Privacy Our use of personal data

As a unitary local authority, the vast majority of personal data we process is required to enable us to meet our statutory obligations and perform our ‘public task’ activities.

Find out more about the legal bases for the council processing personal data.

Register of processing activities under Article 30(1) of the GDPR and clause 61 of the Data Protection Act 2018

Name and contact details of the controller

Shropshire Council
Abbey Foregate

Telephone: 0345 678 9000

Contact details of the data protection officer

Purposes of the processing

We process personal information to enable us to provide a range of government services to local people and businesses which include:

  • Maintaining our own accounts and records
  • Supporting and managing our employees
  • Promoting the services we provide
  • Marketing our local tourism
  • Carrying out health and public awareness campaigns
  • Managing our property
  • Providing leisure and cultural services
  • Provision of education
  • Carrying out surveys
  • Administering the assessment and collection of taxes and other revenue including benefits and grants
  • Licensing and regulatory activities
  • Local fraud initiatives
  • The provision of social services
  • Crime prevention and prosecution offenders including the use of CCTV
  • Corporate administration and all activities we are required to carry out as a data controller and public authority
  • Undertaking research
  • The provision of all commercial services including the administration and enforcement of parking regulations and restrictions
  • The provision of all non-commercial activities including refuse collections from residential properties,
  • Internal financial support and corporate functions
  • Managing archived records for historical and research reasons
  • Data matching under local and national fraud initiatives
  • Debt administration and factoring
  • Management of voluntary and statutory offending management programmes for young people
  • The use of CCTV systems for public safety, protection of life and property and traffic management
  • Protection of life and property
  • Management of information technology systems
  • Information and databank administration
  • Public health
  • Prevention and control of disease within the community
  • Occupational health and welfare
  • Produce and distribute printed material
  • Management of public relations, journalism, advertising and media
  • Sending promotional communications about the services we provide
  • Enable us to buy, sell, promote and advertise our products and services
  • Any duty or responsibility of the local authority arising from common or statute law.

Description of the categories of data subjects

We process personal information about:

  • Customers and service users
  • Suppliers
  • Staff (inc volunteers, agents, temp and casual)
  • Elected members or supporters
  • Claimants
  • Complainants, enquirers or their representatives
  • Professional advisers and consultants
  • Students and pupils
  • Carers or representatives
  • Landlords
  • Recipients of benefits
  • Witnesses
  • Offenders and suspected offenders
  • Licence and permit holders
  • Traders and others subject to inspection
  • People captured by CCTV images
  • Representatives of other organisations

Categories of personal data

We process information relevant to the above reasons/purposes which may include:

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Employment and education details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • Licenses or permits held
  • Student and pupil records
  • Business activities
  • Case file information
  • Births and deaths data

We also process sensitive classes of information that may include:

  • Physical or mental health details
  • Racial or ethnic origin
  • Trade union membership
  • Political affiliation
  • Political opinions
  • Offences (including alleged offences)
  • Religious or other beliefs of a similar nature
  • Criminal proceedings, outcomes and sentences
  • Biometric data
  • Genetic data

Categories of recipients to whom personal data have been or will be disclosed

Where allowed by law, necessary, or required by law we may share information with:

  • Customers / service users
  • Family, associates or representatives of the person whose personal data we are processing
  • Current past and prospective employers
  • Healthcare, social and welfare organisations
  • Educators and examining bodies
  • Providers of goods and services
  • Financial organisations
  • Debt collection and tracing agencies
  • Private investigators
  • Service providers
  • Local and central government
  • Ombudsman and regulatory authorities
  • Press and the media
  • Professional advisers and consultants
  • Courts and tribunals
  • Trade unions
  • Political organisations
  • Professional advisers
  • Credit reference agencies
  • Professional bodies
  • Survey and research organisations
  • Police forces
  • Housing associations and landlords
  • Voluntary and charitable organisations
  • Religious organisations
  • Students and pupils including their relatives, guardians, carers or representatives
  • Data processors
  • Other police forces, non-home office police forces
  • Regulatory bodies
  • Courts, prisons
  • Customs and excise
  • Local and central government
  • International law enforcement agencies and bodies
  • Security companies
  • Partner agencies, approved organisations and individuals working with the police,
  • Licensing authorities
  • Service providers
  • Press and the media
  • Healthcare professionals
  • Current past and prospective employers and examining bodies
  • Law enforcement and prosecuting authorities
  • Legal representatives, defence solicitors
  • Police complaints authority
  • The disclosure and barring service

Transfers of personal data to a third country and safeguards

Transfer will take place when:

  • Technical and organisational security measures have been put in place via a contract; or
  • With the consent of the data subject; or
  • Where required by law

Time limits for erasure

Please refer to the our record retention schedule.

Technical and organisational security measures

We take organisational security seriously and include, but are not limited to, measures such as the following:

  • Staff training
  • Organisational policies
  • Technical controls
  • User access controls
  • Security at rest
  • Security in transit
  • Pseudonymisation
  • Anonymisation
  • Business continuity and resilience planning including backups
  • Robust security updates including timely patching and anti-virus software
  • Physical security, eg restricted room access, etc
  • Independent vulnerability testing
  • Data protection impact assessments
  • Contractual controls
  • Data minimisation
  • Retention management
  • Supplier accreditation checks

In accordance with Article 30(2) of the GDPR, Shropshire Council contracts will require data processors to keep a record of the above when processing data on behalf of Shropshire Council unless they're exempt from doing so, such as:

  • Enterprises or organisations employing fewer than 250 people
  • Enterprises not processing data that it's likely to result in a risk to the rights and freedoms of data subjects
  • The processing is occasional
  • The processing doesn't include special categories of data or personal data relating to criminal convictions and offences