Data Controller: The London Borough of Sutton
Data Protection Officer: dpo@sutton.gov.uk
Purposes of the processing
Including but not limited to:
- Maintaining our own accounts and records
- HR functions
- Promoting services we provide
- Administration of services we provide
- Managing our property
- Providing leisure and cultural services
- Provision of adult education
- Carrying out surveys and consultations
- Collection of taxes and other revenue including benefits and grants
- Licensing and regulatory activities
- Local fraud initiatives
- The provision of adult social services
- Crime prevention and prosecution of offenders, including the use of CCTV
- Use of CCTV for public safety and traffic management
- Corporate administration
- Administration and enforcement of parking regulations and restrictions
- Internal financial support and corporate functions
- Managing archived records
- Debt administration
- Management of information technology systems
- Information administration
- Public health
- Management of public relations, journalism, advertising and media
- Sending promotional communications about the services we provide
- Buying, selling, promoting and advertising our products and services
- Duty or responsibility of the local authority arising from common or statute law.
Description of the categories of data subjects
Including but not limited to:
- Customers
- Suppliers
- Staff and contractors
- Benefit claimants
- Benefit recipients
- Complainants/enquirers
- Professional advisers and consultants
- Students and pupils
- Carers or representatives
- Landlords
- Licence and permit holders
- Traders and others subject to inspection
- People captured by CCTV images
- Representatives of other organisations
Categories of personal data processed
Including but not limited to:
- Personal details
- Family details
- Lifestyle and social circumstances
- Goods and services
- Financial details
- Employment and education details
- Housing needs
- Visual images, personal appearance and behaviour
- Licences or permits held
- Student and pupil records
- Business activities
- Case file information
- Charitable interests
Special category data:
- Physical or mental health details
- Racial or ethnic origin
- Trade union membership
- Political affiliation
- Political opinions
- Offences (including alleged offences)
- Religious or other beliefs of a similar nature
- Criminal proceedings, outcomes and sentences
- Biometric data
- Genetic data
Categories of recipients to whom personal data have been or will be disclosed
Where allowed by law, necessary, or required by law, we may share information with:
- Customers/service users
- Family, associates or representatives of the person whose personal data we are processing
- Current, past and prospective employers
- Healthcare, social and welfare organisations
- Educators and examining bodies
- Providers of goods and services
- Financial organisations
- Debt collection and tracing agencies
- Private investigators
- Service providers
- Local and central government
- Ombudsman and regulatory authorities
- Press and the media
- Professional advisers and consultants
- Courts and tribunals
- Trade unions
- Political organisations
- Professional advisers
- Credit reference agencies
- Professional bodies
- Survey and research organisations
- Police forces
- Housing associations and landlords
- Voluntary and charitable organisations
- Religious organisations
- Students and pupils including their relatives, guardians, carers or representatives
- Data processors
- Other police forces, non-Home Office police forces
- Regulatory bodies
- Courts, prisons
- Customs and excise
- International law enforcement agencies and bodies
- Security companies
- Partner agencies, approved organisations and individuals working with the police
- Licensing authorities
- Healthcare professionals
- Law enforcement and prosecuting authorities
- Legal representatives, defence solicitors
- Police complaints authority
- The Disclosure and Barring Service
- Charities and not-for-profit partners
Transfers of personal data to a third country and safeguards
Transfers may take place when:
- Technical and organisational security measures have been put in place via a contract; or
- With the consent of the data subject; or
- Where required by law
Time limits for erasure
In accordance with the Council's Retention Schedule
Technical and organisational security measures
Including but not limited to:
- Encryption
- Pseudonymisation
- Anonymisation
- Resilience planning including backups
- Robust security updates including timely patching and anti-virus software
- User access controls
- Physical security such as clear desk policy, locking of rooms/cabinets
- Penetration Testing
- Risk assessment
- Data Protection Impact Assessments
- Staff training
- Data sharing agreements with processors
Lawful basis for processing
Under Article 6 of the GDPR:
- Consent
- Contract
- Legal obligation
- Performance of a task
- Vital interests
Conditions for processing special category data
Under Article 9 of the GDPR:
- Explicit consent
- Employment/social security
- Vital interest
- Legal claims
- Substantial public interest
- Provision of health or social care
- Archiving
Data Subject Rights available
Under GDPR:
- Access
- Portability
- Erasure
- Rectification
- Restriction
- Object
- Not subject to automated decision making or profiling