This privacy statement covers the following topics:
Belfast City Council (we) deliver a wide range of services to the residents of Belfast and those people who visit the city. To do this in an effective way, we are required to collect and use personal data.
The General Data Protection Regulation (GDPR) regulates the processing of personal data and replaces the Data Protection Act 1998. It became law on 25 May 2018 and places legal obligations on us to comply with a number of data protection principles.
These principles are there to protect your personal data and make sure that we:
- Process all personal information lawfully, fairly and in a transparent manner.
- Collect personal information for a specified, explicit and legitimate purpose only.
- Ensure the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
- Ensure the personal information obtained is accurate and up to date.
- Retain personal data for no longer than is necessary for the purpose it was processed.
- Keep your personal information safe and secure and protect its integrity and confidentiality.
The following information will explain how we collect and manage personal data about you.
Rights for individuals
The GDPR gives you rights relating to the processing of your personal information, which are:
- Right to be informed – obligation to provide ‘fair processing information’ through privacy notices. There must be transparency at the point of collection on how the information will be used and there is an emphasis on providing you with clear and concise notices.
- Right of access – individuals must be able to access their data to ensure that it is being processed lawfully. This is commonly referred to as a 'subject access request'. If you wish access to your personal data you must submit a request in writing and we will respond within 28 days. We may seek clarification as to your identity and there is no fee for this service.
- Right to be forgotten (is not absolute and only applies in certain circumstances) erasure or rectification of personal data – this right arises in the event of inaccurate or incomplete data and has been expanded to cover more circumstances than those set out in the Data Protection Act 1998.
- Right to data portability – this is a new right enabling individuals to reuse and transfer their personal data (held in electronic form) for their personal use to another data controller without affecting its usability.
- Right to object – where the processing of personal data is subject to consent, individuals can object to certain types of processing such as direct marketing or processing for research or statistical purposes.
- Right not to be subject to a decision based solely on automated processing, including profiling that significantly affect the individual.
We are the ‘data controller’ for the personal data that it gathers from members of the public, internal staff, external contractors and other individuals who interact with us.
You can contact us by telephone on 028 9032 0202 or email firstname.lastname@example.org
We have a dedicated Data Protection Officer who you can contact by email at email@example.com or write to at:
Data Protection Officer,
Belfast City Council,
City Hall Belfast,
Legal basis for processing personal data
We process personal data for specific purposes and these purposes will determine the legal basis for the processing. This is addressed under Article 6 of GDPR. The legal basis for processing by us as a public authority will be one or more of the following:
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which we are subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
- Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
There may be occasions when consent is the only legal basis we have to process your personal data. When this occurs, we will endeavour to seek your consent at the time we gather your personal data. You will normally be asked to provide a signature or indicate consent by ticking a box but this will only be carried out after a full explanation has been provided and you are clear as to what you are consenting to.
Consent is a core principle of data protection law and GDPR sets a high standard for this. It must be a freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action, which signifies agreement to the processing of personal data relating to the individual.
Type of personal data we collect
We collect the following type of personal data (this list is not exhaustive but provides a general guide):
- first name
- family name or surname
- telephone numbers
- date of birth
- health data
- training records
- financial information
- licensing information
- enforcement action
- complaint information.
Special category personal data
Special category data is personal data, which GDPR considers sensitive and deserving of extra attention:
- racial or ethnic origin
- religious or other philosophical beliefs
- political opinions
- trade union membership
- physical or mental health or condition
- sex life or sexual orientation.
- offences (including alleged offences)
- processing of genetic data
- processing biometric data for the purposes of identifying a natural person.
Therefore, we will apply additional security and access measures to this type of personal data.
Why we need your information
- to provide you with a public service in compliance with its legal responsibilities
- contact you by post, email or telephone
- update your records
- establish your needs and subsequently provide you with the assistance that you require
- prevent and detect fraud and corruption in the use of public money
- obtain your opinion about our services
- inform you of other relevant council services and benefits
- ensure we meet our legal obligations including those related to diversity and equality
- to protect citizens from harm or injury
- for law enforcement functions, for example, licensing, planning enforcement, trading standards and food safety where we are legally obliged to undertake such processing
- where the processing is necessary to comply with legal obligations, for example, the prevention and/or detection of crime
- to assist us in responding to emergencies or major accidents. This allows us, in conjunction with the emergency services, to identify individuals who may need additional help and support.
How we collect your personal data
The following are examples of how we collect your personal data:
- when you apply for a job with us
- when you attend our premises for a specific purpose and provide your details
- through the submission of questionnaires online or via mail
- submitting planning and building control applications
- registering births and marriages
- submitting complaints
- working in partnership with us
- emergency planning
- CCTV covering our property and land
- via enforcement action
- face to face contact with BCC officers who you interact with.
The personal data may be held in paper and electronic format, but will always be managed in a safe and secure manner.
Some areas of our website require you to actively submit personal data in order for you to benefit from specific features, such as our range of online services, for example, email, online forms or online payments. You will be informed at each of these personal data collection points what data is required and what data is optional.
Some of this personal data may uniquely identify you, such as your name, address, email address, phone number, but we will only collect the personal data we need.
Personal data may be gathered without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies. An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the internet. We collect IP addresses for the purposes of system administration and to audit the use of our site. Each time you log onto our site and each time you request one of our pages, our server logs your IP address.
Although we log your session, it will not normally link your IP address to anything that can enable us to identify you. However, we can and will use IP addresses to identify a user when we feel it is necessary to enforce compliance with our rules or terms of service or to protect our service, site, users or others.
How we use your personal data
All the personal data processed by us is held within the UK or on computer servers within the European Economic Area. No outside organisation is allowed access to your personal data unless the law permits this to happen.
We will use the personal data we collect to ensure you receive a proper service and to improve your interaction with us on a wide range of matters.
The data is used to manage your specific needs and inform you about changes to services, initiatives and events, dealing with complaints, employing contractors and dealing with enforcement action.
We will endeavour to inform you at the time your data is gathered why it is required and what it will be used for, both of which will be explained to you.
We will ensure that there are effective safeguards and systems in place to make sure personal information is kept safely and securely and provides awareness training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information properly.
What we ask from you
- That you provide us with accurate and up to date personal data.
- That you do not abuse staff when providing or seeking personal data.
- That you inform us of any changes to your personal data.
- That you inform us if you find any error or inaccuracies.
Disclosure of personal data
We will not disclose your personal data to any external organisation or person unless we are satisfied that we have a legal basis to do so and proper measures are in place to protect the data from unlawful and unauthorised access.
However, we may be required to share your personal data with other internal council departments to ensure we can manage your issues or requirements appropriately.
We also work closely with Central and Local Government departments throughout Northern Ireland and Great Britain and may share personal data with these departments, including statutory and non-statutory organisations for various projects and initiatives. We may also share information with the Police Service of Northern Ireland, Her Majesty’s Revenue and Customs and other law enforcement agencies for lawful purposes including the prevention and detection of crime and animal welfare.
We may also use external organisations to carry out services on our behalf and this requires providing them with access to your personal data. These organisations will act as Data Processors for us and they are legally obliged to keep your personal data secure and only process it under the specific direct instructions issued by us and in line with the GDPR.
We will not supply your information to any other organisation for marketing purposes without your prior consent.
How long we retain personal data
We are required to keep personal data for specified time periods to meet our statutory obligations and business needs and to comply with GDPR. We have developed a retention and disposal schedule that has been approved by the Public Record Office Northern Ireland (PRONI) and the Northern Ireland Assembly. Personal data is held for different time periods due the specific purpose it was gathered for or because the law compels we do so in this manner.
We may also retain personal data solely on the basis that you have provided your consent for this to happen. If you wish to withdraw your consent, you can to do so and request we delete and destroy your data, by writing to the relevant department (if known) or directly to our Data Protection Officer asking for this to happen. Your personal data will be reviewed to establish if the law permits its destruction and deletion.
Your personal data will only be held as long as necessary and permitted by law and will be disposed of in a secure manner when no longer needed.
We are required by law to protect the public funds we administer. We may share information provided for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The NI Audit Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see if they match. This is usually personal data.
Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency, which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the National Fraud Initiative to assist in the prevention and detection of fraud. We are required to provide personal data to the Comptroller and Auditor General or his agent for data matching under legislative powers included in the Audit and Accountability (NI) Order 2003, articles 4A to 4H.
The use of data in a data matching exercise does not require the consent of the individuals concerned under Data Protection legislation.
Data Protection Notification
As a Data Controller, we must notify the Information Commissioner's Office. You may view our Data Protection Notification by searching for our registration number ZA104779 on the Information Commissioner's website.
Monitoring of email
We may monitor your email and other online communications we receive (including members of staff). Any such monitoring will take place in accordance with the law.
Information Commissioner's Office
The Information Commissioner's Office (ICO) regulates compliance with GDPR within the UK. If you consider us to have breached any of the requirements of the GDPR, you may contact the ICO who may carry out an assessment, audit or investigation to establish whether we are compliant with the GDPR.
The ICO can be contacted at:
Information Commissioner’s Office,
14 Cromac Place,
Telephone: 0303 123 1114
Notification of changes to our privacy statement
We will post details of any changes to our privacy statement on this website to help make sure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
This privacy statement was updated in May 2018.
To find out more information about the use of your data or to make a subject access request for copies of your personal data held by us, please get in touch with the relevant department directly. You can also call our Information Governance Unit on 028 9032 0202 or email firstname.lastname@example.org