Privacy Notice and Data Protection

Data Controller: The London Borough of Sutton 
Data Protection Officer: dpo@sutton.gov.uk

Purposes of the processing

Including but not limited to:

  • Maintaining our own accounts and records
  • HR functions
  • Promoting services we provide
  • Administration of services we provide
  • Managing our property
  • Providing leisure and cultural services
  • Provision of adult education
  • Carrying out surveys and consultations
  • Collection of taxes and other revenue including benefits and grants
  • Licensing and regulatory activities
  • Local fraud initiatives
  • The provision of adult social services
  • Crime prevention and prosecution of offenders, including the use of CCTV
  • Use of CCTV for public safety and traffic management
  • Corporate administration
  • Administration and enforcement of parking regulations and restrictions
  • Internal financial support and corporate functions
  • Managing archived records
  • Debt administration
  • Management of information technology systems
  • Information administration
  • Public health
  • Management of public relations, journalism, advertising and media
    • Sending promotional communications about the services we provide
    • Buy, sell, promote and advertise our products and services
  • Duty or responsibility of the local authority arising from common or statute law

Description of the categories of data subjects

Including but not limited to:

  • Customers
  • Suppliers
  • Staff and contractors
  • Benefit claimants
  • Benefit recipients
  • Complainants/enquirers
  • Professional advisers and consultants
  • Students and pupils
  • Carers or representatives
  • Landlords
  • Licence and permit holders
  • Traders and others subject to inspection
  • People captured by CCTV images
  • Representatives of other organisations

Categories of personal data processed

Including but not limited to:

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Employment and education details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • Licences or permits held
  • Student and pupil records
  • Business activities
  • Case file information
  • Charitable interests

Special category data:

  • Physical or mental health details
  • Racial or ethnic origin
  • Trade union membership
  • Political affiliation
  • Political opinions
  • Offences (including alleged offences)
  • Religious or other beliefs of a similar nature
  • Criminal proceedings, outcomes and sentences
  • Biometric data
  • Genetic data

Categories of recipients to whom personal data have been or will be disclosed

Where allowed by law, necessary, or required by law, we may share information with:

  • Customers/service users
  • Family, associates or representatives of the person whose personal data we are processing
  • Current, past and prospective employers
  • Healthcare, social and welfare organisations
  • Educators and examining bodies
  • Providers of goods and services
  • Financial organisations
  • Debt collection and tracing agencies
  • Private investigators
  • Service providers
  • Local and central government
  • Ombudsman and regulatory authorities
  • Press and the media
  • Professional advisers and consultants
  • Courts and tribunals
  • Trade unions
  • Political organisations
  • Professional advisers
  • Credit reference agencies
  • Professional bodies
  • Survey and research organisations
  • Police forces
  • Housing associations and landlords
  • Voluntary and charitable organisations
  • Religious organisations
  • Students and pupils including their relatives, guardians, carers or representatives
  • Data processors
  • Other police forces, non-Home Office police forces
  • Regulatory bodies
  • Courts, prisons
  • Customs and excise
  • International law enforcement agencies and bodies
  • Security companies
  • Partner agencies, approved organisations and individuals working with the police
  • Licensing authorities
  • Healthcare professionals
  • Law enforcement and prosecuting authorities
  • Legal representatives, defence solicitors
  • Police complaints authority
  • The Disclosure and Barring Service
  • Charities and not for profit partners

Transfers of personal data to a third country and safeguards

Transfers may take place when:

  • Technical and organisational security measures have been put in place via a contract; or
  • With the consent of the data subject; or
  • Where required by law

Time limits for erasure

In accordance with the Council's Retention Schedule

Technical and organisational security measures

Including but not limited to:

  • Encryption
  • Pseudonymisation
  • Anonymisation
  • Resilience planning including backups
  • Robust security updates including timely patching and anti-virus software
  • User access controls
  • Physical security such as clear desk policy, locking of rooms/cabinets
  • Penetration Testing
  • Risk assessment
  • Data Protection Impact Assessments
  • Staff training
  • Data sharing agreements with processors

Lawful basis for processing

Under Article 6 of the GDPR:

  • Consent
  • Contract
  • Legal obligation
  • Performance of a task
  • Vital interests

Conditions for processing special category data

Under Article 9 of the GDPR:

  • Explicit consent
  • Employment/social security
  • Vital interest
  • Legal claims
  • Substantial public interest
  • Provision of health or social care
  • Archiving

Data Subject Rights available

Under GDPR:

  • Access
  • Portability
  • Erasure
  • Rectification
  • Restriction
  • Object
  • Not subject to automated decision making or profiling