Customer feedback privacy notice
Last updated on 21 March 2022.
Who we are
Kent County Council provides a range of government services to local people and businesses and needs to collect, use and process personal data to deliver these services.
Kent County Council (KCC) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (‘UK GDPR’) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.
Personal information we collect and use
Information collected by us
In the course of responding to Customer Feedback we collect the following personal information when you provide it to us:
- name and contact details, including address, phone number, email address and preferred contact method
- equalities data - ethnicity, religion, sexuality, disability or if you are a carer
- session cookies if you submit your feedback via our online form - these help to maintain your place in the online form as you complete it
- IP address if you submit via our online form; this helps us prevent cyber attacks
You can also submit feedback anonymously without supplying any of the above information, however we will not be able to keep you updated with progress of any investigations we may make as a result of your feedback.
You do not need to submit any equalities information in the ‘About you’ section if you do not want to. KCC is committed to the principle that all our customers have the right to equality and fairness in the way they are treated and in the services that they receive. Any information you do give will be used to see if there are any differences in views for different groups of people, and to check if services are being delivered in a fair and reasonable way. No personal information which can identify you, such as your name or address, will be used in producing equality reports. We will follow our Data Protection policies to keep your information secure and confidential. Your equalities data supplied in the ‘About You’ section will be anonymised before your feedback is sent to other teams.
How we use your personal information
We use your personal information to investigate your complaints, enquiries or comments. This may include requesting comments from third parties who are commissioned by the Council and may have been responsible for delivering a service on our behalf.
We may use your complaint to help train staff in how to investigate and respond appropriately to complaints. In these cases, we will remove any information that may identify you and amend various details to ensure that you will not be identified beyond the trainers. Trainers will always be Kent County Council staff.
How long your personal data will be kept
We will hold your personal information for:
- in the majority of cases for a maximum of 6 years
- 2 years for compliments.
Exceptions will be applied in the following cases:
- children in care – records will be kept either until 75 years after the child’s birth, or if the child dies before the age of 18, for 15 years from the date of death
- approved foster carers (including relatives, friends or connected persons granted temporary approval under Regulation 24 of the Care Planning, Placement and Case Review (England) Regulations 2010) – records will be kept for at least 10 years from the date on which their approval is terminated
- adoption records where an adoption order is made – records will be kept for at least 100 years from the date of the adoption order
- adoption records where an adoption order is not made – in cases where the child is looked after by the council records will be retained until 75 years after the child’s birth
- child protection assessments/ referrals/ children in need/ serious case reviews – records will be kept until 25 years after the child’s birth, or if the child dies before the age of 18, for 6 years from the date of death.
In these cases a copy of the complaint and its conclusion may be kept with the social care record to ensure that we comply with the data retention period.
Whilst the general principle is that information obtained about children must be shared with them and not with others, there are exceptions. The public interest in child protection overrides the public interest in maintaining confidentiality and the law permits the disclosure of confidential information necessary to safeguard a child or children. Effective information-sharing underpins integrated working and is a vital element of both early intervention and safeguarding.
Disclosure should be justifiable in each case, for example to provide information to professionals from other agencies working with the child, and where possible and appropriate, the agreement of the person concerned should be obtained.
Those working with children must make it clear that confidentiality may not be maintained if the disclosure of information is necessary in the interests of the child. Even in these circumstances, disclosure will be appropriate for the purpose and only to the extent necessary to achieve that purpose.
Reasons we can collect and use your personal information
We rely on ‘processing is necessary for the performance of a task carried out in the public interest’ as the lawful basis on which we collect and use your personal data.
The provision of contact details, including name, address or email address is required from you to enable us to respond to your complaints, enquiries and comments.
If you do not provide your contact details, we will not be able to keep you updated with progress of any investigations we may make as a result of your feedback.
We rely on processing is necessary for reasons of substantial public interest as the lawful basis on which we collect and use your special category data for statutory purposes (e.g. when investigating your complaint) or for equalities monitoring, (e.g. when identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people with the view to enabling such equality to be promoted or maintained.)
We may use your complaint to help train staff in how to investigate and respond appropriately to complaints. In these cases, we will remove any information that may identify you and amend various details to ensure you will not be identified beyond the trainers.
Where you give us information regarding your health because you require a reasonable adjustment to access our service, we will keep this information with your record to ensure that we can communicate with you in the way that you need. In these cases, we rely on explicit consent.
Occasionally processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Occasionally we may process criminal offence data where this is mentioned as part of a complaint. If that is the case, we will rely on the appropriate equivalent conditions in Schedule 1 of the Data Protection Act 2018, namely statutory purposes, legal claims and judicial acts.
We transfer your data to the following countries or organisations outside the UK:
- Amazon Web Services (AWS) using Civica software based in the EU.
As we transfer your data to AWS (in the EU) we rely on UK GDPR Article 45 which states that this transfer may take place where there are ‘adequacy regulations’ determining that data is adequately protected by the laws in that country. A copy of this decision can be found in section 102 of Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (2019/419).
Who we share your personal information with
We routinely share your feedback with those who may need to help us respond to your feedback. In some cases that may include your name and contact details. Your equality data submitted in the ‘About You’ section will be kept anonyomised.
We may share your personal data with:
- services within the council who can respond to your feedback
- NHS where a complaint relates to health and social care services and is being considered by both agencies
- third party suppliers who are commissioned by the council to deliver services that you have provided feedback about.This may include Care Homes, Waste and Highway Contractors, Schools, Public Health Contractors, Academies, NHS, GEN2, The Education People, Cantium Business Solutions and district and borough councils
- Members of Parliament or an advocate, if you have asked them to act on your behalf
- Local Government and Social Care Ombudsman or the Information Commissioner’s Office, if you have requested that they investigate your complaint.
This data sharing enables them to investigate any proportion of your feedback that relates to a service that they provide on our behalf.
We will share personal information with law enforcement or other authorities if required by applicable law.
There may also be situations where third parties have a statutory right of access to the information or where a court order requires that access be given.
Under GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under GDPR.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Please contact the Information Resilience and Transparency Team at firstname.lastname@example.org to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at email@example.com, or write to: Data Protection Officer, Sessions House, Maidstone, Kent ME14 1XQ.