Privacy statement
This is an overview of how Kent County Council makes sure you understand how we use your personal information. The law requires us to provide information about who we are, how to contact us, the purpose for which your personal data is used and who we share it with.
To understand how your own personal information is processed refer to any personal communications you have received, check the privacy notices for the service or contact the service directly to ask about your personal circumstances.
The council provides a range of statutory and other services to local people and businesses and collects personal data for many purposes, so this general statement explains how we make sure you have the information you need at the point it is collected. Each service that collects personal data therefore provides a separate Privacy Notice to explain the purpose and legal basis for that service.
For information on how we will use your personal information during and in response to the COVID-19 (coronavirus) pandemic, please refer to the supplemental privacy information.
See privacy notices for Kent County Council's services
Who we are
Kent County Council is registered as a data controller with the Information Commissioner’s Office (ICO) and we are regulated under the United Kingdom General Data Protection Regulation and the Data Protection Act 2018.
Our ICO registration number is Z5297748: View our entry on the ICO data protection register.
Our Data Protection Officer is Benjamin Watts.
The personal information we collect and use
Information collected by us
Our services either collect personal information directly from you or receive it from third-parties. We only receive your personal data from outside agencies or third- parties where there is a sound legal basis and purpose for doing so.
When gathering and using personal information, we will comply with the data protection principles, as set out in the KCC data protection policy. Depending on the needs of the service and the purpose of processing, we may collect some or all of the following types of information:
- Identity (name, date of birth, gender, passport, national insurance number, family details)
- Contact (address, email address, telephone numbers)
- Technical (IP address)
- Social data (lifestyle, housing needs)
- Education (student and pupil records)
- Commercial Services data (services used)
- Financial (bank account, payment card, transaction data, salary, benefits)
- Staff records (pensions, appraisals, nationality)
- Visual images, personal appearance and behaviour
- Business activities (employment, licences and permits held)
- Case file information.
Under certain circumstances we may need to collect and process the following special categories of personal data:
- medical (physical or mental health details)
- racial or ethnic origin
- trade union membership
- political affiliation
- political opinions
- criminal offences (including alleged offences)
- religious or other beliefs of a similar nature
- genetic data or biometric data
- sexual orientation.
We recognise that personal information concerning criminal convictions and offences is not special category personal data but is a very sensitive type of personal information which can only be shared in narrow circumstances.
Reasons we collect and use your personal information
We may need to use some information about you to:
- deliver and manage the services and support we provide to you;
- respond to enquiries or complaints
- train and manage employees or volunteers who deliver those services;
- control spending on services;
- monitor the quality of our services; and
- research and plan new services.
For the Council to be able to process your personal information we need to demonstrate that we have a lawful basis for doing so. Each service is responsible for setting out the purpose and legal basis of their processing of your personal data.
The table below provides examples of some of our purposes for processing data and their lawful bases. This is by no means comprehensive. Please refer to the specific service privacy notice for more detailed information.
Purpose/Activity | Type of Data | Lawful basis for processing including the basis of any legitimate interest grounds |
---|---|---|
To register you as a customer/complainant | a. Identity b. Contact | For a customer:
For a complainant: Necessary for the performance of a public task in the public interest |
To manage payment, fees and charges To collect money owed to us | a. Identity b. Contact c. Financial | Performance of a contract with you Necessary for the performance of a task in the public interest Necessary to comply with a legal obligation |
To administer and protect our website and IT systems (including data analysis, testing, system maintenance, support) | a. Identity b. Contact c. Technical | Necessary for our legitimate interests (provision of administration and IT services, network security, to prevent fraud) Consent (in relation to non-essential cookies) |
Provision of education and education support services | a. Identity b. Contact c. Social Educational records d. Special category e.case files | Necessary to comply with a legal obligation Necessary for the performance of a task in the public interest For special category: Necessary for carrying out the obligations and rights of the individual or the data controller in the social protection law field |
Data matching under local and national fraud initiatives | a. Identity b. Contact c. Financial d. Business Activities | Necessary to comply with a legal obligation |
Licensing and regulatory activities | a. Identity b. Contact c. Business activities | Necessary to comply with a legal obligation |
Provision of social services | a. Identity b. Contact c. Social d. Education e. Financial f. Special category g. Criminal h. Case files | Necessary to comply with a legal obligation Necessary for the performance of a public task in the public interest For special category: Necessary for the establishment, exercise or defence of legal claims whenever Courts are acting in their judicial capacity Necessary for the delivery of health and social care services Processing is necessary for the purposes of social protection law Necessary for reasons of substantial public interest (safeguarding of children and individuals at risk) |
Provision of Early Help Services (including family support, youth justice, inclusion and attendance) | a. Identity b. Contact c. Social d. Education e. Financial f. Special category g. Criminal h. Case files | Necessary to comply with a legal obligation (youth justice and attendance enforcement) Necessary for the performance of a public task in the public interest (family support) For special category: Processing is necessary for the purposes of social protection law Necessary for reasons of substantial public interest (safeguarding of children and individuals at risk) |
Crime prevention and prosecution offenders including the use of CCTV (including law enforcement processing under Part 3 of the Data Protection Act 2018 where we are acting as a ‘competent authority’ in section 30(1)) | a. Identity b. Contact c. Business activities d. Visual images, personal appearance and behaviour e. Special categories f. Criminal | Necessary for the performance of a task carried out in the public interest for the purposes of the prevention, investigation, detection or prosecution of criminal offences (law enforcement processing under Part 3: it is necessary for the performance of a task carried out for that purpose by a competent authority). For special category: Necessary for the establishment, exercise or defence of legal claims whenever Courts are acting in their judicial capacity (law enforcement processing under Part 3: it is strictly necessary for the law enforcement purpose and meets a condition in Schedule 8 of the Data Protection Act 2018 e.g. section 6: legal claims or section 7: judicial acts). |
Promoting the services we provide | a. Identity b. Contact c. Technical | Consent of the data subject Necessary for the performance of a public task in the public interest |
Marketing our local tourism and events | a. Identity b. Contact c. Technical | Consent of the data subject Necessary for the performance of a public task in the public interest |
Carrying out health and public awareness campaigns | a. Identity b. Contact c. Technical | Necessary for the performance of a public task in the public interest Necessary to comply with a legal obligation |
Managing our property | a. Identity b. Contact c. Business activities d. Financial | Necessary for the performance of a public task in the public interest Necessary to comply with a legal obligation Necessary for the performance of a contract |
Providing leisure and cultural services | a. Identity b. Contact c. Special category | Consent of the data subject Necessary for the performance of a public task in the public interest For special category: Explicit consent of the data subject to process their special category data |
Undertaking surveys, focus groups and/or depth interviews. We do this to help us to understand the needs of our service users and how they feel about the services that we provide. Where the research relates to Adult Social Care and Health, you will not be contacted if you have opted out under the national data opt-out policy, unless you have specifically given your consent for us to contact you about research. | a. Identity b. Contact c. Technical d. Special category e. Education f. Commercial services g. Staff records h. Business activities | Necessary for the performance of a public task in the public interest For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment) Necessary for statistical purposes |
Consultations | a. Contact b. Technical c. Special category | Necessary for the performance of a public task in the public interest Necessary to comply with a legal obligation For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment) |
Equality Monitoring | a. Contact b. Technical c. Special category | Necessary for the performance of a public task in the public interest Necessary to comply with a legal obligation For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment) |
Statistical research/ analysis | a. Identity b. Contact c. Special category d. Education e. Commercial services f. Staff records | Necessary for the performance of a public task in the public interest Necessary for reasons of legitimate interest (to evaluate our commercial operations) For special category: Necessary for reasons of substantial public interest (necessary for statutory and government purposes and/or to enable equality of opportunity or treatment) Necessary for archiving purposes, scientific or historical research purposes or statistical purposes |
To contact you to ask you to participate in a research survey and/or qualitative research carried out by universities, e.g. as part of a government funded evaluation of the impact of national policies on the quality of public services. Where the research relates to Adult Social Care and Health, you will not be contacted if you have opted out under the national data opt-out policy, unless you have specifically given your consent for us to contact you about research. | a. Identity b. Contact c. Special category d. Commercial services | Necessary for third party legitimate interests for the purpose of facilitating university research Necessary for the performance of a task carried out in the public interest For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for historical /statistical purposes. |
Automated processing - profiling | a. Identity b. Contact c. Special category | Necessary for the performance of a public task in the public interest For special category: Necessary for reasons of substantial public interest (equality of opportunity or treatment); or necessary for statistical purposes. |
The provision of all commercial services both for staff and public access | a. Identity b. Contact c. Special category d. Financial e. Commercial services data | Necessary for our legitimate interests to ensure the public receive an efficient and effective service Necessary for the performance of a contract For special category: the data subject has given explicit consent. Necessary for carrying out the obligations and rights of the individual or the data controller in the employment field Substantial public interest (preventing or detecting unlawful acts, protecting the public against dishonesty, equality of opportunity, preventing fraud) Necessary for occupational health assessment purposes |
CCTV | a. visual images, personal appearance and behaviour | Necessary for the legitimate interests of us or a third party Necessary for the performance of a public task in the public interest |
Managing archived records for historical and research reasons | a. Identity b. Contact c. Special category | Necessary for the performance of a public task in the public interest For special category: Necessary for archiving purposes, scientific or historical research purposes or statistical purposes |
Administering the assessment and provision of grants | a. Identity b. Contact c. Financial d. Business activity | Necessary for the performance of a public task in the public interest Performance of a contract with you |
County Councillor enquiries | a. Identity b. Contact c. Technical d. Special category e. Education f. Commercial services g. Staff records i. Business activities | Necessary for the performance of a public task in the public interest For special category: Substantial public interest (elected representative responding to requests) |
We may use your personal information where necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
Occasionally it may be necessary to provide certain information to us e.g. for us to provide a service to you or to comply with one of our legal duties. We will let you know if this is the case and the possible consequences of not giving us the information we ask for.
How long your personal data will be kept
We will only hold your personal information for as long as necessary. To work out how long we need to keep your information for we use our retention schedule. You will be informed in the service specific privacy notice of how long your data will need to be kept prior to secure disposal.
Who we share your personal information with
Your personal information may be shared with internal departments or with external partners and agencies involved in delivering services on our behalf. However, we will only share information with organisations who will also comply with appropriate data protection laws. You will be informed in the service specific privacy notice of who your data may be shared with, if at all.
Sharing of information is crucial to the successful delivery of local services. The UK GDPR specifically recognises that “data protection” should not be an excuse to prevent proper sharing of personal data. The Kent and Medway Information Sharing Agreement (KMISA) provides a framework to enable a number of organisations and public bodies across Kent and Medway to share personal information. The Agreement reflects the requirements of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The following are examples of third parties who we may need to share your information with if appropriate:
- family, associates or representatives of the person whose personal data we are processing
- current past and prospective employers
- healthcare, social and welfare organisations
- educators and examining bodies
- financial organisations
- debt collection and tracing agencies
- private investigators
- good and service providers
- local and central government
- ombudsman and regulatory authorities
- press and the media
- professional advisers and consultants
- courts and tribunals
- trade unions
- political organisations
- credit reference agencies
- professional bodies
- survey and research organisations
- police forces including non-home office police forces
- housing associations and landlords
- voluntary and charitable organisations
- religious organisations
- students and pupils including their relatives, guardians, carers or representatives
- data processors
- customs and excise
- international law enforcement agencies and bodies
- security companies
- partner agencies, approved organisations and individuals working with the police,
- licensing authorities
- healthcare professionals
- law enforcement and prosecuting authorities
- legal representatives, defence solicitors
- police complaints authority
- the disclosure and barring service
- university students undertaking research as part of their coursework, dissertation or thesis.
KCC does not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.
We only share your information where we have a legal basis to do so, for example where
- we take an individual into care; or
- the court orders us to do so.
National Data Opt-Out – Health and Adult Social Care Services
We have processes in place for considering requests for data disclosure for purposes beyond direct care which is consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.
Transfer outside of the United Kingdom or to an international organisation
We may transfer your information outside of the United Kingdom (UK). You will be informed in the service specific privacy notice if your information is to be transferred outside of the UK in this way.
Other countries do not necessarily have the same data protection laws as the United Kingdom. If we do transfer information outside of the European Economic Area (EEA), we will make sure that it is protected in the same way as if it was being used in the UK. We’ll use one of these safeguards:
- Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA, which is supported by an ‘adequacy decision’ by the European Commission. Learn more on the European Commission website.
- Put in place a contract/ appropriate safeguards with the recipient that means they must protect it to the same standards as the UK.
You can find out more about data protection on the Information Commissioner's website.
In July 2020, the European Court of Justice ruled that the EU-US Privacy Shield (a framework which sets privacy standards for data sent between EU countries and the US) was invalid. As a result, we are reviewing our data processes to ensure that where data is transferred to the US, there are appropriate safeguards in place.
KCC uses Microsoft 365 and stores its data on servers based in the UK and in the Netherlands.
As we transfer your data to the Netherlands (in the EU) we rely on UK GDPR Article 45 which states that this transfer may take place where there are ‘adequacy regulations’ determining that data is adequately protected by the laws in that country. A copy of this decision can be found in section 102 of Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (2019/419).
As Microsoft is an international organisation based in the United States, where necessary, KCC relies on Article 46 of the UK GDPR and appropriate safeguards being put in place, including standard contractual clauses in its data processing agreement with Microsoft. Read Microsoft’s data protection addendum.
If you would like further information, please contact us (see our ‘how to contact us’ section below).
How we use your information to make automated decisions
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. (e.g. monitoring your online activities or events which trigger actions such as sickness triggering a capability policy and profiling). This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know. These automated decisions can affect the services we may offer you now or in the future.
We are allowed to use automated decision-making in the following circumstances:
- Where we have notified you of the decision and given you 21 days to request a reconsideration.
- Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
- In limited circumstances, with your explicit consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision based on any particularly sensitive personal information we must have either your explicit written consent or it must be justified in the public interest, and we must put in place appropriate measures to safeguard your rights.
Tailoring services
We make decisions about how and where services are delivered by looking at the needs of our services users as a whole, and by understanding as much about them as possible in terms of their demographics (e.g. age, gender, disabilities etc) and lifestyle.
One of the ways that we do this is to create profiles using software that uses your address details to place you in one of a number of groups that describe the social characteristics and lifestyles of the UK population as a whole. These segments have been created by external companies that provide the software that we use. We analyse the profiles of our service users as a whole and compare it to the profile for the Kent population. Carrying out this type of analysis helps us to manage the planning and delivery of our services more effectively.
No decisions about an individual’s access to a service are made using these tools, as each service uses its own tailored assessment processes where these are required. We do not share the profiles of individual service users with any other organisation or business other than those acting as data processors on our behalf.
Market and social research surveys and qualitative research
To help us to understand the needs of our service users, we will from time to time carry out market research surveys and qualitative research (such as Focus Groups and Depth Interviews) amongst our service users, their families, and/or the adults who are responsible for them. Carrying out market research helps us to make better decisions about what services to deliver and where they are needed, by understanding the needs of our service users. You will be informed in the service specific privacy notice if this applies to your personal information.
We may contact you to ask you whether you are willing to participate in a market research survey and/or qualitative research. Your decision about whether or not to participate in the research will not affect the services that you receive from Kent County Council. We may ask a market research agency and/or independent qualitative researcher to undertake the research on our behalf. Any third party that we use (including online survey tools such as Snap Surveys) will adhere to the data protection legislation. Your details will not be used for direct marketing purposes.
We are sometimes contacted by University students wanting to carry out research amongst our service users and/or staff, as part of their coursework, dissertation or thesis. All such applications are subject to our Research Governance Approval process, which includes approval from the relevant ethics committees (such as the Health Research Authority) where appropriate.
Our website
We collect and use certain information or data about you when you use our website. Cookies are small text files that may be placed on your computer when you visit a website. They are widely used to make websites work and to make them more efficient. We use cookies to help understand how you use the website so we can make it better.
We use Google Analytics, Microsoft Clarity and GovMetric CX to understand how people use our website and for gathering feedback, so we can improve it. These technologies use a unique identifier in order to work and process data about the type of device and browser you use to access our website. GovMetric may also capture personal data that you supply (name and email address) in order to raise a query with us about our website.
We use YouTube and Vimeo (“embedded video players”) to show video content on our website. They also use a unique identifier to provide us with data about how many people watch our videos. Vimeo may also use data they collect for advertising purposes.
For more information on cookies and related technologies used on this site, and how to disable them read our cookie policy.
The data we collect on this site can be viewed by authorised people in Kent County Council as well as suppliers, to:
- provide analytics and video player services
- improve the site by monitoring how you use it
- gather feedback to improve our services
- respond to any feedback you send us, if you’ve asked us to
- allow you to access council services and make transactions
- provide you with information about local services if you want it.
We only use non-essential cookies with your consent (the legal basis for processing). We have a Cookie Consent Mechanism which allows you to accept or reject our use of non-essential cookies. When you visit www.kent.gov.uk you will be asked to accept our use of cookies, or you can choose to set your cookie preferences. If you do not wish to accept our use of cookies then make sure the sliders for the types cookie you do not want us to use is set to the “off” position.
Storing your website data
Sending information over the internet is generally not completely secure, and we can’t guarantee the security of your data while it’s in transit. Any data you send is at your own risk. We have procedures and security features in place to keep your data secure once we receive it. Data collected by Google Analytics, YouTube, Vimeo and Microsoft Clarity is transferred out of the UK and EEA to a country (USA) that may not have equivalent privacy regulations. However, data processed by Google Analytics and YouTube is done so in accordance with the Google Data Protection Addendum and data transferred to Vimeo is done so in accordance with their Data Transfer Agreement. Vimeo becomes a data controller of the unique identifier their cookies set. You can read Google’s overview of privacy and safeguarding data or Vimeo's Privacy Policy for more information. Data processing by Microsoft complies with the EU-U.S., UK Extension to the EU-U.S., and Swiss-U.S. Data Privacy Frameworks. You can read more on where Microsoft stores and processes personal data on their website and visit the U.S. Department of Commerce’s Data Privacy Framework website.
Links to other websites
Kent.gov.uk contains links to other websites. This privacy statement only applies to www.kent.gov.uk and doesn’t cover other services and websites that we link to. These services will have their own terms and conditions and privacy policies. If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.
Online forms (also known as “e-forms”)
In order to provide certain services or activities, we need to be able to collect information from individuals and organisations. We use software provided by Granicus, Snap, Microsoft and GovMetric to create these online forms. These companies are acting as data processors for Kent County Council and only process personal information in line with our instructions. Each individual form will have its own privacy notice.
Our contact centre
To help deal with incoming telephone contact efficiently, KCC has a contact centre. All calls are recorded for training and monitoring purposes and to help us deal with customer feedback. Recordings are stored securely for a maximum of 6 months and then are permanently deleted.
The information we need to take from you when you call us will depend on the reason for your call and what you are trying to get done. The range of information we may need to collect from you is set out in the 'Personal information we collect and use' section above. You should also read the privacy notice relating to the service that you are calling us about.
All our contact centre advisors are employees of Agilisys, which operates the Contact Centre on our behalf. They are based at County Hall in Maidstone. Agilisys also run our Out of Hours Emergency Contact Service (evening, weekends and public holidays) and this is provided through their centre in Rochdale.
Only authorised members of staff have access to the call recordings. Call recordings may also be shared with a limited number of authorised members of KCC staff, as part of our quality monitoring processes and complaints handling procedures.
Emails to central mailboxes
KCC’s central email address (county.hall@kent.gov.uk) is monitored and managed on KCC’s behalf by Agilisys, based at County Hall. Only authorised members of staff (Agilisys and KCC) have access to the emails. All emails are managed from with KCC’s secure ICT Network.
The information you provide in any email you send us will depend on the reason for your enquiry and what you are trying to get done. You should read the privacy notice relating to the service that you are emailing us about.
Reliance on exemptions from UK GDPR
KCC may process information in reliance on the exemptions under the Data Protection Act where allowed (for example where the personal data is processed and a claim to legal professional privilege would apply; in relation to the provision of confidential references; or where personal data is processed for the purposes of management forecasting (to the extent that such activity would be prejudiced by advance notification).
Your rights
Under the UK GDPR you have rights which you can exercise free of charge that allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (known as a Subject Access Request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
- where we process information based on your consent, you have the right to withdraw your consent at any time.
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to automated decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways.
We will always seek to comply with your request, however, we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.
You may not, however, have the right to object to the Council using your personal data for statistical purposes where it is necessary for the performance of a public task carried out for reasons in the public interest.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) under UK GDPR.
If you would like to exercise a right, please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedule. If KCC needs to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures. If sending us such information we recommend using our secure online forms where provided, or the postal service.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Contact
Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of these rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk or by writing to Data Protection Officer, Sessions House, County Hall, Maidstone, Kent ME14 1XQ
You also have the right to lodge a complaint with the Information Commissioner.