Havering data privacy statement and your data rights
This is our privacy statement. It outlines your rights regarding the personal details we store about you.
London Borough of Havering (‘the Council’ or ‘we’ or ‘us’ or ‘our’) gather and process your personal information in accordance with this privacy notice and in compliance with the relevant data protection law. This notice provides you with the necessary information regarding your rights and obligations, and explains how, why and when we collect and process your personal data.
London Borough of Havering’s registered office is at Havering Town Hall, Main Road, Romford, RM1 3BB, and acts as the Data Controller.
Our designated Data Protection Officer for the organisation is Lauren White, at oneSource, who can be contacted at:
Access to Information Team
London Borough of Havering
Havering Town Hall
Or via email:
Why we collect personal information
We may collect and process personal data about you in order to comply with any legal or statutory obligations, or in order to enforce or apply our contracts with you or where you have consented to the processing. This includes, but is not limited to, information you or your legal representative provide when:
- you/they contact us in person, on our website, over the telephone, by e-mail or by post
- you apply for a job vacancy with us
- you receive a service from us
How we use your personal data
The Council takes your privacy very seriously and will never disclose, share your personal data without your knowledge, unless required to do so by law.
We only retain your data for as long as is necessary and for the purposes specified in this notice. Where you have consented to us processing your personal data, you are free to withdraw consent at any time.
The purposes and reasons for processing your personal data are to:
- ensure that content from our website is presented in the most effective manner for you and for your computer/device
- verify your identity
- ensure the data we hold about you is accurate and up to date
- process job applications;
- deliver services and support to you
- manage those services we provide to you
- better inform decisions about how we deliver and promote our services, ensuring best use of our resources
- investigate and respond to complaints
- train and manage the employment of our workers who deliver those services
- help investigate any worries or complaints you have about your services
- keep track of spending on services
- check the quality of services
- help with research and planning of new services
- notify suppliers and local authorities about your new property and about any property we have purchased from you in part exchange
- provide you with information, products or services that you request from us
- notify you about changes to our services
- support and maintain our network, systems and applications
- manage and support the Councillors enquiries
- comply with legal obligations to process and share data with government agencies, statutory bodies, police and health
- comply with contractual arrangements to provide services for the Council
- comply with security requirements
There are a number of legal reasons why we need to collect and use your personal information.
Generally we collect and use personal information where:
- you, or your legal representative, have given consent
- you have entered into a contract with us
- it is necessary to perform our statutory duties
- it is necessary to protect someone in an emergency
- it is required by law
- it is necessary for employment purposes
- it is necessary to deliver health or social care services
- you have made your information publicly available
- it is necessary for legal cases
- it is to the benefit of society as a whole
- it is necessary to protect public health
- it is necessary for archiving, research, or statistical purposes
If we have consent to use your personal information, you have the right to remove it at any time.
We only use what we need
Where we can, we’ll only collect and use personal information if we need it to deliver a service or meet a requirement.
If we don’t need personal information we’ll either keep you anonymous if we already have it for something else or we won’t ask you for it. For example in a survey we may not need your contact details we’ll only collect your survey responses.
If we use your personal information for research and analysis, we’ll always keep you anonymous or use a different name, unless you’ve agreed that your personal information can be used for that research.
Sharing and disclosing your personal information
We do not share or disclosure any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement.
The Council uses third-parties to provide the below services and business functions, however all processors acting on our behalf only process your data in accordance with instructions from us and comply fully with this privacy notice, the data protection laws and any other appropriate confidentiality and security measures.
We may disclose your information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our contracts with you; or to protect our rights, or our safety and/or the safety of our service users, or others.
We may also disclose your information to our suppliers and contractors to provide information to you on our behalf and/or in order to fulfil our legal and statutory obligations.
We will share your personal information with suppliers of services in respect of any service you receive from us.
We will share your information with relevant government agencies where it is necessary, or we have a legal obligation to do so.
We do not sell your information to anyone else.
Your personal data is not transferred outside the EEA unless it is necessary and in compliance with the requirements of data protection law.
How long we keep your data
The Council only ever retains personal information for as long as is necessary and we have retention policies in place to meet these obligations.
We are required under some laws or regulations to retain your personal data for a set period of time for example.
Where there is nothing laid down by law we will make a business decision, taking into account the necessity of the processing in order to define the retention period.
Where you have consented to us using your details, we will keep such data until you notify us otherwise and/or withdraw your consent.
The right of access to your information
You have the right to access any personal information that the Council processes about you and to request information about:
- what personal data we hold about you
- the purposes of the processing
- the categories of personal data concerned
- the recipients to whom the personal data has/will be disclosed
- how long we intend to store your personal data for
- if we did not collect the data directly from you, information about the source
This is called a Subject Access Request (SAR).
Can an individual make a request on behalf of someone?
An individual may prefer a third party (eg a relative, friend or solicitor) to make a SAR on their behalf.
However, Havering Council needs to be satisfied that the third party making the request is entitled to act on behalf of the individual.
It is the third party’s responsibility to provide us with evidence of this eg providing a written authority, signed by the individual, stating that they give the third party permission to make a SAR on their behalf or evidence of power of attorney.
Subject access requests on behalf of an adult who may lack mental capacity
Clients who lack mental capacity may already have someone appointed to act on their behalf, for example a Lasting Power of Attorney (formerly Enduring Power of Attorney), a Deputy from the Court of Protection, a Mental Capacity Advocate who makes decisions for them or a litigation friend.
The Mental Capacity Act: Code of practice gives advice on how to ascertain if people have mental capacity and if not how to proceed.
If you are making a subject access request/data request on behalf of someone who lack’s mental capacity, please make this clear in your request and provide evidence for this so we can deal with the request appropriately.
These will be considered on a case by case basis even when formal appointments haven’t been agreed or in place.
The right to have inaccurate data corrected
If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to update/correct it as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.
You should let us know if you disagree with something written on your file.
We may not always be able to change or remove that information but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.
The right to erasure (or be forgotten)
In some circumstances you can ask for your personal information to be deleted, for example where:
- your personal information is no longer needed for the reason why it was collected in the first place
- you have removed your consent for us to use your information (where there is no other legal reason us to use it)
- there is no legal reason for the use of your information
- deleting the information is a legal requirement
Where your personal information has been shared with others, we will do what we can to make sure those using your personal information comply with your request for erasure.
Please note that we can’t delete your information where:
- we’re required to have it by law
- it is used for freedom of expression
- it is for public health purposes
- it is for, scientific or historical research, or statistical purposes
- where it would make information unusable
- it is necessary for legal claims
The right to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for, where:
- you have identified inaccurate information, and have told us of it
- where we have no legal reason to use that information, but you want us to restrict what we use it for rather than erase the information altogether.
When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.
You have the right to ask us to stop using your personal information for any Council service. However, if this request is approved this may cause delays or prevent us delivering that service.
Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.
The right to move your personal data to another provider (data portability)
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.
However, this only applies if we’re using your personal information with consent (not if we’re required to by law), and if decisions were made by a computer and not a human being.
It’s likely that data portability won’t apply to most of the services you receive from the Council.
You can ask to have any computer made decisions explained to you, and details of how we may have ‘risk profiled’ you.
You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.
You also have the right to object if you are being ‘profiled’; where your personal information is used to make more informed decisions about things that affect you.
If and when the Council uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.
If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how we use your information.
If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the relevant request; this is to ensure that your data is protected and kept secure.
Where you have consented to us using your details, you can withdraw that consent at any time by contacting us directly by telephone, email or letter using the contact details below.
Our communications with you
We try to ensure that our communications are as effective as possible so that we make the best use of the money we spend on them. This means communicating with people in different ways, appropriate to them.
On occasion, we will use information you have given us directly, to tailor our communications with you about future activities. We will also use information about how you use our website or interact with our emails so we can make them more effective.
Lodging a complaint
The Council only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority. (The Information Commissioners Office)
London Borough of Havering
Customer Insight, Information and Investigations Team
Town Hall, Main Road, Romford, RM1 3BB
Information Commissioners Office (ICO)
Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF.
Tel: 0303 123 1113 (local rate) or 01625 545745
Havering – Data Protection Registration – Z6044618
Havering – Births Death and Marriages – Z7094498
Havering - Electoral Registration – Z7124701
When you make use of a service with the Council, the personal data you provide is required for statutory reasons, legal reasons, contractual reasons or we have gained your consent.
You are not obligated to provide your personal information to the Council, however, as this information is required for us to provide you with our services, unless you withdraw your consent, if obtained, we will not be able to offer our full range of services without it.
The Council takes your privacy seriously and we take every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction, and have several layers of security measures in place both technically and by means of training and policies. The Council also has annual independent technical health checks and system audits.
OneSource shared service
OneSource is a shared back office support service for Havering, Newham and Bexley Councils.
We provide a shared service solution covering a range of transactional, operational and strategic services.
There is a data sharing agreement between the Councils to share resources.
OneSource services include HR, Finance, Payroll, Legal, Facilities Management and ICT.
Use of 'cookies'
They collect statistical data about your browsing actions and patterns and do not identify you as an individual.
Links to other websites
Our website may contain links to other websites run by other organisations.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
Transferring your information outside of Europe
On exceptional occasions we transfer data outside of the UK and Europe. The information which you provide to us may be transferred to countries outside the European Union (“EU”). By way of example, application support, the use of a hosted solution or a social care matter. If data is hosted or transferred we ensure that the Council is compliant with the data protection laws and that there is adequate and appropriate protection of the data.
As the UK will be subject to Article 45 of the GDPR, data transfers will only be permissible if we comply with one of the following:
- Transfers will be permissible if the country is approved to have an adequate level of data protection and formally accepted as an ‘adequate’ third country.
- Transfers can be made if the UK makes use of model contractual clauses (approved by the European Commission and/or the relevant Supervisory Authority).
- Transfers can be made if the UK makes use of ad-hoc contractual clauses (approved by the relevant Supervisory Authority).
- Transfers may be made on the basis of approved codes of conduct/approved certification mechanisms; or Supervisory Authority agreed binding corporate rules (BCRs) may be used to transfer data to/from the UK, when dealing with transfers between organization within a corporate group (probably not applicable to councils).
National Data Opt-Out
The National Data Opt-Out service was introduced as part of the National Health Service (NHS) in the UK. It replaced the previous "Type 2" opt-out and came into effect on 25 May 2018, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The national data opt-out applies to data for patients/clients where their care is provided in England by a publicly funded organisation or the care has been arranged by a public body such as the NHS or a Local Authority.
By using the National Data Opt-Out service, individuals can choose to prevent their confidential patient information from being used for research or planning purposes, such as improving healthcare services or conducting medical research.
There are instances where we may be required to disclose confidential information about you with organisations across the health and social care system in England for purposes beyond your direct care.
- research into the improvement of new treatments
- plan services
- improve the value and standards of care delivered
- monitor safety
- avoid illness and diseases
To opt out, individuals can visit the official NHS National Data Opt-Out website or by calling the helpline 0300 303 5678.
They will be provided with options to select what types of data they want to opt out of sharing. The service applies to confidential patient information held within the NHS in England.
If you are happy for your data to be extracted and used for purposes described in this privacy notice, then you will not need to do anything.
Please note you can change your mind on this at any time.
The Council will respect your decision unless we are not legally obliged to do so.