Subject Access Requests, Privacy and Cookies Statements

Privacy notice

This privacy notice tells you how we use and protect your personal information. It covers what personal information we collect from you, why we collect and use it, and who we share it with. 

Personal information

Personal information is any information that can be used to identify a living person, either directly or indirectly. This may include obvious information, such as name and address, or less obvious information, such as IP address or NHS number.

We get personal information from different places, such as when you:

  • open an account or use any of our services
  • use our website
  • communicate with us
  • contact us
  • are referred to us by external services and agencies

The personal information we collect

We only collect your personal information from you or from other sources when we have a clear and lawful reason and purpose for doing so.

When we handle and use your personal information, we adhere to the data protection principles outlined in the London Borough of Bromley (LBB) data protection policy.

Types of personal information we collect:

  • identity (name, date of birth, gender, passport, national insurance number, family details)
  • contact (address, email address, telephone numbers)
  • technical (IP address)
  • social data (lifestyle, housing needs)
  • education (student and pupil records)
  • commercial services data (services used)
  • financial (bank account, payment card, transaction data, salary, benefits)
  • staff records (pensions, appraisals, nationality)
  • visual images, personal appearance and behaviour
  • business activities (employment, licences, and permits held)
  • case file information

We may collect some special or sensitive data from you, when we have a legal reason to do so. This data may include:

  • sexuality and sexual health
  • religious or philosophical beliefs
  • ethnicity
  • physical or mental health
  • trade union membership
  • political opinion
  • genetic/biometric data
  • criminal history

Our legal basis for using your personal information

We collect and use information under one or more of the following legal bases.

  • Legal obligation – we need to process your information to comply with the law
  • Public task – we need to process your information to provide you with council services
  • Public Interest- we need to process your information when there is a significant public interest in doing so
  • Contract – we need to process your information as part of a contract such as contract of employment.
  • Vital interest – we need to process you information to protect someone’s life in an emergency.
  • Consent – we need your permission to use your information

Where we require consent to use your information, we will make it clear that consent is required and explain how to go about withdrawing your consent.

We will only use your personal data for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original use and purpose. 

Why we collect and use your personal information

Personal information is collected to enable the Council to provide a range of services to local people and businesses as required to fulfil our duties under UK legislation, statutory or contractual requirement or obligation. This includes:

  • maintaining our own accounts and records
  • supporting and managing our employees current past and prospective employees and persons contracted to provide a service
  • promoting the services we provide
  • marketing our local tourism
  • carrying out health and public awareness campaigns
  • ensuring Trading Standards
  • managing our property
  • providing leisure and cultural services
  • provision of education
  • carrying out surveys
  • administering the assessment and collection of taxes and other revenue including benefits and grants
  • licensing and regulatory activities
  • provision of planning and building control
  • local and national fraud initiatives
  • the provision of social services
  • provision of housing services
  • provision of library services
  • crime prevention and prosecution of offenders including the use of CCTV
  • corporate administration and all activities we are required to carry out as a data controller and public authority
  • undertaking research
  • the provision of all commercial services including the administration and enforcement of parking regulations and restrictions
  • the provision of all non-commercial activities including refuse collections from residential properties
  • internal financial support and corporate functions
  • managing archived records for historical and research reasons
  • data matching under local and national fraud initiatives

If you fail to provide the personal data, the Council may not be able to deliver accurate services to you and may take action if it is required to do so by law.

Who we share information with

Once your information has been collected by the council, it may be used by other council departments, where necessary, to provide a complete service to you.  Your privacy is respected and we do not sell your personal information.  We only share your information where there is a lawful or legitimate reason to do so.

We may share your information with:

  • companies that work on our behalf
  • customers, service users and employees
  • representatives of customers, service users and employees
  • legal representatives
  • trade unions
  • current past and prospective employers
  • healthcare, social and welfare organisations
  • educators and examining bodies
  • providers of goods and services
  • data processors
  • local and central government
  • ombudsman and regulatory bodies
  • financial organisations
  • debt collection and tracing agencies
  • credit reference agencies
  • press and the media
  • law enforcement and prosecuting authorities
  • international law enforcement agencies and bodies
  • courts and tribunals
  • housing associations, landlords and tenants panels
  • charitable, religious and voluntary organisations
  • political organisations
  • elected members including members of parliament
  • survey and research organisations

London Care Record

The Council may also share your personal data with health as social care partners as part of the London Care Record initiative.

Public funds and fraud

The Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of crime.

We may also share this information with other bodies that are responsible for auditing or administering public funds including the Public Sector Audit Appointments Ltd, National Audit Office, Financial Reporting Council, Cabinet Office, Department for Work and Pensions, and other local authorities, HM Revenue and Customs, and the Police.

In addition to undertaking our own data matching to identify errors and for the purpose of assisting the prevention and detection of fraud we are required to take part in national data matching exercises undertaken by the National Fraud Initiative.

How long we keep your personal data

We'll only keep your personal data for as long as we need to. To decide how long we must keep your information, we follow our retention schedule.

You can find more details in the privacy notice for each service about how long we store your data before it is securely disposed of. 

Information Security and Sovereignty

The Council employs best practice security measures to safeguard your data, aligned with guidance from the National Cyber Security Centre (NCSC). These measures include robust technical, procedural, and organisational controls designed to protect against unauthorised access, loss, or misuse of your personal information.

We do not knowingly transfer your personal data outside of the European Economic Area (EEA) unless such a transfer complies with applicable data protection laws, the legal purpose for processing, or is permitted under contract or sharing arrangement. Where permitted any transfer of your information will only occur where adequate safeguards are in place to ensure the security of your data and compliance with legal requirements. This includes relying on mechanisms such as Standard Contractual Clauses or ensuring that the transfer is to a jurisdiction deemed to provide an adequate level of data protection under EU law.

Your rights

You (data subjects) have rights under data protection laws to control what information you provide to us and what we can do with it. More details on your full rights under data protection law can be found on ICO website ico.org.uk

How we tell you about your data

This is your right know about how your data is being processed, who it is given to, for what purpose and anything else that guarantees your rights. This is sometimes referred to as a privacy notice or a fair processing notice. This web page provides a summary and both the Record of Processing Activities and the links to the service specific privacy notices gives further details. When you are provided information the Council will ensure that you have access to a privacy notice.

You can ask for access to the information we hold on you

You can ask for the information we have about you. This is called a Subject Access Request.

Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests as described under the ICO’s SAR code of practice. In this case, we will notify you and keep you updated within the month deadline.

In most cases we cannot charge you a fee to comply with a subject access request. However, where the request is considered manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request. We may also charge a reasonable fee if you request further copies of your data following a request. We would base this fee on the administrative costs of providing further copies.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of the other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. As we are a large organisation with multiple departments and systems, we may also contact you to ask you for further information in relation to your request to help locate the information you have asked for. 

How to make a Subject Access Request for the information we have about you.

Additional Rights

Unless subject to an exemption under current data protection laws, you have the following additional rights with respect to your personal data dependant on our lawful basis for processing:

  • to request that we rectify any factual data if it is found to be inaccurate or out of date;
  • to request that your personal data be erased in certain circumstances;
  • to withdraw any consent to processing which you have given;
  • to request restriction of processing in certain circumstances;
  • to ‘personal data portability’ i.e. to request a transfer of your personal data;
  • to object to processing in certain circumstances;
  • to complain to the council and to the Information Commissioner.

There are restrictions on decisions based solely on automated means without any human involvement. Also there are restrictions on profiling.

If we do this, we must notify you and give you the opportunity to request a review of the decision or to challenge it. We rarely use automated processing or profiling. If we do, we will explain why in the privacy statement for the service. 

Contact

The London Borough of Bromley is required to appoint a Data Protection Officer (DPO), who is responsible for monitoring our compliance with data protection legislation and advising on our data protection obligations.

If you have any questions or worries about how the council collects or uses your personal information you can email the Data Protection Officer at data.protection@bromley.gov.uk 

For independent advice about data protection and privacy, you can contact the Information Commissioner’s Office (ICO). The ICO oversees how organisations comply with data protection legislation in the UK.

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit the ICO website or email ICO 

Visitors to our websites

When someone visits our website we collect routine internet log information, which allows us to see visitor behaviour patterns. We do this to determine which pages are being viewed as this assists us in improving our website. 

Internet log information is collected in a way which does not allow us to identify you and we do not make any attempts to find out the identities of individuals visiting our site.

Website Cookies

Our use of cookies is detailed on our Cookies page.

External links

This website contains external links to third party sites. Our privacy policy applies only to information collected by or on behalf of the London Borough of Bromley. When you are transferring to another site you should read their privacy statement on the use of your information before submitting any personal details.

Updating this privacy notice

We will update this privacy notice when how we collect and use your information changes. We encourage you to check this privacy notice before providing us with any personal information.

Contact Data Protection Officer

Address: Civic Centre, Stockwell Close, Br1 3UH

Contact Information Commissioner

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Specific service privacy notices