1. Data protection principles

The GDPR and Data Protection Act places legal obligations on us to comply with the data protection principles. These principles are there to protect your personal data and make sure that we:

  1. process all personal information lawfully, fairly and in a transparent manner
  2. collect personal information for a specified, explicit and legitimate purpose only
  3. ensure the personal information processed is adequate, relevant and limited to the purposes for which it was collected
  4. ensure the personal information obtained is accurate and up-to-date
  5. retain personal data for no longer than is necessary for the purpose it was processed
  6. keep your personal information safe and secure, and protect its integrity and confidentiality.

The following information will explain how we collect and manage personal data about you.

2. Rights of individuals

The GDPR gives you rights relating to the processing of your personal data, which are:

  1. Right to be informed – individuals must be provided with ‘fair processing information’ through privacy notices. There must be transparency at the point of collection on how the information will be used and there is an emphasis on providing you with clear and concise privacy notices.
  2. Right of access – individuals must be able to access their data to ensure that it is being processed lawfully. This is commonly referred to as a 'subject access request'. Individuals can make a subject access request verbally or in writing. This right always applies, however, there are exemptions, which means you may not always receive all the information we process.
  3. Right to rectification – individuals have the right to have inaccurate personal data rectified or completed if incomplete. This right always applies.
  4. Right to erasure – individuals have the right to have personal information deleted or destroyed. This is also known as the ‘right to be forgotten’. This is not absolute and only applies in certain circumstances.
  5. Right to restrict processing –individuals can request the restriction or suppression of their personal data. This is not absolute and only applies in certain circumstances.
  6. Right to data portability – enables individuals to reuse and transfer their personal data across IT systems for their personal use, from one data controller to another without affecting its usability. This right only applies to information you have given us and in certain circumstances.
  7. Right to object – individuals have the right to object to processing we undertake as part of a public task or in our legitimate interests. This is not absolute and only applies in certain circumstances. Individuals can object to the processing of personal data for direct marketing purposes. They also can object to processing for scientific, historical research or statistical purposes, unless it is necessary for public interest reasons.
  8. Rights in relation to automated decision-making and profiling - automated decision-making is a decision made by automated means without any human involvement. Individuals have the right in certain circumstances not to be subject to a decision based solely on automated processing, including profiling, which significantly affects him or her. Individuals also have the right to understand the reasons behind decisions made by automated processing and the possible consequences of the decisions.

You are usually not required to pay any charge for exercising your rights. You can make a request verbally or in writing and we have one calendar month to respond to you.

Data controller

Belfast City Council is the ‘data controller’ for the personal data that it gathers from members of the public, internal staff, external contractors and other individuals who interact with us.

We have a dedicated Data Protection Officer who you can contact by email at dataprotection@belfastcity.gov.uk or by writing to:

Data Protection Officer
Belfast City Council
City Hall
Belfast
BT1 5GS

Lawful basis for processing personal data

We process personal data for specific purposes and these purposes will determine the lawful basis for the processing. This is addressed under Article 6 of GDPR. The lawful basis for processing by us as a public authority will be one or more of the following:

  1. An individual has given consent for their personal data to be processed for a specific purpose.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which we are subject.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
  6. Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are over-ridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

Consent

There may be occasions when consent is the only lawful basis we have to process your personal data. When this occurs, we will endeavour to seek your consent at the time we gather your personal data. You will normally be asked to provide a signature or indicate consent by ticking a box, but this will only be carried out after a full explanation has been provided and you are clear as to what you are consenting to.

Consent is a core principle of data protection law and the GDPR sets a high standard for this. It must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to the individual.

Special Category Personal Data

When it is necessary to process Special Category Personal Data (also known as sensitive personal data), defined below, one of the following conditions under Article 9 of GDPR must apply:

  • Individuals have given explicit consent to processing for a specified purpose
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law (if authorised by law)
  • processing is necessary to protect the vital interests of an individual or another living person where the individual is physically or legally incapable of giving consent
  • processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the personal data is not disclosed outside that body without the consent of the data subjects
  • processing relates to personal data of an individual which is clearly made public by that individual
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • processing is necessary for reasons of substantial public interest (with a basis in law)
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee (with a basis in law)
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health or ensuring high standards of quality and safety of health care (with a basis in law).
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purpose (with a basis in law).

Types of personal data we collect

We collect the following types of personal data. This list is not exhaustive, but provides a general guide:

Personal information

  • first name
  • family name or surname
  • address
  • telephone numbers
  • date of birth
  • age
  • health data
  • qualifications
  • training records
  • financial information
  • licensing information
  • enforcement information
  • complaint information

Special category personal data

Special category data is personal data, which GDPR considers sensitive and requires a higher level of protection. Therefore, we will apply additional security and access measures to this type of personal data. Special category personal data is defined as information that reveals an individual’s:

  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where this is used for identification purposes)
  • health data
  • sex life or sexual orientation

Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.

Why we need your information

  • to provide you with a public service
  • contact you by post, email or telephone
  • update your records
  • establish your needs and subsequently provide you with the assistance that you require
  • prevent and detect fraud and corruption in the use of public money
  • obtain your opinion about our services
  • inform you of other relevant council services and benefits
  • ensure we meet our legal obligations including those related to diversity and equality
  • to protect citizens from harm or injury
  • for law enforcement functions, for example, licensing, planning, trading standards and food safety where we are legally obliged to undertake such processing
  • where the processing is necessary to comply with legal obligations, for example, the prevention and detection of crime
  • to assist us in responding to emergencies or major accidents. This allows us, in conjunction with the emergency services, to identify individuals who may need additional help and support.

How we collect your personal data

The following are examples of how we collect your personal data:

  • when you apply for a job with us
  • when you attend our premises for a specific purpose and provide your details
  • through the submission of optional surveys and questionnaires
  • submitting planning and building control applications
  • registering births and marriages
  • submitting feedback like complaints, compliments and comments
  • working in partnership with us
  • emergency planning
  • CCTV covering our property and land
  • enforcement related action, including information recorded on body worn cameras and other recording devices
  • licensing
  • face-to-face contact with BCC officers who you interact with.

The personal data may be collected in a variety of ways, for example, through correspondence such as emails and letters, or phone calls or completed forms. It may be held in paper and electronic format, but will always be managed in a safe and secure manner.

Some areas of our website require you to actively submit personal data in order for you to benefit from specific features, such as our range of online services, for example, email, online forms or online payments. You will be informed at each of these personal data collection points what data is required and what data is optional.

Some of this personal data may uniquely identify you, such as your name, address, email address, phone number, but we will only collect the personal data we need.

Personal data may be gathered without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies. An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the internet. We collect IP addresses for the purposes of system administration and to audit the use of our site. Each time you log onto our site and each time you request one of our pages, our server logs your IP address.

Although we log your session, it will not normally link your IP address to anything that can enable us to identify you. However, we can and will use IP addresses to identify a user when we feel it is necessary to enforce compliance with our rules or terms of service or to protect our service, site, users or others.

Cookies on our website

We use a number of cookies on our website. Find out more about our use of cookies.

How we use your personal data

All the personal data processed by us is held within the UK or on computer servers within the European Economic Area. No outside organisation is allowed access to your personal data unless the law permits this to happen.

We will use the personal data we collect to ensure you receive a proper service and to improve your interaction with us on a wide range of matters.

The data is used to manage your specific needs and keep you informed about Council matters such as changes to services, initiatives and events, dealing with complaints, engaging contractors and dealing with enforcement action.

We will inform you at the time your data is gathered, why it is required and what it will be used for, both of which will be explained to you (known as fair processing information) in a privacy notice.

We will ensure that there are effective safeguards and systems in place to make sure personal information is kept safely and securely. We will provide awareness training to staff who handle personal information, and treat it as a disciplinary matter if they misuse or do not look after personal information properly.

What we ask from you

  1. That you provide us with accurate and up to date personal data.
  2. That you inform us of any changes to your personal data.
  3. That you inform us if you find any error or inaccuracies.

Disclosure of personal data

Your personal data will not be shared or disclosed to any other individual or organisation without your consent or unless the law permits or places an obligation on us to do so.

Where this criteria is met, we may share your personal data with other internal council departments to ensure we can manage your issues or requirements appropriately.

We also work closely with Central and Local Government departments throughout Northern Ireland and Great Britain and, where the above-mentioned criteria is met, may share personal data with these departments, and other statutory and non-statutory organisations for various projects and initiatives. In line with the above-mentioned criteria, we may also share personal data with the Police Service of Northern Ireland, Her Majesty’s Revenue and Customs and other law enforcement agencies for lawful purposes, including the prevention and detection of crime and animal welfare.

We may also use external organisations to carry out services on our behalf and this requires providing them with access to your personal data. These organisations will act as Data Processors for us and they are legally obliged to keep your personal data secure and only process it under the specific direct instructions issued by us and in line with data protection legislation.

We will not supply your information to any other organisation for marketing purposes without your prior consent.

How long we retain personal data

We are required to keep personal data for specified time periods to meet our statutory obligations, and business needs. We have developed a retention and disposal schedule that has been approved by the Public Record Office Northern Ireland (PRONI) and the Northern Ireland Assembly. Personal data is held for different time periods due the specific purpose it was gathered for or because the law compels we do so in this manner.

We may also retain personal data solely on the basis that you have provided your consent for this to happen. If you wish to withdraw your consent, you can to do so and request we delete and destroy your data, by writing to the relevant department (if known) or directly to our Data Protection Officer asking for this to happen.

Your personal data will be reviewed to establish if the law permits its deletion and destruction. Your personal data will only be held as long as necessary and permitted by law and will be disposed of in a secure manner when no longer needed.

Children

Children have all the same basic rights as adults and some additional specific protection. We will abide by all the data protection principles when dealing with children.

When we are dealing with children we will require consent from whoever holds parental responsibility for the child. If we are offering an online service, only children aged 13 or over are able to provide their own consent.

If we have any reason to deal with children’s personal data we will:

  • design our processing with children in mind from the outset
  • always use age appropriate language
  • make sure that the processing is fair and complies with the data protection principles.
  • as a matter of good practice, use Data Protection Impact Assessments to help us assess and mitigate the risks to children
  • consult with children as appropriate when designing our processing
  • when relying on consent, make sure that the child understands what they are consenting to, and will not exploit any imbalance in power in the relationship between us
  • when relying on ‘necessary for the performance of a contract’, consider the child’s competence to understand what they are agreeing to, and to enter into a contract.

Data matching

We are required by law to protect the public funds we administer. We may share information provided for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The NI Audit Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see if they match. This is usually personal data.

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency, which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

We participate in the National Fraud Initiative to assist in the prevention and detection of fraud. We are required to provide personal data to the Comptroller and Auditor General or his agent for data matching under legislative powers included in the Audit and Accountability (NI) Order 2003, articles 4A to 4H. The use of data in a data matching exercise does not require the consent of the individuals concerned under the Data Protection Act 2018 or the GDPR.

Data Protection Registration

As a Data Controller, we are registered with the Information Commissioner's Office (ICO). You may view our Data Protection Registration entry by searching for our registration number ZA104779 on the Information Commissioner's website www.ico.org.uk

Monitoring of email

We may monitor your email and other online communications we receive (including members of staff). Any such monitoring will take place in accordance with the law.

Information Commissioner's Office

The ICO regulates compliance with the GDPR and Data Protection Act within the UK. If you consider us to have breached any of the requirements of the legislation, you may contact the ICO who may carry out an assessment, audit or investigation to establish whether we are compliant with it,

The ICO can be contacted at:

Information Commissioner’s Office – Northern Ireland
3rd Floor
14 Cromac Place
Belfast
BT7 2JB

Telephone: 028 9027 8757 or 0303 123 1114

Email: ni@ico.org.uk

Web: www.ico.org.uk

Notification of changes to our privacy statement

We will post details of any changes to our privacy statement on this website to help make sure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.

This privacy statement was updated in May 2020.

Further information

To find out more information about the use of your data or to make a subject access request for copies of your personal data held by us, please get in touch with the relevant department directly. Or you can contact our Data Protection Officer by email dataprotection@belfastcity.gov.uk