Privacy statement

This is an overview of how Kent County Council makes sure you understand how we use your personal information. The law requires us to provide information about who we are, how to contact us, the purpose for which your personal data is used and who we share it with.

To understand how your own personal information is processed refer to any personal communications you have received, check the privacy notices for the service or contact the service directly to ask about your personal circumstances.

The council provides a range of statutory and other services to local people and businesses and collects personal data for many purposes, so this general statement explains how we make sure you have the information you need at the point it is collected. Each service that collects personal data therefore provides a separate Privacy Notice to explain the purpose and legal basis for that service.

See privacy notices for Kent County Council's services

Who we are

Kent County Council is registered as a data controller with the Information Commissioner’s Office (Reg. No. Z5297748) and is regulated under the General Data Protection Regulation 2016. Our Data Protection Officer is Benjamin Watts.

The personal information we collect and use

Information collected by us

Our services either collect personal information directly from you or receive it from third-parties. We only receive your personal data from outside agencies or third- parties where there is a sound legal basis and purpose for doing so.

When gathering and using personal information, we will comply with the data protection principles, as set out in the KCC data protection policy  . Depending on the needs of the service and the purpose of processing, we may collect some or all of the following types of information:

  • Identity (name, date of birth, gender, passport, national insurance number, family details)
  • Contact (address, email address, telephone numbers)
  • Technical (IP address)
  • Social data (lifestyle, housing needs)
  • Education (student and pupil records)
  • Commercial Services data (services used)
  • Financial (bank account, payment card, transaction data, salary, benefits)
  • Staff records (pensions, appraisals, nationality)
  • Visual images, personal appearance and behaviour
  • Business activities (employment, licences and permits held)
  • Case file information

Under certain circumstances we may need to collect and process the following special categories of personal data:

  • medical (physical or mental health details)
  • racial or ethnic origin
  • trade union membership
  • political affiliation
  • political opinions
  • offences (including alleged offences)
  • religious or other beliefs of a similar nature
  • genetic data or biometric data
  • sexual orientation

We recognise that personal information concerning criminal convictions and offences is not special category personal data but is a very sensitive type of personal information which can only be shared in narrow circumstances.

Reasons we collect and use your personal information

We may need to use some information about you to:

  • deliver and manage the services and support we provide to you;
  • respond to enquiries or complaints
  • train and manage employees or volunteers who deliver those services;
  • control spending on services;
  • monitor the quality of our services; and
  • research and plan new services

For the Council to be able to process your personal information we need to demonstrate that we have a lawful basis for doing so. Each service is responsible for setting out the purpose and legal basis of their processing of your personal data.

The table below provides examples of some of our purposes for processing data and their lawful bases. This is by no means comprehensive. Please refer to the specific service privacy notice for more detailed information.

Purpose/ActivityType of DataLawful basis for processing including the basis of any legitimate interest grounds
To register you as a customer/complainanta. Identity
b. Contact

For a customer:

  • consent of the data subject, or performance of a contract with you, or
  • necessary for the performance of a task carried out in the public interest.

For a complainant:

Necessary for the performance of a public task in the public interest

To manage payment, fees and charges

To collect money owed to us

a. Identity
b. Contact
c. Financial

Performance of a contract with you

Necessary for the performance of a task in the public interest

Necessary to comply with a legal obligation

To administer and protect our website (including data analysis, testing, system maintenance, support)a. Identity
b. Contact
c. Technical
Necessary for our legitimate interests (provision of administration and IT services, network security, to prevent fraud)

Provision of education and education support services

a. Identity
b. Contact
c. Social Educational records
d. Special category
e.case files

Necessary to comply with a legal obligation

Necessary for the performance of a task in the public interest

For special category: Necessary for carrying out the obligations and rights of the individual or the data controller in the social protection law field

Data matching under local and national fraud initiativesa. Identity
b. Contact
c. Financial
d. Business Activities

Necessary to comply with a legal obligation

Licensing and regulatory activities

a. Identity
b. Contact
c. Business activities

Necessary to comply with a legal obligation

Provision of social services

a. Identity
b. Contact
c. Social
d. Education
e. Financial
f. Special category
g. Criminal
h. Case files

Necessary to comply with a legal obligation

Necessary for the performance of a public task in the public interest

For special category: Necessary for the establishment, exercise or defence of legal claims whenever Courts are acting in their judicial capacity

Necessary for the delivery of health and social care services

Processing is necessary for the purposes of social protection law

Necessary for reasons of substantial public interest (safeguarding of children and individuals at risk)

Provision of Early Help Services (including family support, youth justice, inclusion and attendance)a. Identity
b. Contact
c. Social
d. Education
e. Financial
f. Special category
g. Criminal
h. Case files

Necessary to comply with a legal obligation (youth justice and attendance enforcement)

Necessary for the performance of a public task in the public interest (family support)

For special category: Processing is necessary for the purposes of social protection law

Necessary for reasons of substantial public interest (safeguarding of children and individuals at risk)

Crime prevention and prosecution offenders including the use of CCTV (under the Law Enforcement Directive)

a. Identity
b. Contact
c. Business activities
d. Visual images, personal appearance and behaviour
e. Special categories
f. Criminal

Necessary for the performance of a task carried out in the public interest for the purposes of the prevention, investigation, detection or prosecution of criminal offences

For special category: Necessary for the establishment, exercise or defence of legal claims whenever Courts are acting in their judicial capacity

Promoting the services we provide

a. Identity
b. Contact
c. Technical

Consent of the data subject

Necessary for the performance of a public task in the public interest

Marketing our local tourism and events

a. Identity
b. Contact
c. Technical

Consent of the data subject

Necessary for the performance of a public task in the public interest

Carrying out health and public awareness campaigns

a. Identity
b. Contact
c. Technical

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

Managing our property

a. Identity
b. Contact
c. Business activities
d. Financial

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

Necessary for the performance of a contract

Providing leisure and cultural services

a. Identity
b. Contact
c. Special category

Consent of the data subject

Necessary for the performance of a public task in the public interest

For special category: Explicit consent of the data subject to process their special category data

Undertaking surveys, focus groups and/or depth interviews. We do this to help us to understand the needs of our service users and how they feel about the services that we providea. Identity
b. Contact
c. Technical
d. Special category
e. Education
f. Commercial services
g. Staff records
h. Business activities

Necessary for the performance of a public task in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment)

Necessary for statistical purposes

Consultationsa. Contact
b. Technical
c. Special category

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment)

Equality Monitoringa. Contact
b. Technical
c. Special category

Necessary for the performance of a public task in the public interest

Necessary to comply with a legal obligation

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment)

Statistical research/ analysis a. Identity
b. Contact
c. Special category
d. Education
e. Commercial services
f. Staff records

Necessary for the performance of a public task in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for historical research or statistical purposes

Necessary for reasons of legitimate interest (to evaluate our commercial operations)

Necessary for reasons of substantial public interest (necessary for statutory and government purposes and/or to enable equality of opportunity or treatment)

Necessary for archiving purposes, scientific or historical research purposes or statistical purposes

To contact you to ask you to participate in a research survey and/or qualitative research carried out by universities, e.g. as part of a government funded evaluation of the impact of national policies on the quality of public servicesa. Identity
b. Contact
c. Special category
d. Commercial services

Necessary for third party legitimate interests for the purpose of facilitating university research

Necessary for the performance of a task carried out in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for historical /statistical purposes.

Automated processing - profilinga. Identity
b. Contact
c. Special category

Necessary for the performance of a public task in the public interest

For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for statistical purposes.

The provision of all commercial services both for staff and public accessa. Identity
b. Contact
c. Special category
d. Financial
e. Commercial services data

Necessary for our legitimate interests to ensure the public receive an efficient and effective service

Necessary for the performance of a contract

For special category:

the data subject has given explicit consent.

Necessary for carrying out the obligations and rights of the individual or the data controller in the employment field

Substantial public interest (preventing or detecting unlawful acts, protecting the public against dishonesty, equality of opportunity, preventing fraud)

Necessary for occupational health assessment purposes

CCTV

a. visual images, personal appearance and behaviour

Necessary for the legitimate interests of us or a third party

Necessary for the performance of a public task in the public interest

Managing archived records for historical and research reasonsa. Identity
b. Contact
c. Special category

Necessary for the performance of a public task in the public interest

For special category: Necessary for archiving purposes, scientific or historical research purposes or statistical purposes

Administering the assessment and provision of grants

a. Identity
b. Contact
c. Financial
d. Business activity

Necessary for the performance of a public task in the public interest

Performance of a contract with you

County Councillor enquiriesa. Identity
b. Contact
c. Technical
d. Special category
e. Education
f. Commercial services
g. Staff records
i. Business activities

Necessary for the performance of a public task in the public interest

For special category:

Substantial public interest (elected representative responding to requests)

We may use your personal information where necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Occasionally it may be necessary to provide certain information to us e.g. for us to provide a service to you or to comply with one of our legal duties. We will let you know if this is the case and the possible consequences of not giving us the information we ask for.

How long your personal data will be kept

We will only hold your personal information for as long as necessary. To work out how long we need to keep your information for we use our retention schedule. You will be informed in the service specific privacy notice of how long your data will need to be kept prior to secure disposal.

Who we share your personal information with

Your personal information may be shared with internal departments or with external partners and agencies involved in delivering services on our behalf. However, we will only share information with organisations who will also comply with appropriate data protection laws. You will be informed in the service specific privacy notice of who your data may be shared with, if at all.

Sharing of information is crucial to the successful delivery of local services. The GDPR specifically recognises that “data protection” should not be an excuse to prevent proper sharing of personal data. The Kent and Medway Information Sharing Agreement (KMSA) provides a framework to enable a number of organisations and public bodies across Kent and Medway to share personal information. The Agreement reflects the requirements of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018).

The following are examples of third parties who we may need to share your information with if appropriate:

  • family, associates or representatives of the person whose personal data we are processing
  • current past and prospective employers
  • healthcare, social and welfare organisations
  • educators and examining bodies
  • financial organisations
  • debt collection and tracing agencies
  • private investigators
  • good and service providers
  • local and central government
  • ombudsman and regulatory authorities
  • press and the media
  • professional advisers and consultants
  • courts and tribunals
  • trade unions
  • political organisations
  • credit reference agencies
  • professional bodies
  • survey and research organisations
  • police forces including non-home office police forces
  • housing associations and landlords
  • voluntary and charitable organisations
  • religious organisations
  • students and pupils including their relatives, guardians, carers or representatives
  • data processors
  • customs and excise
  • international law enforcement agencies and bodies
  • security companies
  • partner agencies, approved organisations and individuals working with the police,
  • licensing authorities
  • healthcare professionals
  • law enforcement and prosecuting authorities
  • legal representatives, defence solicitors
  • police complaints authority
  • the disclosure and barring service
  • university students undertaking research as part of their coursework, dissertation or thesis

KCC does not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.

We only share your information where we have a legal basis to do so, for example where

  • we take an individual into care; or
  • the court orders us to do so.

Transfer outside of the EEA

We may transfer your information outside of the European Economic Area (EEA). You will be informed in the service specific privacy notice if your information is to be transferred outside of the EEA in this way.

Such countries do not necessarily have the same data protection laws as the United Kingdom and EEA. If we do transfer information outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll use one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Learn more on the European Commission Justice website.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA. Read more about this here on the European Commission Justice website,
  • Transfer it to organisations that are part of     Privacy Shield. This is a framework that sets privacy standards for data     sent between the US and EU countries. It makes sure those standards are     similar to what is used within the EEA. The     European     Commission has given a formal decision that the United States does have an     adequate level of data protection (within the EU-US Privacy Shield     framework).

You can find out more about data protection on the European Commission Justice website.

If you would like further information, please contact us (see our ‘how to contact us’ section below). We will not otherwise transfer your personal data outside of the United Kingdom or EEA.

How we use your information to make automated decisions

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. (e.g. monitoring your online activities or events which trigger actions such as sickness triggering a capability policy and profiling). This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the services we may offer you now or in the future.

We are allowed to use automated decision-making in the following circumstances:

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information we must have either your explicit written consent or it must be justified in the public interest, and we must put in place appropriate measures to safeguard your rights.

Tailoring services

We make decisions about how and where services are delivered by looking at the needs of our services users as a whole, and by understanding as much about them as possible in terms of their demographics (e.g. age, gender, disabilities etc) and lifestyle.

One of the ways that we do this is to create profiles using software that uses your address details to place you in one of a number of groups that describe the social characteristics and lifestyles of the UK population as a whole.  These segments have been created by external companies that provide the software that we use.  We analyse the profiles of our service users as a whole and compare it to the profile for the Kent population. Carrying out this type of analysis helps us to manage the planning and delivery of our services more effectively.

No decisions about an individual’s access to a service are made using these tools, as each service uses its own tailored assessment processes where these are required. We do not share the profiles of individual service users with any other organisation or business other than those acting as data processors on our behalf.

Market and social research surveys and qualitative research

To help us to understand the needs of our service users, we will from time to time carry out market research surveys and qualitative research (such as Focus Groups and Depth Interviews) amongst our service users, their families, and/or the adults who are responsible for them. Carrying out market research helps us to make better decisions about what services to deliver and where they are needed, by understanding the needs of our service users. You will be informed in the service specific privacy notice if this applies to your personal information.

We may contact you to ask you whether you are willing to participate in a market research survey and/or qualitative research.  Your decision about whether or not to participate in the research will not affect the services that you receive from Kent County Council. We may ask a market research agency and/or independent qualitative researcher to undertake the research on our behalf.  Any third party that we use (including online survey tools such as Snap Surveys) will be acting on our behalf as our data processor and will adhere to the data protection regulations.  Your details will not be used for direct marketing purposes.

We are sometimes contacted by University students wanting to carry out research amongst our service users and/or staff, as part of their coursework, dissertation or thesis. All such applications are subject to our Research Governance Approval process, which includes approval from the relevant ethics committees (such as the Health Research Authority) where appropriate.

Our website

We collect certain information or data about you when you use kent.gov.uk. We collect:

  • questions, queries or feedback you leave, including your name, postcode and email address
  • details of which version of web browser you used and other information about your device
  • information on how you use the site, using cookies and page tagging techniques.

For more information on cookies and related technologies used on this site, and how to disable them read our cookie policy.

The data we collect on this site can be viewed by authorised people in Kent County Council as well as our suppliers, to:

  • improve the site by monitoring how you use it
  • gather feedback to improve our services
  • respond to any feedback you send us, if you’ve asked us to
  • allow you to access council services and make transactions
  • provide you with information about local services if you want it

Storing your website data

We store your data on secure servers in the EEA. Sending information over the internet is generally not completely secure, and we can’t guarantee the security of your data while it’s in transit. Any data you send is at your own risk. We have procedures and security features in place to keep your data secure once we receive it.

Links to other websites

Kent.gov.uk contains links to other websites. This privacy statement only applies to kent.gov.uk and doesn’t cover other services and transactions that we link to. These services will have their own terms and conditions and privacy policies. If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.

Online forms (also known as “e-forms”)

In order to provide certain services or activities, we need to be able to collect information from individuals and organisations. We use software provided by Firmstep, Snap, GovMetric and UserZoom to create these online forms.  These companies are acting as data processors for Kent County Council and only process personal information in line with our instructions. Each individual form will have its own Privacy Notice.

Reliance on UK exemptions from GDPR

KCC may process information in reliance on the exemptions under the Data Protection Act where allowed (for example where the personal data is processed and a claim to legal professional privilege would apply; in relation to the provision of confidential references; or where personal data is processed for the purposes of management forecasting (to the extent that such activity would be prejudiced by advance notification).

Your rights

Under the GDPR you have rights which you can exercise free of charge that allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (known as a Subject Access Request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioners Office
  • where we process information based on your consent, you have the right to withdraw your consent at any time

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways

We will always seek to comply with your request, however, we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

You may not, however, have the right to object to the Council using your personal data for statistical purposes where it is necessary for the performance of a public task carried out for reasons in the public interest.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) under GDPR.

If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedule. If KCC needs to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures. If sending us such information we recommend using our secure online forms where provided, or the postal service.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Contact

Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of these rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk or by writing to Data Protection Officer, Sessions House, County Hall, Maidstone, Kent ME14 1XQ

You also have the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner.