Privacy Notice

Areas covered by this notice

It applies to information we collect about people, such as:

• people who use and receive our services - see service specific privacy notices [Insert link to landing page]
• visitors to our website
• people who are referred to us by other persons, agencies, organisations
• people who contact us with an enquiry or complaint
• job applicants and our current and former employees
• people who participate in publicity for us
• people who are recorded on CCTV operated by us
• people we deal with in connection with our functions.

 

Data protection principles

When collecting personal data we must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) which place legal obligations on us to comply with the data protection principles. These principles are there to protect your personal data and make sure that it is:

• processed lawfully, fairly and in a transparent manner
• collected for specific, explicit, and legitimate purposes
• adequate, relevant, and limited to the purposes for which it was collected
• accurate and up to date
• kept for no longer than is necessary for the purpose(s) for which it was collected
• kept safe and secure, using appropriate technical or organisational measures to protect its integrity and confidentiality.

 

Rights of individuals

Under data protection law, you have rights including:

• Your right of access - You have the right to ask us for copies of your personal information.
• Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

 

You are usually not required to pay any charge for exercising your rights. You can make a request verbally or in writing and we have one calendar month to respond to you.

 

Data Controller

Newry, Mourne and Down District Council is the data controller for the personal data it gathers from members of the public, internal staff, external contractors and other individuals who interact with us. 

      

Newry, Mourne and Down District Council has a dedicated Data Protection Officer who you can contact by email at info@nmandd.org or in writing to:

Data Protection Officer
Newry, Mourne and Down District Council
Downshire Civic Centre
Ardglass Road
Downpatrick
Co. Down
BT30 6GQ

 

Lawful basis for processing personal data

We process personal data for specific purposes and these purposes will determine the lawful basis for the processing in accordance with Article 6 of the UK GDPR.  The privacy statement for each service [Insert Link to landing page] explains which reason we have used for that service.

 

We may collect and use personal information where:

1. you, or your legal representative, have given consent, and this consent has not been withdrawn
2. you have entered into a contract with us
3. it is required by law, or we have a legal obligation to collect the information
4. it is necessary to protect someone in an emergency or to protect public health
5. it is necessary to perform our public tasks
6. it is necessary for the purposes of pursuing a recognised legitimate interest
7. it is necessary for the purpose of pursuing a legitimate interest

 

Consent

Consent, as defined in Article 4(11) of the UK GDPR must be:

• Freely given: Individuals must have a genuine choice and control over whether to give their consent.
• Specific: Consent must be given for a specific purpose, and authorities must clearly explain what the data will be used for.
• Informed: Individuals must be provided with all necessary information about the processing activities, including the purpose, data retention period, and their rights.
• Unambiguous: Consent must be given through a clear affirmative action, such as ticking a box or signing a form.

On occasion, we might need your consent as the sole legal basis for processing your personal data. In such cases, we'll make sure to request your consent when we collect your data. Typically, you'll be asked to sign or tick a box to indicate your consent, but this will only happen after we've given you a complete explanation and you fully understand what you are consenting to.

 

If you have provided us with your consent to use your personal information, you can withdraw your consent at any time by contacting us.

 

Recognised Legitimate Interests and Legitimate Interests

The recognised legitimate interest basis differs from the legitimate interests basis in that it does not require us to undertake an assessment before processing begins when it is necessary for specific recognised interests such as crime prevention, safeguarding vulnerable people, responding to emergencies, safeguarding national security or assisting other bodies deliver public interest tasks that are sanctioned by law.

 

Special Category Personal Data 

Sometimes it is necessary to process Special Category Personal Data, defined below (also known as sensitive personal data), and we may do so under Article 9 of the UK GDPR and Schedule 1 of the DPA 2018 where one or more of the following applies:

• it is necessary to perform our public tasks (which are in the substantial public interest)
• it is necessary to comply with employment, social security or social protection laws
• it is necessary for legal claims
• it is information which has already been made public by you
• it is in the public interest for public health reasons
• it is necessary for medical purposes
• it is necessary for archiving, statistical and research purposes
• the use of special category information about you is necessary to protect you or someone else in an emergency
• we have your explicit consent to use the particular special category information about you

 

In some limited circumstances we may also need to collect and use criminal history information about you. We may do so where:

• it is in the substantial public interest
• it is necessary for any legal claims
• it is necessary to protect you or someone else in an emergency
• it is information which is already in the public domain
• we have your explicit consent to use criminal history information about you

 

Where we use sensitive personal data for law enforcement purposes, we will only do this where it relates to a pressing social need, which cannot reasonably be achieved through less intrusive means. Such processing will only take place if either one of the law enforcement purposes set out in the DPA 2018 is satisfied, or you have given your consent

 

What information we collect:

The council will only collect personal, special category personal or criminal/law enforcement

data where it is required to deliver a service or to meet a statutory requirement.

 

In general, the council collects the following types of personal data (dependent on the nature of the service(s) you are applying for or receiving).  This list is not exhaustive, but provides a general guide:

• first name
• family name or surname
• address
• telephone numbers (mobile/landline)
• email address (personal/work)
• date of birth
• identification numbers, i.e. National Insurance number, driver's license number, passport number
• finance/bank/payment details
• employment history
• education i.e. qualifications, training records
• family details i.e., next of kin
• business activities
• licenses or permits
• lifestyle and social circumstances
• physical description, appearance and behaviour
• services received
• visual images i.e., photographs, CCTV

 

The council will also collect information which is not unique to you i.e., gender, postcode.

 

Special Category Personal Data we collect

Special category data is personal data which needs more protection because it is more sensitive and requires a higher level of protection.  It is often information you would not want widely known and is very personal to you. This is likely to include anything that can reveal your:

• religious or philosophical beliefs
• race or ethnic origin
• physical or mental health
• trade union membership
• political opinions
• sexuality or sexual health
• genetic data
• biometric data (where used for identification purposes)

 

The law also requires us to take special care when handling information about criminal convictions and offences.

 

Why we collect your personal data

We collect personal, special category personal or criminal/law enforcement data to enable us to:

• manage the services we provide to you including improving quality and investigating any worries or complaints about those services
• promote the services we provide
• carry out corporate administration and all activities we are required to carry out as a data controller and public authority
• support internal financial and corporate functions by maintaining accounts and records
• support and manage employees
• ensure we meet our statutory obligations, including those related to health and safety and diversity and equal opportunities
• train, support and manage our staff
• planning new services
• registering and maintaining online customer accounts
• promote and market local tourism
• conduct public/health awareness campaigns
• respond to emergencies, major accidents or civil disasters
• provide leisure and cultural services
• carry out surveys and consultations
• carry out licensing and regulatory activities
• provide non-commercial activities i.e., refuse collections from residential properties
• manage Council facilities
• prosecute offences such as littering or food safety, and enforcement functions such as dog fouling or breach of planning regulation
• carry out law enforcement, including the detection and prevention of crime
• prevent and detect fraud and corruption in the use of public money
• carry out secondary purposes such as crime prevention and prosecution of including the use of CCTV
• make or defend legal claims and other legal purposes
• conduct committee meetings including virtual meetings
• manage archived records
• carry out any other purposes for us to perform our public functions, as long as this is necessary, lawful and appropriate in the circumstances

 

This list is not exhaustive but provides a general guide and each council service area may collect, share and store your information in a unique way in order to best deliver a service to you [Insert link to landing page]. 

 

How we collect your personal data

We get information about you from different sources and the following are an example of how we collect your personal data:

• when you apply for a job with us
• when you attend our premises for a specific purpose and provide your details
• face-to-face contact with officers who you interact with.
• through the submission of optional surveys and questionnaires
• registering births, deaths and marriages
• submitting planning and building control applications
• registering food and business premises with us
• licensing
• submitting feedback like complaints, compliments and comments
• submitting requests for information
• working in partnership with us
• emergency planning
• CCTV covering our property and land
• enforcement related action, including information recorded on body worn cameras and other recording devices [pending introduction of such action]

 

We collect data both directly, e.g. you have made a complaint to us, and indirectly, e.g. a NMD Be Active member gives your details as an emergency contact. You can find more details about how your personal data is collected in our [Insert link to landing page]

 

Our service areas may collect and use your information through consultation or surveys, in a way which is not covered by the relevant service privacy notice.  If they do, they will notify you as part of the consultation or survey and will publish the associated privacy notice at Consultations.

 

Personal data may be collected in a variety of ways, for example, through correspondence such as emails and letters, phone calls or completed forms.  It may be held in paper and electronic format but, will always be managed in a safe and secure manner.

 

Some areas of our website require you to actively submit personal data in order for you to benefit from specific features, for example, email, online forms or online payments. You will be informed at each of these personal data collection points what data is required and what data is optional. 

 

Some of this personal data may uniquely identify you, such as your name, address, email address, phone number, but we will only collect the personal data we need.

 

Personal data may be gathered without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies.

 

An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the internet. We collect IP addresses for the purposes of system administration and to audit the use of our site. Each time you log onto our site and each time you request one of our pages, our server logs your IP address. Although we log your session, it will not normally link your IP address to anything that can enable us to identify you. However, we can and will use IP addresses to identify a user when we feel it is necessary to enforce compliance with our rules or terms of service or to protect our service, site, users or others.  

 

Cookies

Like most websites we use 'cookies' to collect anonymous statistics about how people use the site, and to help us keep it relevant for the user. Please visit our Cookie Policy for more information.

 

How we use your personal data

We are the Data Controller for any personal information which we have collected, for example from online and paper correspondence or forms; by telephone, email, fax or in person; or when you visit the Council's website (i.e. your Internet Protocol (IP) address). This means that we collect the information and decide how it is used.

 

We use personal information to provide and manage services effectively. We do not share personal information unless it is necessary, lawful and appropriate to do so in the circumstances.

 

Sometimes you must, by law, give us personal information, such as information to register a birth, marriage or death. Not giving us this information can leave you at risk of a penalty, such as a fine or criminal proceedings.

 

In some cases you may be required to provide us with personal information under a contract.

 

The privacy notice for each service will clearly set out if there is any obligation on you to provide us with personal information.

 

We will always tell you why and how the information will be used. For some of our services, we need to collect personal information so we can get in touch with you or provide the service. Where we do not directly provide the service, we may need to pass your personal information onto the people who do. These providers must keep your details safe and secure, and only use them only for the request.

We take careful consideration to only collect and use personal information if we need it to deliver a service or meet a requirement. There will be instances where we will anonymise your data. For example, in a survey we may not need your contact details we'll only collect your survey responses.

 

We may need to use certain personal information about you to:

• provide council services to you, such as leisure centres
• promote and keep you informed about the services we provide
• carry out council functions, such as granting licenses for gambling, entertainments, etc.
• administer grants and funding
• prosecute offences such as littering or food safety, and enforcement functions such as dog fouling or breach of planning regulation
• carry out law enforcement, including crime and fraud prevention
• make or defend legal claims and other legal purposes
• keep track of spending on services and carry out money transactions including payments, grants and benefits
• manage our property
• check the quality of our services and to help with research and planning of new services, such as by consulting, informing and gauging your opinion
• carry out consultations and surveys
• train, support and manage our staff
• help investigate any worries or complaints you have about our services
• carry out secondary purposes such as crime prevention and prosecution of offenders including the use of CCTV
• ensure we meet our statutory obligations, including those to diversity and equal opportunities
• promote and market local tourism
• carry out corporate administration and all activities we are required to carry out as controller of personal data and as a public authority
• act in the event of emergencies or civil disasters
• carry out any other purposes in order for us to carry out our public functions, as long as this is necessary, lawful and appropriate in the circumstances
• allow the carrying out of technical maintenance, security and support of council ICT systems

What we ask of you

That you provide us with accurate and up to date personal data

That you inform us of any changes to your personal data  

That you inform us of any error or inaccuracies

 

Who do we share your personal data with

We use a range of organisations to either store personal information or help deliver our services to you.

 

The following is a broad summary of the types of organisations your personal information may be shared with. You can find more detailed information on how and with who individual council services share personal information in the service specific privacy notices. [Insert link to landing page]

 

Internally

To provide appropriate, timely and effective services, we may share basic information about you such as your name or address between services within the council. This is so we can keep our information on you as up to date as possible and so we can improve our services to you. However, we ensure that staff within the council can only access the information they need to do their job.

 

Partner organisations under Data Sharing Agreements or protocols

We have data sharing arrangements in place with local agencies and partner organisations, who we work with to provide certain services to you. Under data sharing arrangements, certain personal information is shared for a specific purpose. The agency or organisation receiving the information must only use that information to carry out that specific purpose and keep your data safe and secure.

 

For example, personal data may be shared between us and Department for Infrastructure in order to provide information on planning matters.

 

We may also sign up to or follow local or national protocols, such as the National Fraud Initiative, which requires us to share particular personal information in a certain way.

 

Third Parties:

Sometimes the law requires that we have to pass on your personal information to a third party. For example, personal information may be provided to the courts, either because the court has ordered such information to be provided, or because we require a court order to do something, such as enforcing a planning regulation or resolving a dispute over land ownership.

 

Even if not required to do so by law, we may also share your personal information where we feel that there is an overriding reason to do so. For all of these reasons the risk must be serious before we can override your right to privacy. This does not happen often, but we may share your information with a third party in order to:

• find and stop crime and fraud
• protect the public, our staff or other professionals against any serious risks including harm
• protect a child, for example where we suspect they may be subject to harm or abuse, or may be about to be subject to harm or abuse, their needs are not being met, or they are at risk in some other way
• protect adults who may be exposed to a risk of harm or who may need protecting from any form of harm or abuse, for example if they are confused or cannot understand what is happening and are unable to protect themselves or keep themselves safe

 

Third parties we may share personal information with include (but are not limited to):

• those who assist us in providing services, and who perform technical operations such as data storage
• families, guardians, carers, associates and representatives of the people whose personal data we are processing (including legal advisers and counsel)
• local and central government departments (such as Department for Communities, His Majesty's Revenues and Customs (HMRC))
• current, past and prospective employers
• educators and examining bodies
• healthcare, social and welfare organisations
• providers of goods and services
• financial organisations
• press and the media
• professional advisors and consultants
• professional bodies
• voluntary and charitable organisations
• religious organisations
• the National Fraud Agency
• ombudsman and regulatory authorities
• courts and tribunals
• enforcement agents
• police forces
• regulatory bodies
• customs and excise
• law enforcement and prosecuting authorities, including international law enforcement and examining bodies

 

We will not sell or give your personal information to a third party for marketing purposes unless we have your permission.

 

Automated decision making and profiling

‘Automated decision making’ is where decisions are made about you by a computer, without any human involvement. If any of our services carry out any automated decision making using your personal information, this will be explained in the service specific privacy notice.

 

‘Risk profiling’ is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.

 

If we use your personal information to profile you to deliver the most appropriate service, we will tell you.

 

If you are worried about us using automated decision making or profiling, you can contact our Data Protection Officer who will be able to tell you how we are using your information.

 

Keeping your personal information

The majority of personal information is stored on systems in the UK. But there are some occasions where your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside of the EU.

 

We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party.  We will take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.

 

If we need to send your information to an ‘unsafe’ location, we will always seek advice from the Information Commissioner first. 

 

We will do what we can to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Examples of our security include:

 

Our IT systems are robustly tested and monitored to ensure they provide maximum security:

• Email filter

• Firewalls

• Anti-virus defence

• Patches
• System Back-ups

• Disaster Recovery

 

All security protocols and procedures are routinely monitored and enhanced to ensure data protection compliance.

 

Our Retention and Disposal Schedule, approved by the Public Record Office Northern Ireland (PRONI) and ratified by the Northern Ireland Assembly, provides information on the legal, statutory or business rationale for retaining Council records including those holding personal data.

 

We may also retain personal data solely on the basis that you have provided your consent for this to happen.  If you wish to withdraw your consent, you can do so and request we delete and destroy your data, by writing to the relevant department (if known) or directly to our Data Protection Officer asking for this to happen. Your personal data will be reviewed to establish if the law permits its deletion and destruction. 

 

We will only hold your personal information for as long as needed and in line with legal requirements or industry guidelines and will be disposed of in a secure manner when no longer needed.

 

The storage time for personal information varies between our services. See how long each of our services store your information [Insert Link to landing page]

 

Children

Children have all the same basic rights as adults but merit additional specific protection. The council will abide by all the data protection principles when dealing with children.

 

If the Council has any reason to deal with children’s personal data it will:

• design our processing with children in mind from the outset
• always use age-appropriate language
• make sure that Council processing is fair and complies with the data protection principles.
• as a matter of good practice, use Data Protection Impact Assessments to help us assess and mitigate the risks to children.
• consult with children as appropriate when designing our processing.
• when relying on consent, make sure that the child understands what they are consenting to, and will not exploit any imbalance in power in the relationship between us.

(Only children aged 13 or over are able to provide their own consent. If the Council is dealing with children under this age it will require consent from whoever holds parental responsibility for the child).

• when relying on ‘necessary for the performance of a contract’, consider the child’s competence to understand what they are agreeing to, and to enter into a contract.

 

Data Matching

We are required by law to protect the public funds we administer. We may share information provided for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

 

The NI Audit Office is responsible for carrying out data matching exercises.

 

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see if they match. This is usually personal data. 

 

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency, which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

 

We participate in the National Fraud Initiative to assist in the prevention and detection of fraud.   We are required to provide personal data to the Comptroller and Auditor General or his agent for data matching under legislative powers included in the Audit and Accountability (NI) Order 2003, articles 4A to 4H.  The use of data in a data matching exercise does not require the consent of the individuals concerned under the DPA 2018 or the UK GDPR.

 

Data Protection Registration

As a Data Controller, we are registered with the Information Commissioner's Office (ICO). You may view our Data Protection Registration entry by searching for our registration number ZA057622 on the Information Commissioner's website www.ico.org.uk.

 

Monitoring of email

We may monitor your email and other online communications we receive (including members of staff).  Any such monitoring will take place in accordance with the law.  See Email Disclaimer for more information [Insert link]

 

Getting help

If you have any worries or questions about how your personal information is handled please contact our Data Protection Officer:

E: info@nmannd.org

T: 0330 137 4009

A: Data Protection Officer, Newry, Mourne and Down District Council, Downshire Civic Centre, Ardglass Road, Downpatrick BT30 6GQ

 

If you have any concerns about the way we use your personal information, we would ask you to come to us first for help.  You do, however, have the right to complain to the Information Commissioner’s Office (ICO).  The ICO regulates compliance with the UK GDPR and DPA 2018 within the UK and may carry out an assessment, audit or investigation to establish whether we are compliant with the legislation.

 

You can contact the ICO:

E: casework@ico.org.uk / ni@ico.org.uk

Northern Ireland Office

T: 0303 123 1114

A: The Information Commissioner’s Office – Northern Ireland, 10th Floor, Causeway Tower, 9 James Street South, Belfast, BT2 8DN

Head Office

T: 0303 123 1113 (local rate) or 01625 545 745 (national rate number)

A: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

W: ico.org.uk