Privacy notice relating to the processing of personal data by Rhondda Cynon Taf County Borough Council for the purpose of Emergency Planning
Introduction
This privacy notice is intended to provide information about how Rhondda Cynon Taf County Borough Council (referred to as ‘RCTCBC’, ‘Council’, ‘Local Authority’, ‘we’) will use (or ‘process’) personal data about individuals for the purpose of Emergency Planning.
This notice should be read in conjunction with;
The Data Controller
The Council is the data controller for the personal data processed for the purposes of Emergency Planning.
The Council is registered with the Information Commissioner’s Office (ICO) as a controller under reference Z4870100.
Queries relating to this privacy notice
If you have any questions or queries relating to this privacy notice please contact the Emergency Planning department:
By email: Emergency.Planning@rctcbc.gov.uk
By telephone: 01443 562200
In writing: RCTCBC, Emergency Planning, TY Elai, Dinas Isaf East, Williamstown, CF40 1NY
Who we are, what we do
The Emergency Planning department is responsible for the co-ordination and preparation of contingency plans to deal with the challenges of major incidents or emergencies that occur in Rhondda Cynon Taf affecting residents, businesses and the surrounding areas, for example flooding.
The Event Safety Advisory Group (ESAG) completes pre-event planning to ensure appropriate plans are in place to effectively manage, risk assess and co-ordinate events.
When processing the personal data, we process only the minimum amount necessary in relation to the purpose.
Whose personal data we process
We may process personal data relating to the following individuals for Emergency Planning purposes;
We hold information about the following types of people;
- Individuals affected by Incidents or Emergencies, such as Victims and/or Survivors (and their family and friends)
- Dialysis Patients
- Volunteers, Staff (Council and Partner Agencies), Responder Personnel
- Event Organisers
The categories of personal data we process
We may process the following categories of personal data for Emergency Planning purposes;
- Name
- Address
- D.O.B
- Telephone Number
- Email address
- Next of Kin
- Health Information (including any vulnerabilities or needs).
Why we process the personal data
We process the personal data for Emergency Planning purposes. This may include but is not limited to the following activities;
- Prepare for, respond to and recover from incidents, including any major incidents/interruption to supply or public health emergencies as advised by Welsh Government.
- Risk assess and co-ordinate Events.
- From time to time we will share your personal information with third parties, including our contractors, response partners and statutory bodies such as the Coroner and Welsh Government.
Our lawful basis for processing the personal data
Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data to provide the emergency planning service is;
- Legal Obligation - Article 6 (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Public Task - Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The primary legislation, regulations and guidance that supports this includes, but is not limited to;
- In fulfilment of the statutory obligations placed on us, primarily under the Civil Contingencies Act 2004
- The Control of Major Accident (COMAH) Regulations 2015
- The Pipeline Safety Regulation 1996
- CONTEST – The United Kingdom’s Strategy for Countering Terrorism.
Who or where we get the personal data from
We will get this information from a variety of people/organisations depending on the incident, or from yourself when you are responsible for holding an event:
- You, friends, neighbours or family, when a registration form or incident log is completed at a rest centre
- Category 1 and Category 2 Responders, from whom we will receive information via Resilience Direct
- Other Council Departments, such as Environmental Health, Events etc.
- Emergency Services, such as the Fire Service, Police etc.
- Welsh Government
- Volunteers and Employees
- Event Organisers
Who we share personal data with
We may share the personal data with the following key organisations to fulfil our statutory function of Emergency Planning.
When sharing the personal data, we only share the minimum amount necessary in relation to the purpose.
| Who | Purpose |
|---|---|
| Emergency Services such as: Police; Fire Service; Health; Maritime and Coastguard; Military Forces | For a co-ordinated response to ensure an efficient and effective response. To prevent members of the public having multiple agencies contact them. |
| Other Local Authorities | For a co-ordinated response in cross-border incidents. |
| Utility/Telecommunication Companies | To ensure vulnerable properties are attended to when needed in incidents. |
| Welsh/Central Government | For a co-ordinated approach to ensure Ministers know what properties are affected in incidents. |
| Health & Safety Executive | For a co-ordinated approach. For incident reporting. |
| Coal Authority; Mines Rescue (MRS) | For a co-ordinated approach. For incident reporting. |
| Elected Members | Focused community data sharing to ensure community leaders are aware of properties/areas affected. |
| Contractors working on behalf of the Council | Operating to carry out works when needed. |
Data Processors
A data processor is a company or organisation that processes personal data on our behalf. Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.
The category of data processors the service uses is:
- IT system suppliers/ Service suppliers
How long we retain the personal data
We retain the personal data contained within Emergency Planning records as follows:
| Record | Basic Record Description | Statutory Provision | Retention period |
|---|---|---|---|
| Contacts | Key/critical staff, partner agencies & restricted numbers | | Kept up to date (annual / statutory review period) |
| Incident logs / reports | Record of details and decisions in incidents. | | Current year + 12 years (longer for major incidents) |
| Training records | Staff training recorded for competency checks. Current training etc. | Civil Contingencies Act 2004 | Current year + 3 years |
| Emergency Plans | Plans to be acted on in emergency situations – names and addresses of affected properties may be included in specific plans. | | Current plan + 1 Previous plan |
| COMAH / Pipeline Safety Plans | Site specific plans i.e. addresses, owners and numbers etc. | COMAH Regulations; Pipeline Regulations | Review period not exceeding 3 years |
| Minutes | Data recorded is dependent on meeting – event/incident meetings. | | Current year + 3 years (may be extended for major incidents) |
| Registration forms | Part of evacuation plans i.e. people evacuated, personal details, including medication/health needs. | | Current Year +12 (may be extended for major incidents) |
| Staff contact details | SLT/Key Officers' addresses/telephone numbers etc. For specific incidents i.e. Borough wide power outage. | | Current year + 1 (annual review) |
| Event Plans | Bigger/complex events, management of events including organisers' and suppliers' details. | | Current year +3 (may be extended for major incidents) |
In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period (e.g. documents that contain assessments, decisions, outcomes etc.). Information that has no long term or evidential value is routinely destroyed in the normal course of business.
Your data protection rights
The General Data Protection Regulation (GDPR) gives individuals important rights, including the right of access to the personal data that the Council holds about you.
Click Here for further information on your information rights and how to exercise them.
Your right to make a data protection complaint to the Council
You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.
You can do this by contacting Emergency Planning directly via one of the following communication methods. Most concerns can be resolved relatively quickly through a simple phone call or email;
Alternatively, you can raise a formal complaint via the Council’s Customer Feedback Scheme using the following link (Make a comment, compliment or complaint online) or you can contact the Council’s Data Protection Officer at Information.management@rctcbc.gov.uk.
Your right to make a data protection complaint to the ICO
You also have the right to complain to the ICO if you are unhappy with how we have used your data. However, we encourage you to contact us first and provide us with an opportunity to look into your concern and put things right.
The ICO can be contacted:
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline number: 0303 123 1113
- Website: https://www.ico.org.uk