Health, Safety and Resilience Service

In order to comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Identity and contact details of the data controller

  • Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

  • Our Data Protection Officer is Paul Bond. You can contact him at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Purposes for processing

We collect your personal data only where required to provide:

  • the information required for the recording and where necessary the reporting and review of accidents and incidents
  • robust risk assessments for ensuring, so far as is reasonably practicable, the health, safety and wellbeing of those affected by the Authority’s activities.
  • Support to displaced persons in the event of an emergency response, to protect life and support the needs of those adversely affected by the incident.
  • effective systems for the monitoring of health and safety performance throughout the Authority together with means for reporting and responsibility for instigating any corrective measures found necessary
  • a robust audit and review process designed to measure safety performance generally and the compliance with national standards, the Authority’s policies and relevant statutory provisions
  • appropriate levels of information, instruction, training and supervision to ensure that all employees are aware of any hazards to which they may be exposed and the measures used to control any significant risks arising
  • support services to benefit the wellbeing of employees
  • help to manage the health and safety of school pupils including whilst on educational visits.
  • ensuring compliance against the Code of Practice for infection prevention
  • support in the event of a major incident where required
  • required mitigation measures and protection actions to reduce the impact of emergencies in Lancashire

Category of personal data being processed

  1. Personal data (information relating to a living, identifiable individual)
  2. Special category personal data (racial, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation)

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with the UK GDPR is:

(c) Legal Obligation: the processing is necessary for you to comply with the law. You must reference the applicable legislation if you wish to rely on this basis for processing.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the law gives us a power to do it but it is not an obligation)

The legislation that informs this legal obligation is:

  • Health and Safety at Work Act 1974
  • Workplace (Health, Safety and Welfare) Regulations 1992
  • Management of Health and Safety at Work Regulations 1999
  • Health and Safety (Display Screen Equipment) Regulations 1992
  • Personal Protective Equipment at Work Regulations 1992
  • Provision and Use of Work Equipment Regulations 1998
  • Manual Handling Operations Regulations 1992
  • Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995
  • Noise at Work Regulations 1989
  • Electricity at Work Regulations 1989
  • Control of Substances Hazardous to Health Regulations 2002
  • Civil Contingencies Act (2004)
  • Control of Major Accident Hazards Regulations (2015)
  • Radiation (Emergency Preparedness and Public Information) Regulations (2019)
  • Pipeline Safety regulations (1996)
  • The Reservoir Act (1975) as amended by the Water Act (2003)
  • Coroners Act (2009)
  • Merchant Shipping Act (1995) (subsequent amendments and associated Acts and regulations)
  • Flood and Water Management Act (2010)
  • Civil Aviation Regulations (1991)
  • The Health and Social Care Act 2012
  • The Health and Social Care Act 2008 Code of Practice on the prevention and control of infections and related guidance
  • The NHS Public Health Outcomes Framework and related health outcomes framework.
  • Regulatory Reform (Fire Safety) Order 2005
  • Health and Safety (First Aid at Work) Regulations 2013
  • Asbestos Regulations 2012
  • Construction Design Management Regulations 2015
  • Pressure Systems Safety Regulations 2000
  • Working at Height Regulations 2005
  • Legionnaires Disease ACOP and Guidance L8
  • Corporate Manslaughter Act 2007
  • Health and Safety Offences Act 2007
  • Health and Safety Fees Regulations 2012
  • Gas Safety Regulations 1998
  • Radioactive Substances Regulations 1993
  • The Control of Vibration at Work Regulations 2005
  • Lifting Operations and Lifting Equipment Regulations 1998
  • Ionising Radiations Regulations 1999
  • The Control of Lead at Work Regulations 1998
  • Safety Representatives and Safety Committees Regulations 1977
  • Health and Safety (Consultation with Employees) Regulations 1996
  • Confined Spaces Regulations 1997

Legal basis for processing special categories of personal data

The legal basis for processing your special categories of personal data, in accordance with the UK GDPR is:

(b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

The legislation that informs this legal obligation is the Health and Safety at Work Act 1974 section 2.

(g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

The legislation that informs this legal obligation is Data Protection Act (2018) Schedule 1 Part 2 (16) Support for individuals with a particular disability or medical condition

Recipients of the data

The Health Safety and Resilience Service may share your personal data with the following organisations where there is a lawful basis to do so:

  • External providers of our Lone Worker System
  • Health and Safety Executive
  • Schools and other educational settings as required
  • Trade Unions
  • Partner organisations as part of a response to an incident
  • Law enforcement agencies
  • Our providers and suppliers of services
  • Stakeholders within the health sector

We will only share the minimum required personal data to achieve the purpose for which it is shared.

Information we share

The Health Safety and Resilience Service may share the following categories of personal data when required and where there is a lawful basis to do so:

  • Name
  • Address
  • Number of Adults/Children at Address
  • Mobile telephone number
  • Email address
  • Age
  • Date of birth
  • Next of kin
  • Gender
  • Ethnicity
  • NHS number
  • Hair and skin colour and other applicable physical description or identifiers
  • Medical conditions

Where your data is required for the purposes of responding to an emergency, and evacuations are required, the service may also request from you the following information:

  •  Pets
  • Status (staying put, evac)
  • Support required
  • Record of supported given
  • Date attended centre

We will commit to ensure the security and confidentiality of your personal data at all times.

Any transfers to another country

  • No

Retention periods

Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.

File type Description Security Retention period
Response Information Information related to an emergency response. Accessible by a secure login.
  • 6 months after the incident, unless the following applies;
  • Debrief: 2 years
  • Investigation: 7 years after decision not to proceed.
  • Prosecution: 7 years after final hearing.
  • Fatalities: 10 years after closure.
email emails held in Outlook that haven't been exported or moved elsewhere. encrypted used when emailing personal data to partners. Retained in accordance with appropriate internal retention guidelines
Project documentation Personal data exchanged with processors and sub-processors of personal data Data processors bound by contract with LCC (data controller). Maintained on secure networks. Destroyed at the end of the contract by data processors and sub-processors

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are the right:

  • to be informed via Privacy Notices such as this.
  • to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
  • of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.
  • of rectification, we must correct inaccurate or incomplete data within one month.
  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Or email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.

Further information

If you would like more information about this specific service then please contact Alan.Wilton@lancashire.gov.uk.

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).