Privacy statement

In order to meet its responsibilities as a local authority, Runnymede Borough Council collects, holds and processes considerable amounts of information.

Where personal data is involved, such as your name, address and other information that could identify you, we must comply with the General Data Protection Regulation (GDPR) and Data Protection Act 2018. The law imposes additional requirements on special category personal data of a private nature which is often information that is not widely known and is very personal to you, such as the state of your health.
We are committed to protecting your privacy when you use our services. Please see our Departmental Privacy Notices.

The Privacy Notice below explains how we use information about you and how we protect your privacy.

What type of information do we collect?

The information we require may include personal or sensitive information such as:

  • Name, address and contact details
  • Date of birth
  • National Insurance number
  • Gender, ethnicity and marital status
  • Religious or other cultural beliefs
  • Physical or mental health or condition
  • Sexuality
  • Offences (including alleged offences)
  • Financial information, including bank account details
  • Employment status and details

This list does not represent of all the information the Council collects. Please see the Privacy Notices for the individual services for a comprehensive record.

Using your Personal Data

Most of your information will have been provided by yourself or collected through your interactions with our services. We will only use your personal information when we have a legitimate basis for doing so and will process it in a fair and lawful way.
The law requires us to specify a lawful basis for processing your personal data. The reason for processing your personal data will determine the lawful basis. The lawful basis for processing has to meet at least one or more of these conditions:

  1. You have given us consent to the processing of your personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which you are party, or in order for us to take steps, at your request, prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which we are subject.
  4. Processing is necessary in order to protect the vital interests of either yourself or another person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
  6. Processing is necessary for the purpose of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, particularly where the data subject is a child.

The Council may use your personal information for the purpose it was obtained and other compatible reasons.

We will process your personal data only where necessary and in a proportionate way, including in the following circumstances:

  • To allow the Council to communicate with you and provide appropriate services
  • To plan, monitor, and improve service performance
  • Where the Council exercises its statutory obligations and enforcement functions, for instance licensing and planning
  • Legal proceedings, including prosecutions by the Council
  • To process financial transactions such as payments and benefits, including where the Council is acting on behalf of other government bodies such as the Department for Work and Pensions
  • To prevent and detect fraud and other crimes
  • To protect individuals from harm or injury
  • To ensure our records are up to date and accurate
  • To fulfil its legal duties including those under the Equalities Act 2010 and Health and Safety Acts

How we take care of your personal data

We ensure your personal information is held securely and safely, whether electronically or in hardcopy. We have controls in place to protect information whilst stored, and transferred, and to minimise risks associated with inappropriate disclosure. This includes:

  • Encryption, meaning that information is hidden so that it cannot be read a 'cypher'. The hidden information is said to then be 'encrypted'
  • Pseudonymising, meaning that we remove identifiers so your personal information cannot be attributed to you.
  • Controlling access to systems and networks to stop people who are not authorised to view your personal information from gaining access
  • Training for our staff to make them aware of how to handle information and how and when to report when something goes wrong
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches). Maximising our use of electronic, rather than paper, records.

We manage information throughout its lifecycle, so only personal data relevant for a particular purpose is collected.
We take steps to ensure data we input is accurate and, where necessary, updated. This includes where accuracy is challenged.
We ensure information is not kept longer than necessary. That is, not beyond the business need or what the law may require, in accordance with our retention policy.
Redundant data is permanently deleted or disposed of securely.  
Staff are trained to properly handle personal information. A failure to take proper care or misuse of information may be treated as a disciplinary matter.

Who do we share the information with?

In most cases, only our staff will use your personal data, which we are under a general duty not to disclose. Nonetheless, there are some occasions when the Council will share information with other organisations or make it publicly available.
However, unless a specific exemption applies, we will advise you who your information may be shared with, either directly or in the relevant Privacy Notice which you will be referred to when your information is collected.
Where we share sensitive personal data, such as health information, we might need your permission. We may request this when the information is first obtained.
When we provide a support service we may share personal information with another agency to ensure the appropriate service is delivered.
The police and other agencies may request personal information as part of an investigation, to prevent crime, or prosecute offenders. We will consider these requests under an exception to non-disclosure.
We may approach other organisations to share personal information to prevent crime, for instance to stop a vulnerable person being abused.
For matching purposes, we may share your personal data with other bodies responsible for auditing or administering public funds, or where undertaking a public function, to prevent and detect fraud. Data matching compares computer records held by one body against those held by the same or another body. Computerised data matching allows potentially fraudulent claims and payments to be identified as a match may indicate an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error, or other explanation until an investigation is carried out.
The Council participates in the statutory National Fraud Initiative; a data-matching exercise with other public bodies run by the Cabinet Office for the purposes of preventing and detecting fraud.
Information collected for public registers, such as planning or licensing applications, must be published or made available on request.
Please see below the type of organisation that we may share information with and reasons why. This is not an exhaustive list and the relevant service Privacy Notice should be reviewed for all potential sharing which may occur.

Organisations we may share your information with
Doctors, Surrey County Council social services and other local authorities

We may process  personal data to connect with social services provided by Surrey County Council  that:     
· Signpost relevant local services
· Ensure vulnerable people are protected from harm and exploitation

We only disclose the minimum amount of personal data to local authorities to enable them to provide services. They must not use personal data for any other purpose, and we require them to keep personal data secure.

Government, council teams and other agencies including police, Health Protection Agency, Home Office, fire and rescue authorities, Department for Work and Pensions, JobCentre Plus or the Pension Service, Environmental Health

We will share personal information where required by law.  We may approach, or be approached by, other organisations to share personal information if we believe it is necessary to prevent a crime, for instance to stop a vulnerable person from being abused.
We only disclose the specified personal data requested to a government agency if there is a legal obligation or for a legitimate reason such as to investigate or prevent crime. This data must be kept secure.

Freedom of Information (FOI) and Environmental Information Regulations (EIR)

We may receive FOI and EIR requests for third party personal data and in most cases will consider whether disclosure would contravene Article 5, Principle 1 (a) of the GDPR. We have a legal obligation to process any personal data we hold when considering requests under these laws.

Privacy notices

Please see our Departmental Privacy Notices.

Provision of personal data

Provision of data is obligatory in cases where the Council exercises its enforcement functions.
Failure to provide some voluntary data may mean certain support services cannot be delivered.

Your rights and access to the information we hold

Data protection law gives you a number of rights to control what personal information we can hold and how it is used by us. To enquire about any of these rights please contact our Data Protection Officer, 

You can ask for access to the information we hold on you

We would normally expect to share what we record about you with you whenever we assess your needs or provide you with services. However, you also have the right to ask for all the information we have about you and the services you receive from us. When we receive a request from you either verbally or in writing, we will review the records held and respond to you within one month. For further details on how to make a subject access request please refer to our page about how to make a request.
Please note some information within records held about you may be exempt such as:

Confidential information about other people

Information that may cause serious harm to your or someone else's physical or mental wellbeing

Information that would prejudice the prevention or detection of crime

You can ask to change information you think is inaccurate

You should let us know if you disagree with something in our records about you.
We will correct factual inaccuracies and may include your comments in the record to show that you disagree with it where necessary.  

You can ask to withdraw consent previously given

Where we have previously had your consent to use your personal information, you have the right to remove your consent at any time.

You can ask to delete information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the purpose it was collected
  • Where you have removed your consent for us to use your information (where there is no other legal reason for us to keep it)
  • Where deleting the information is a legal requirement
  • Where we are relying on legitimate interests for processing, and there is no overriding legitimate interest to continue this processing;
  • Where we have processed the personal data for direct marketing purposes and the individual objects to that processing
  • Where we have processed the personal data unlawfully

Where your personal information has been shared with others, we will make sure those using your personal information comply with your request for erasure where possible. We have one month to respond to your request. Please note we can refuse to comply with a request for erasure if we deem it manifestly unfounded or excessive.
The right to erasure does not apply if processing is necessary for one of the following reasons:

  • We are required to process the data by law
  • It is used for freedom of expression
  • It is used for public health purposes
  • It is for, scientific or historical research, or statistical purposes where it would make information unusable
  • It is necessary for legal claims
  • For the performance of a task carried out in the public interest or in the exercise of official authority

You have the right to ask us to restrict the use of your personal information

You can ask us to restrict the use of your personal information where either:

  • You have identified inaccurate information
  • The processing was unlawful and although you do not want your information erased you want its use restricted
  • You need your personal information held by us for your use of it for legal reasons, even though we have no further use for it
  • You object to the processing of your personal information and we need to provide legitimate grounds for the processing

You have the right to move your automated data to another provider (data portability) and object or restrict automated decision making

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However this only applies to information you have provided us where we are processing the information with your consent or as part of a contract with you. The processing must also be by automated means i.e. using a computer system.
You can ask to have any decisions made by automated means to be explained to you, and to request the decision to be reviewed by a human being.
You also have the right to object if you are being 'profiled'. Profiling is where decisions are made about you based on your personal information, e.g. to predict aspects concerning your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who'll be able to advise you about how we are using your information. 

Questions and further information

If you have any questions or communications about this statement you can contact our data protection officer:
Further information about data protection and privacy matters can be found on the Information Commissioner's Office website.