Privacy notices

Purpose of this notice

The London Borough of Croydon (LBC) is committed to protecting your privacy when you use our services. This privacy notice explains who we are, how to contact us, how we use your personal data, who we share your personal data with and how we protect your privacy.

We provide a range of statutory and other services to local people and businesses and collect personal data for many businesses. At the top of this webpage, you will see a list of the services we provide. Under each service is more detailed information about how we use your information for specific services, who we may share your information with and why.

We will ensure we use simple and clear English to explain how data protection law applies to you.

Legal Terminology

See below some complex words that may be difficult to understand.

Data Subject: Is a living person whose personal data is being processed and can be
identified from the data.

Data Processor: Is a person or organisation that process personal data on behalf 
of a data controller.

Data Controller: Is a person or organisation that decides how and why personal data is processed.

Data Protection Legislation: Regulates how personal data is used and protects individuals’ privacy rights. Data Protection Act 2018 and the General Data Protection Regulations (GDPR) are the main pieces of legislation that govern data protection.

Who we are

London Borough of Croydon is registered as a data controller with the Information Commissioner’s Office (ICO) and we are regulated under the United Kingdom General Data Protection Regulations and Data Protection Act 2018.

Croydon Council, 
Bernard Weatherhill House, 
8 Mint Walk, Croydon, 
CR0 1EA

Our ICO Registration Number is Z54399989.

Our Data Protection Officer is Abimbola Dongo. 

Get independent advice

For independent advice about data protection, you can contact the Information Commissioner’s Office at:

Information Commissioner’s Office, 
Wycliffe House, 
Water Lane, 
Wilmslow, 
Cheshire, 
SK9 5A

Email casework@ico.org.uk or call 0303 123 1113.  

Personal data

Personal data can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify you. Examples of personal data could be your name, address, telephone number, date of birth or financial information.

Personal data referred to as “special”

Some data is categorised as “special category data” and needs more protection due to its sensitivity. Often, it is information that is very personal to you. The types of data defined in this way include:

• racial or ethnic origin
• religious or other beliefs of a similar nature
• physical or mental health or condition
• sexuality or sexual health
• trade union membership
• genetic or biometric data
• political opinion
• physical or mental health
• criminal history

Why we collect and use your personal information

We can collect personal data directly from you or from our third parties. We will comply with data protection principles which is set out in the London Borough of Croydon Data Protection Policy by ensuring there is a legal basis in place for the processing activities and the purpose for collecting the data. 

We may collect some of the following  information depending on our services and the purpose of processing: 

• identity (name, date of birth, gender, passport, National Insurance number, family details)
• contact (address, email address, telephone numbers)
• technical (IP address)
• social data (lifestyle, housing needs)
• education (student and pupil records)
• financial (bank account details, payment card details, transaction date, salary, benefits)
• staff records (pensions, appraisals, nationality)
• business activities (employment, licenses and permits held)
• commercial Services data (services used)
• visual images, personal appearance and behaviour
• case file information

We may also collect some special category data, as detailed above. 

We can request for criminal convictions data in some circumstances which would consist of criminal offences, including alleged offences.     

Using your information to deliver services

 We may need to use some information about you to deliver services to you, for example:

• We cannot collect your rubbish if we do not know your address.
• Deliver and manage the services and supports we provide to you.
• Vital interests of the data subject for example, life or death situation
• Help investigate any complaints or worries you have about the services provided to you.
• Train and manage employees or volunteers who deliver those services.
• Keep track on spending on services.
• Check the quality of services. 
• To help with research and planning new services.

Each service is responsible for setting out the purpose of their processing activities and legal basis of processing.

How the law allows us to use your personal information

We will collect, store and use the personal information you provide to us in accordance with the law.

There are a number of legal reasons why we need to collect and use your personal information. Each privacy notice from the menu on the top explains for each service which legal reason(s) is being used to process your personal information.

Generally, we collect and use your personal information where:

• you, or your legal representative, have given consent
• you have entered a contract with the council
• the data is necessary to perform our statutory duties, or it is required by law
• it is necessary to protect you or someone in an emergency
• it is necessary to perform a task carried out in the public interest

If we have consent to use your personal information, you have the right to remove the consent at any time. If you want to remove your consent, please contact information.management@croydon.gov.uk and tell us which service you are using so we can deal with your request.

We only use what we need

Where we can, we will only collect and use your personal information for the specified purpose for which it was collected except where the law allows us to use it for another purpose. We shall keep your personal information accurate and up to date. It shall not be kept longer than necessary and shall be relevant and not excessive in relation to the purpose or purposes for which it was collected.

If we do not need personal information, we will keep your information anonymous. For example, in a survey we may not need your contact details but only your survey responses. If we use your personal information for research and analysis, we always keep you anonymous unless you have agreed that your personal information can be used for that research or opt-out under the National Data Opt-Out (NDOO).

Your rights

The law gives you several rights to control what personal information we use and how it is used. These are some of your rights:

You can ask for access to the information we hold about you

This applies to your personal information that is in both paper and electronic records. You can ask for your records by contacting the Information Management team at SAR@croydon.gov.uk.

When we receive a request in writing, we will give you access to everything we have recorded about you. However, we cannot disclose any part of your record which contains:

• Confidential information about other people.
• Data which is likely to cause serious harm or distress to you or likely to affect your physical or mental wellbeing. 
• If we think that giving you the information may stop us or any law enforcement agency from preventing or detecting a crime.

If you cannot ask for your records in writing, we will make sure there are other ways that you can ask for your information.

If you have any concerns regarding making a request in writing, please telephone 020 8760 5444 to speak to a member of the Information Management Team.

You can ask to change information you think is inaccurate

You should let us know if you disagree with something written on your file, we may not always be able to change or remove that information, but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

You can ask us to delete information (the “right to be forgotten”)

You have the right to ask us to delete your personal information, for example, where your personal information is no longer needed for the reason why it was collected in the first place, or where you have withdrawn your consent for us to use your personal information and there is no legal obligation for us to use it. Where your personal information has been shared with others legally, we will use reasonable endeavours to make sure the third  party also deletes your data where you request this.

You can ask us to limit how we use your personal information

You have the right to ask us to restrict what we use your personal information for, for example, you have identified inaccurate information and have told us about it, or where you want us to restrict what we use it for than erasing the information altogether.

You can ask to have your information moved to another provider 

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This only applies where we are using your personal information with your consent and not if we are using it under any other legal basis.

Your right to ask for computer made decisions to be explained to you and to request details of how we may have “risk profiled” you

You have the right to question decisions made about you by a computer unless it is required for any contract you have entered to require by law, or you have consented to it.

You also have the right to object if you are being “profiled”. Profiling is where decisions are made about you based on certain things in your personal information for example, your health condition.

When the council uses your personal information to profile you, to deliver the most appropriate service to you, you will be informed.

You can exercise any of these rights by contacting us at information.management@croydon.gov.uk and providing details of the right you wish to exercise and the service involved.

Who we share your information with

We use a range of organisations to either store personal information or help deliver our services to you. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with the law. We will often complete a Data Protection Impact Assessment (DPIA) before we share personal information to make sure we protect your privacy and comply with the law.

Sometimes we have a legal duty to share your personal information with other organisations. This may be because we need to give that data to the courts, including:

• if we take a child into care
• if the court orders that we provide the information
• if someone is taken into care under the mental health law

We may also share your personal information when we feel there is good reason that is more important than your privacy. This does not happen often, but we may share your information:

• in order to find or stop a crime or fraud
• if there are serious risks to the public, our staff or to other professionals
• to protect a child
• to protect adults who are thought to be at risk for example, if they are frail, confused or cannot understand what is happening to them

For all these reasons the risk must be serious before we can override your right to privacy.

If we are worried about your physical safety ,or feel we need to take action to protect you from being harmed in other ways, we will discuss this with you and, if possible, get your permission to tell others about your situation before doing so. We may still share your information if we believe the risk to others is serious enough to do so. 

There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why if we think it is safe to do so.

Set out below is a list of organisations or bodies and individuals, by way of example, we may need to share your personal information with where this is necessary and required by law.

• Customers, service users and employees
• Representatives of customers, service users and employees
• Legal representatives
• Trade unions
• Current past and prospective employers
• Healthcare, social and welfare organisations
• Educators and examining bodies
• Providers of goods and services
• Data processors
• Local and central government
• Ombudsman and regulatory bodies
• Financial organisations
• Debt collection and tracing agencies
• Credit reference agencies
• Press and the media
• Law enforcement and prosecuting authorities
• International law enforcement agencies and bodies
• Courts and tribunals
• Housing associations, landlords and tenant’s panels
• Charitable, religious and voluntary organisations
• Political organisations
• Elected members including members of parliament
• Survey and research organisations

More specific details are set out on the individual specific service notices at the top of this corporate privacy notice.

How we protect your information

We will do what we can to make sure we hold personal records about you (paper and electronic) in a secure way and we will only make them available to those who have a right to see them. Examples of our security processes include:

• Encryption, meaning that information is hidden so that it cannot be read without special knowledge, such as a password. This is done with a secret code or what is called a “cypher”. The hidden information is said to then be “encrypted”.
• Pseudonymisation, meaning that we will use a different name so we can hide parts of your personal information from view. This means that someone outside of the council could work on your information for us without ever knowing it was you.
• Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
• Training our staff to make them aware of how to handle personal information and how and when to report when something goes wrong.
• Regular testing of technology and upgrading security measures including keeping up to date on the latest security updates, commonly called “patches”.

You can find more information in our security policy by contacting information.management@croydon.gov.uk.

If you think you need to report a suspected data breach this can be done by emailing the Information Management team direct at data.breach@croydon.gov.uk.

Where your information is stored

The majority of your personal information is stored on systems in the UK. There are, however, some occasions where your information may leave the UK either in order to get to another organisation or if it’s stored in a system outside the EU. We will ensure there is additional protection if your personal information leaves the UK and ensure there are robust clauses in the International Data Transfer Agreement (IDTA) with any third party who processes personal information outside the EU.

How long we keep your personal information

We will not keep your personal information for longer than is necessary. Where your information is held for a set period of time this will always be supported by a legal reason. These reasons are set out in our document retention policy. If you wish to see the retention schedule you can send your request to information.management@croydon.gov.uk.

Website privacy provision

We will endeavour to safeguard the privacy of its website visitors. The following information explains our website data processing practice.

Email messages

We are keen to ensure that we are providing our residents with services that they need. Consequently, residents have the opportunity to opt-in to receiving occasional email messages from us on matters that we consider may be of interest to you relating to services we provide.

Information to improve our site

We collect web statistics automatically about your visit to our site based on cookies and your IP address. This information is used to help us track what people are doing on the site so that we can improve it. We do not use this information to identify you as an individual and you will remain anonymous, unless you're asked to identify yourself by completing a form or an online transaction.

Cookies

If you complete our online registration process, or subsequently log in to the site, we will use cookies to remember your preferences during your current visit, and any future visits provided the cookie was not deleted in the interim. Cookies can be deleted at the end of each visit by logging out of the site. Your browser help text will contain information about how to refuse cookies from our site should you wish. Refusing cookies from our site will not affect your ability to perform online transactions, although we will not be able to display content that is relevant to you on certain pages, nor pre-fill forms with your name and contact details where relevant. 

For more information on cookies and related technologies used on this, visit our cookies webpage.

Further information on cookies

Some independent information about cookies:

• Information Commissioners Office (ICO) cookie advice
• www.allaboutcookies.org
• www.aboutcookies.org

Online advertising privacy policy

We display adverts on our website to support the costs of providing online services. These are provided by a specialist public sector advertising agency and there is no cost to the council for displaying these adverts.

The Council Advertising Network is responsible for delivering advertising on this Croydon Council website. Please take a moment to read the Council Advertising Network privacy policy which includes cookie information and details on how to opt out.

Contact

Please contact the Information Management team at Information.Management@croydon.gov.uk to exercise any of your rights under GDPR, or if you have a complaint about the information we have collected, how it used, who we share it with, why we share it and how long we will keep it for.

You can contact the Data Protection Officer, Abimbola Dongo, at DPO@croydon.gov.uk.  

Croydon Council, 
Bernard Weatherhill House, 
8 Mint Walk, 
Croydon, 
CR0 1EA

Or call 0208 726 6000 ext.: 22635.

You also have rights to lodge a complaint with the Information Commissioner’s Office Information Commissioner or call 0303 1231 113.