FAQ's - How personal information is used

1. Why does the Council need my personal information? 
2. How does the Council use my personal information?
3. Do all Council services require the use of my personal information?
4. What personal information does the Council hold about me?
5. How does the Council collect information about me?
6. How will the Council inform me about its use of my personal information?
7. Does the Council need my consent to use my personal information?
8. If the Council doesn’t need my consent, how will I know that it is processing my personal information?
9. Are there any circumstances when the Council is not required to inform me about its use of my personal information?
10. Does the Council share my information internally between departments and if so why?
11. Who does the Council share my personal information with any why?
12. How long does the Council keep my information for?
13. How does the Council keep my information safe?
14. Links to External websites
15. Is the Council registered with the Information Commissioners Office?
16. Does the Council have a Data Protection Officer?
17. Where can I get independent advice from?

1. Why does the Council need my personal information?

The Council delivers a wide range of services to its citizens and customers. If you live within Rhondda Cynon Taf, own/run a business, visit the County Borough, browse our website and/or receive a service from us, it is likely that we will request personal information from you and process this information in order to deliver services to you, or on your behalf. Lots of the services that we provide are based upon us having a statutory duty to do so (i.e. service we are required to provide by a Law or a Regulation), but there are some non-statutory services as well.

In order to deliver our statutory duties and non-statutory services, it is necessary for us to collect and process your personal information. Regardless of whether we have a statutory duty to deliver a service or not, when we collect and use personal information about you we must make sure that you know what we intend to do with it and who it may be shared with. 

Transparency is very important to the Council, and we aim to be open, honest and upfront with you about how we use your personal information. The Council believes that if you are well informed and know from the outset what information is held about you, how it will be used, for what purpose or purposes and who it may be shared with, then you should be more confident that your privacy is protected and there should be no surprises.

2. How does the Council use my personal information?

How the Council uses your personal information depends on the services you receive. These may include statutory and non statutory services such as: 

• To respond to a request for information or support
• Collecting information from you in order to administer your council tax payments;
• Helping you to apply for Housing Benefits;
• Delivering a wide range of educational services to individuals of all ages across the County Borough;
• Providing advice and support through our social services for adults and children;
• To manage and administer your membership of the Council’s Leisure for Life scheme; and
• Making a booking to visit an attraction within the County Borough such as a Theatre or the LidoPonty for example.
• If you own/run a business in RCT, you may have provided us with your personal contact information in relation to a business matter. For example, if you are a Sole Trader, Child Minder, your personal information will be linked to your business in relation to business rates, grant applications, health and safety).
• Research and Reporting – analysis of your information may also be used by us and our partner organisations to produce reports that will help us identify needs of our service users and how we can improve our services on a Regional and National level.

When providing these services we will request and use your personal information to:

• understand your needs and provide you with the right level of service in the right place and at the right time
• maintain a record of the services we provide to you
• keep in touch with you about the services you receive
• fulfil our legal obligations as a Council

3. Do all Council services require the use of my personal information?

No – not all services.  For example, we wouldn’t need your personal information to deal with a general enquiry such as providing you with information about swimming pool opening times or registered child care providers in RCT.

Our promise to you:     If we don’t need your personal information to provide you with a service, we won’t ask for it.   Where personal information is required to provide you with a service, we will only collect and use the minimum amount of personal information that we need for that purpose.

4. What personal information does the Council hold about me?

The information held will vary depending on the service(s) you receive. For the vast majority of services we will hold basic information such as your name, address, date of birth and contact details to enable us to identify you and provide you with the right service.

In some instances we may also request and process more sensitive information about you. For example, if you are receiving a care service, then it is likely that we will require information in respect of your health and medical history.

If you receive specific services from the Council, then you can find out more about the type of information that is held and what we do with it.

5. How does the Council collect information about me?

The Council collects information about you from a number of sources:

• Your information may be provided to us by you, for example on an application or claim form, or during a conversation with a member of staff as part of an assessment, enquiry or complaint.
• Information about you may be provided to us by other organisations or agencies, for example if an organisation has a legal or statutory duty to share certain information with us such as a concern in respect of safeguarding.
• The Council may also generate its own information about you, for example when undertaking an assessment of your needs and making a decision based upon that assessment.

6. How will the Council inform me about its use of my personal information?

The Council is committed to being open and honest with you about the use of your personal information. In addition to the information contained within this section, Service Privacy Notices are available for you. These provide you with the detail that is relevant to each of the services you receive from us.

During the course of your contact with us, you will also see that this information will be communicated to you in different ways. This may include:

• Verbal information – when you speak to staff in person or on the telephone.
• In writing - on application / assessment forms, leaflets, letters and other printed correspondence.
• Signage – at our Council offices and buildings in respect of the use of CCTV for example.

7. Does the Council need my consent to use my personal information?

The Council does not need your consent to process your personal information for the vast majority of services it provides. This is because we have a statutory duty and/or are required by law to provide you with these services and to process your information in a certain way.

However, for non-statutory services where you have a clear choice about the Council’s use of your information, your consent may be required. If we rely on your consent to process your personal information we will ensure that:

• We will make the request for consent prominent and separate from other terms and conditions;
• We will ask you to positively opt in;
• We will not use pre-ticked boxes or any other type of default consent;
• We will use clear, plain and easy to understand language;
• We will specify why we want the information and what we are going to do with it;
• We will ensure that you can refuse consent without detriment;
• We will avoid making consent a precondition of service;
• We will make it easy for you to withdraw your consent at any time; and
• We will ensure that you can exercise your information rights  in relation to consent.

8. If the Council doesn’t need my consent, how will I know that it’s processing my personal information?

Even though we don’t always need your consent to process your personal information we still need to be open and honest with you about the way we use your personal information. As mentioned above, we do this in a variety of ways depending on how you contact us, the services you receive and how those services are provided. In order to understand this better, you are encouraged to review any  Service Privacy Notices that are relevant to you.

9. Are there any circumstances when the Council is not required to inform me about its use of my personal information?

Yes. There are some limited circumstances where the law permits the Council not to inform you about specific instances where it processes your personal information. This typically includes personal information that is being used to prevent, detect and/or investigate a crime or fraud, and where the knowledge of that processing for that purpose would jeopardise any potential outcome.

For example, a person is being investigated for fraud. If, from the outset, informing the person about the suspected fraud is likely to prejudice the investigation (for example because it would make it difficult for the Council to collect evidence to prove the fraud) the law permits us to process the information for this purpose without notifying the individual of the investigation.

The Council’s decision not to notify a person about the processing of its personal information is decided on a case by case basis, taking into account the specific circumstances of the case.

10. Does the Council share my personal information internally between services and if so why?  

Yes. The Council may share your information internally between services for a number of reasons. The most common are listed below.

To provide you with services

To ensure that the Council provides you with an efficient and effective service we will sometimes need to share your information between the teams that support the delivery of the service you are receiving, to arrange a response to your request, to determine if you are eligible for any Council schemes/grants that may benefit you/your household. The information we share and which teams we share your information with will vary depending on the services you receive.

Further information on who we share information with for the delivery of specific services can be found in the service privacy notice.

To create a single view and to keep your information accurate and up-to-date

In order for the Council to provide you with efficient and effective services it is important that we co-ordinate what we do for you properly and have good record keeping in place. 

Your basic customer record consists of your name, address, date of birth, contact details, a brief summary of your contact with the Council, an indicator of the services used, and a unique customer reference number. Where possible this information is linked and shared across Council services to ensure that our records about you are kept accurate and up-to-date. By sharing this information it makes it easier for you to do business with the Council, for example if you move house or update your phone number you can tell us once and this information will be shared with other relevant services on your behalf where possible.

To prevent or detect fraud and protect the public purse

The Council has a legal duty to protect the public funds it administers and to prevent / detect fraudulent activity. Personal information may be shared internally within the Council for this purpose.

View further information on the Councils Fraud Investigation work

To better understand customer needs and to improve services

As a Council we are constantly looking at ways of improving how we provide services to our residents and service users. The information you provide us with helps us to create an understanding about you, and what you may need from us. By bringing together and analysing customer information that we hold (creating insight) it allows us to adapt and deliver services that you need and where they are most needed.

11. Who does the Council share my personal information with and why?

The Council works with a number of trusted partners, agencies, business, suppliers and contractors in order to provide you with high quality, efficient and effective services. Some examples of the categories of third parties with whom we may share your information are:

Welsh Government

The Council is required to provide a wide range of information to the Welsh Government.

Examples:

• Educational achievements at key stages of a child’s learning;
• Information in respect of social care;
• If we receive specific grant finding from the Welsh Government, then we may be asked to provide updates that demonstrate what outcomes we have achieved; and
• Consultation responses when the Council is reviewing school catchment areas.

View Welsh Governments Privacy Information:

• Welsh Government’s Privacy Policy
• Welsh Government privacy notice for children receiving care and support from local authorities including those looked after

Wales Audit Office

The Wales Audit Office (WAO) work is to support the Auditor General (AG) as the public sector watchdog for Wales. The WAO aim is to ensure that the people of Wales know whether their money is being managed wisely and that public bodies in Wales, understand how to improve outcomes.

The WAO does this on behalf of the Auditor General by:

• Auditing the financial accounts of public bodies
• Reporting on how services are being delivered
• Assessing whether value for money is being achieved
• Checking how organisations are planning and delivering improvements

The Council is required to share data with the WAO in connection with their audit work and studies; this may include personal data depending on the scope of the inspection.

View further details in respect of the WAO's privacy notice.

 ESTYN

ESTYN is the education and training inspectorate for Wales. Its function is to provide and independent inspection and advice service on quality and standards in education and training provided in Wales including:

• how far education and training meet the needs of learners and contribute to their development and wellbeing;
• standards achieved; and
• the quality of leadership and training

ESTYN inspects the following organisations/bodies:

• nursery schools and settings that are maintained by, or receive funding from, local authorities;
• primary schools;
• secondary schools;
• special schools;
• pupil referral units;
• independent schools;
• further education;
• independent specialist colleges;
• adult community learning;
• local government education services;
• teacher education and training; 
• Welsh for adults;
• work-based learning;
• learning in the justice sector; and
• all-age schools.

The Council is required to share data with Estyn in connection with their audit work and studies; this may include personal data depending on the scope of the inspection. Find out more about ESTYN and to view Estyn’s privacy policy.

Care & Social Services Inspectorate for Wales (CSSIW)

CSSIW are the independent regulator of social care and childcare in Wales. Their role is to improve the quality and safety of services for the well-being of the people of Wales Its function is to:

• Decide who can provide services.
• Inspect and drive improvement of regulated services and local authority social services.
• Undertake review of social care service
• Investigate concerns raise about social services.

The Council is required to share data with the CSSIW in connection with their audit work and studies; this may include personal data depending on the scope of the inspection.

View more about CSSIW. 

National Fraud Initiative (NFI)

The Council is required by law to protect the public funds it administers and may share personal information with other organisations responsible for auditing or administering public funds in order to prevent and detect fraud. 

The Council also participates in the National Fraud Initiative (NFI) 

Partnership Working

The Council works in partnership with a number of organisations, including local Councils, Welsh Government and UK central government departments to deliver services to you and to fulfil its legal obligations.

You can see examples of how we work with others here. One of the Council’s key partnerships is the Cwm Taf Public Services Board (PSB). The PSB is a collection of public bodies working together to improve the economic, social, environmental and cultural well-being of people who live, work and visit the Cwm Taf areas of Rhondda Cynon Taf and Merthyr Tydfil. View more information about the Cwm Taf Public Service Board.

Examples of other organisations have been provided below, further information in respect of what information we share, with whom and why can be found within relevant service privacy notices.  

• HMRC
• DWP
• DVLA
• Health Board
• Welsh Government
• Courts
• Cwm Taf Safeguarding Board
• Multiagency Safeguarding Hub
• Other Councils

 Suppliers & Contractors

The Council works with a number of trusted third party suppliers and contractors who supply products and services on our behalf. All suppliers and contractors are subject to thorough security checks and will only hold the minimum amount of personal information needed in order to fulfil the services they are providing on our behalf.

 I.T Companies

The Council works with a number IT companies that provide us with business systems, solutions, support and maintenance. In order to provide us with their services, fulfil their contractual obligations and resolve any technical issues, these companies may need to access systems where personal information is stored.

I.T security is tightly controlled via robust policies and procedures, and our security arrangements are in accordance with national requirements placed upon us, such as those contained within the Public Services Network.

We also work with IT companies that make use of cloud storage or hosted technologies. This means that your data may be stored external to the Council in the suppliers own IT environment. If this IT environment is outside the European Economic Area we will ensure that we have appropriate contracts in place that provide strict rules regarding both the confidentiality and security of your information.

Payment Processing Providers

The Council works with trusted third party payment processing provides in order to securely take and manage your credit and debit card payments.

Our commitment to you when sharing your personal information with others:   We will tell you that your information will be shared, who it will be shared with and for what purpose. We will only share the minimum amount of information needed in relation to the purpose for which the information is being used.

12.  How long does the Council keep my information for?

How long we keep information for before it is disposed of varies depending on the type of information, legal requirements and business need. More information on the retention periods for specific services can be found in the Service Privacy Notices.

13. How does the Council keep my information safe?  

The Council makes every effort to keep your information safe and secure and has measures in place to ensure that your information, regardless of whether it’s held on a computer or in paper files. Examples of our security measures include:

• Approved and published information security policies, procedures and guidance which provide clear direction on information security e.g. home and mobile working procedures to ensure the security of information when working away from the normal office environment.
• Information management and data protection training so that all staff are aware of their roles and responsibilities for managing personal information.
• A dedicated Data Protection Officer whose job is to monitor the Council’s compliance with data protection law and to investigate any concerns regarding the use of an individual’s personal information.  
• A dedicated Information Security Officer whose job is to take responsibility for protecting the Councils computer networks, infrastructure and computer systems.
• Encryption for removable media to prevent unauthorised access of the personal information stored on it.
• Physical controls to restrict access to Council buildings and equipment to prevent unauthorised physical access to personal information e.g. CCTV, entry controls to secure areas.
• Secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal information e.g. locked storage rooms and filing cabinets with restricted access.
• Arrangements for the secure disposal of records and equipment when no longer required.
• Strong user access and password controls that help to ensure that only authorised individuals have access to Council information and systems. 
• Regular testing of our IT systems and technology to date on the latest security updates (e.g. upgrades and patching).

 14. Links to External websites

Where we provide links to websites of other organisations, our privacy notice and cookie policy does not cover how that organisation processes personal information or uses cookies. We encourage you to read the privacy notices and cookie policies on the other websites you visit.  We aim to mark all external links with the standard external link icon

15. Is the Council registered with the Information Commissioners Office?

Yes. The law requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence.

The Council is registered with the ICO as follows.

• Rhondda Cynon Taf Country Borough Council – Registration Number Z4870100
• Rhondda Cynon Taf Country Borough Council - Registrars of Births, Deaths and Marriages – Registrations Number ZA091000
• Rhondda Cynon Taf Country Borough Council – Electoral Registration Officer – Registration Number Z5276952

Please note that Schools and Elected Members (when processing personal information when representing a constituent) are registered separately.

You can find out more or search the Data Protection Public Register

16. Does the Council have a Data Protection Officer?

Yes. The Council is required by law to have a Data Protection Officer who is responsible for:

• Monitoring the council's compliance with the GDPR and other data protection laws.
• Monitoring our data protection policies, awareness-raising, training, and audits.
• Advising the council in respect to their data protection obligations.
• Provide advice and monitor the Data Protection Impact Assessment process.
• Acts as a point of contact for the Information Commissioner's Office (ICO) and members of public on any matter relating to Data Protection.

The Councils Data Protection Officer can be contacted as follows:

RCTCBC
ICT – Information Management
FAO: Data Protection Officer
Rhondda Fach Leisure Centre
Tylorstown
RCT
CF43 3HR

Email: information.management@rctcbc.gov.uk

17. Where can I get independent advice? 

If you have any worries or questions about how your personal information is handled please contact our Data Protection Officer at information.management@rctcbc.gov.uk.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office
Churchill House,
17 Churchill Way,
Cardiff
CF10 2HH 

Alternatively, visit ico.org.uk or email casework@ico.org.uk.