Your rights

You have certain rights under the UK General Data Protection Regulations (UK GDPR), these are the right:

to be informed via Privacy Notices such as this.
to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you. You can request a subject access request, either via a letter to Information Governance Team, address below.
of rectification, we must correct inaccurate or incomplete data within one month.
to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you wish to exercise any of these rights then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: DPO@lancashire.gov.uk

Data protection officer

As a public authority we are required to have a Data Protection Officer who is responsible for:

Monitoring the council's compliance with the UK GDPR and other data protection laws. Monitoring our data protection policies, awareness-raising, training, and audits.
Advising the council in respect to their data protection obligations.
Provide advice and monitor the Data Protection Impact Assessment process.
Acts as a point of contact for the Information Commissioner's Office (ICO) and members of public on any matter relating to Data Protection.

If you need to contact the Data Protection Officer their details are:

Paul Bond
Data Protection Officer
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

Incidents, complaints, comments and compliments

Information security incident

Should you wish to report an information security incident you can use our electronic reporting tool: Report an information security incident

Complaints, comments and compliments

If you wish to make a compliment, comment or complaint about how the council are processing your data, then please visit send a compliment or comment or make a complaint to the council.

Information Commissioner's Office

If you are still dissatisfied with how the council have handled your complaint, you may contact the Information Commissioner's Office.

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: 08456 30 60 60

Website: www.ico.org.uk

The authority also creates and holds information that does not contain personal information about a living individual to view of access this information you can access council official information.

Access to the council's official information

Under the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 you have a right to request any recorded official information held by the council. The information you require may already be publicly available. The council has a duty to make official recorded information available The council has a duty to make information available via a publication scheme. Before you submit a request please check the publication scheme.

If you need to make a request, it must be done in writing. You can:

Submit a request online
Email freedomofinformation@lancashire.gov.uk
Write to:
Information Governance Team
Lancashire County Council
PO Box78
County Hall
Preston
PR1 8XJ

You do not need to say why you want the information. Your request must include your name, and an address for correspondence (if you apply by email, your email address is a suitable address for correspondence). Please ensure you identify the information you want as clearly as possible.

With certain limited exceptions, you are entitled to a response within 20 working days.

It costs nothing to make a freedom of information request. However, the county council can refuse to deal with your request if doing so would cost more than £450 (which equates to 18 hours' work). In extreme circumstances, the county council may also charge for the cost of photocopying and postage.

You may not get the information you asked for:

If the council does not hold the information you have requested
If the information is exempt from disclosure
if finding the information you have requested would take longer than 18 hours

If we are unable to supply any of the information you have requested, we will tell you the reasons why. More information available in the exemptions guide.

For more details please refer to the Information Commissioner's Office website.

Access to the council's decision making process

Information on the decision making process of the council can be found in the constitution.

National data opt-out

The National data opt-out is a system covering health and social care that allows members of the public the opportunity to make an informed choice about whether they wish their confidential information to be used just for their individual care and treatment or also used for research and planning purposes.

For further details, please visit the website: www.nhs.uk/my-data-choice

How the NHS and care services use your information

Lancashire County Council is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this webpage you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.

Patient control of information

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care. You have a right to opt-out of Lancashire County Council or other organisations using your information for these further purposes. If you wish to do this please contact Lancashire County Council via the contact details highlighted below:

Paul Bond
Data Protection Officer
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

Councillors as data controllers

Lancashire County Councillors can also be data controllers but this depends in what capacity they are working in:

As a member of the council, for example, as a cabinet member or a member of a committee. In this circumstance the council is the registered data controller. Personal information held by the council will not be used for political purposes unless both the council and the individuals concerned agree.
As a representative of residents of their ward, for example, in dealing with complaints. In this circumstance, the councillor is the data controller. Whilst Councillors are considered to be 'data controllers' for constituency casework purposes, they are exempt from payment of the Information Commissioner's Office registration fee, with a few exceptions such as if councillors are personally responsible for of any kind of CCTV, either recording or live feed cameras. All Councillors take into account the context in which personal information is collected to decide whether their use of the information will be fair and lawful, as required by the first data protection principle. Where a councillor is representing an individual resident who has made a complaint, the councillor will usually have the implied consent of the resident to retain relevant personal data provided and to disclose it as appropriate. The resident will also expect that the organisation who is the subject of the complaint will disclose personal data to the councillor. If there is any uncertainty regarding the resident’s wishes, it will be appropriate to make direct contact with the resident to confirm the position. Special Category information, such as health data, racial origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation is treated differently, and to process this data the councillor will always obtain your explicit consent.
They may represent a political party, particularly at election time. In this circumstance, the political party will be the data controller. When campaigning for election as the representative of a political party, candidates can use personal information, such as mailing lists, legitimately held by their parties. However, personal information they hold in their role as representative of local residents, such as complaints casework, will not be used without the consent of the individual. When campaigning for election to an office in a political party, councillors will only use personal information controlled by the party if its rules allow this. Candidates for election are also aware that political campaigning falls within the definition of direct marketing. Consequently, they have regard to the requirements of data protection legislation and the Privacy and Electronic Communication (EC Directive) Regulations 2003 which set out specific rules that must be complied with for each type of marketing communication.

All councillors will comply with the council's information governance policies and data protection legislation including the UK general data protection regulation (UK GDPR). Personal information will be processed in line with data protection legislation and will be kept for as long as it is required to be retained. The retention period is either dictated by law or by the councillors' discretion. Once your information is no longer needed it will be securely and confidentially destroyed.

Contact the Information Governance Team

To access your personal information or make a request in relation to other rights, contact the Information Governance Team:

Information Governance Team,
Lancashire County Council,
PO Box78,
County Hall,
Preston,
PR1 8XJ

Email: dataprotection@lancashire.gov.uk.

This is called a subject access request and must be made in writing.

You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you.

To ensure that we can deal with your request as efficiently as possible you will need to include as much detail as possible regarding your request.

This should include your current name and address and proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address).

It may also help to include your previous name and address, date of birth and what council service you were involved with.

This is so that we can identify any information we may hold about you.

Child friendly privacy notice

This page is our Privacy Notice. A Privacy Notice tells you how we use your personal data, so you know what happens with it when people give it to us.

Sometimes there are links to other pages. You might want to ask an adult to help with these because it can be confusing.

Child Friendly Privacy Notice - print version PDF 212 KB

Who are we?

We are Lancashire County Council and we offer lots of services to people who live in Lancashire.

We provide care for people who need it, we help your local school to function, and we make sure you have a local library service.

Personal data? What’s that?

Anything that can identify you is your personal data. You might know this could be things like your name or a photo of you, but it is also things like your email address or your online gamertag.

There are some types of data we have to be extra careful with. These are known as special category data. This could be something like an illness you have, or what religion you are.Sometimes we have to use data about crimes and breaking the law.

The Council uses a lot of personal data. If you want to read a long list, it’s on our main Privacy Notice.

Why do you need my personal data?

The main reason we need to use your personal data is to know who you are.

If you have been in care, or if you are at school, it makes sure that we give you the help you need from us.

We could also use it because of an event you have taken part in, or competition that we organised, to make sure if you win you get your prize.

If we don’t have your personal data it could mean you miss out on the things we can do for you.

Sometimes we need to tell you more about what we’re doing with your personal data. You can see some of these on this page.

So, can you use my personal data for anything?

Just because we have your personal data, it doesn’t mean we can do what we want with it, we have to follow some rules.

Sometimes we have to ask you if we can use it, and if you say no then we can’t.

The Council does a lot of work, so there are times that there are more rules that say we have to use your personal data to do our work, and we can do this without asking you first.

There are different rules for personal data and special category data. If we are using any of your data, we make sure we are following all the rules, which are on our main Privacy Notice.

Can anyone else see my personal data?

Sometimes in order to do our work we have to share your personal data, or other people might share it with us. We’re very careful about how we do this, meaning there are even more rules.

We might need to share your data with your school, doctor or family if they are helping you, or with the police or fire service.

We keep a lot of data on secure systems. There are times we let other people, like care providers or the NHS, access our systems to make sharing easier, but we always make sure that they know all our rules first, so only people who are helping you will look at your data.

There are too many people to list here, but there is a longer list of who we could share with on our main Privacy Notice.

There are times we might need to ask for help doing our work, and someone else will use your data for us. This could mean your personal data might go around the world, but don’t worry – we’ll make sure it’s safe.

Do you keep my personal data forever?

We only keep your personal data for as long as we need it and sometimes this might be for years.

There are times we have to follow rules about how long we can keep your personal data, and we have a special page that tells you how long we keep it. It’s really long, because we do a lot of work.

Do I have a say in what happens to my personal data?

Yes you do. You have what we call 'rights' when we use your data. One of these is the right to know what we do with it. That’s what this page is for.

You can ask us to tell you what personal data we have about you, or if we will stop using it or delete it. If your personal data is wrong, you can tell us and we will fix it.

The rights you have depend on what we use your data for, and there is more information on our main Privacy Notice.

Who makes sure you follow all the rules?

We have someone in the Council called our Data Protection Officer, and their job is to protect your data. This means they make sure we are following all the rules, and your data is safe. If they see something wrong, they tell us how we can fix it.

Because of how important it is to keep your data safe, and to follow all the rules, you can email or write a letter to our Data Protection Officer if you are worried about what we do:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

There is a business whose job it is to make sure we follow the rules, and can tell us off if we do things wrong.

You can also email or write to them:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF or look online at www.ico.org.uk