Privacy Policy

GDPR Privacy Statement

Public Space CCTV Birmingham City Council’s CCTV control centre (Birmingham Control Centre) provides an open and transparent approach to public space CCTV across Birmingham. This is endorsed by the certification that the control centre holds with the Surveillance Camera Commissioners office as a ‘relevant authority’ on which we are audited every year. Additionally, the control centre also holds accreditation under BS7958:2015 for the ‘Operation and Management of CCTV’.

We are also registered with the Information Commissioners Office, registration number Z4594350, to use CCTV images for crime prevention and prosecution of offenders.

We hold personal data from the CCTV system for a period of 31 days after which time the system automatically overwrites it. Where incidents are brought to our attention then personal data may be held for a longer period, in particular where offences have been reported and are under investigation. This privacy policy will be reviewed as part of the requirements of ISO 9001:2015

CCTV images are shared with law enforcement agencies and other recognised bodies e.g. solicitors and insurance claims handlers who legally have a right of access to the images. Members of the public can also make a ‘subject access request’ to obtain footage of themselves providing that it does not relate to a criminal offence or any other incident e.g. a road traffic collision. This is dealt with under a completely different process in line with article 15 of the GDPR. It should be noted that where applications are considered excessive then access to CCTV data can be refused.

Privacy Overview

As a local authority Birmingham City Council (the Council) collects, holds and processes a considerable amount of information, including personal data about you, the citizens of Birmingham and other website visitors.  This allows us to provide our services more effectively.

We understand that your personal data is important to you, and we have a responsibility to you regarding the information we hold about you, to ensure that the information we collect and use is done so proportionately, correctly and safely. Being transparent with you and providing accessible information about how we use your information demonstrates our commitment to the General Data Protection Regulations, hereafter referred to as ‘GDPR’. (Regulation (EU) 2016/679).

We are committed to safeguarding your privacy and in this policy we explain how we will handle your personal data.

Our details

The Council is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO). Our registration details are:

Birmingham City Council
Council House
Victoria Square
Birmingham
B1 1BB

Registration No: Z4594350.

The Councils Data Protection Officer can be contacted as follows:

Corporate Information Management Team
PO Box 16366 Birmingham
infogovernance@birmingham.gov.uk

Purpose of processing

We collect, hold and use personal data received by you to enable us to provide services to you.  These services include, but not limited to child and adult care, safeguarding, social services, schools, planning, claims, trading standards, youth offending, council tax, waste management, libraries and leisure services. The amount and type of information we hold on you depends on the services we are providing to you.

If you use different council services then we will provide you separate privacy notices for each of those services, detailing how we use your personal data to provide that service in line with the data protection principles below. We will not ask you for any information which is not necessary for the particular service we are providing to you.

You will be able to view the privacy notice for each service area on the relevant service area website homepage.  You can also request a hard copy using the contact details above.

Personal data

“Personal data” means any information relating to a person who can be identified, directly or indirectly, from that information.  This could include your name, your identification number, location data, online identifier (such as IP address) or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person.

Some of the services we provide may require us to process your ‘special categories of personal data’. These special categories of personal data might include births, deaths or health data in relation to public health functions, or financial data in relation to social services. The definition sensitive’ or ‘special categories’ of personal data has been extended to now include biometrics data (such as facial images) and genetic data (such as the analysis of a biological sample).

Conditions of processing

When we process your personal data we will do so in accordance with the data protection principles.

These principles are designed to protect you, and ensure that we:

  • process your information lawfully, fairly and in a transparent manner
  • use your information for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with that purpose
  • only obtain adequate, relevant and limited information to allow us to carry-out the purpose for which it was obtained
  • ensure the information we hold about you is accurate and, where necessary, kept up to date
  • keep any information for no longer than necessary for the purposes for which it was collected and
  • process your information in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Lawfulness of processing

Processing of personal data shall be undertaken ‘lawfully’. To show the processing is being undertaking lawfully one of the following conditions should apply (unless an exemption applies):

  • You have given consent to the processing of your personal data for one or more specific purposes; (for example a university retaining personal data for alumni purposes)
  • Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. (For example if you purchase goods from an online shop to be delivered then the shop will need to process your personal details to allow them to perform the contract and deliver the goods to you)
  • Processing is necessary for compliance with a legal obligation to which the Council is subject. (For example processing staff personal data to comply with our legal obligation to disclose employee salary details to HMRC)
  • Processing is necessary to protect your vital interests or the vital interests of another natural person.  (For example if an individual is admitted to A & E following a road accident, then the disclosure to the hospital of the individuals medical history may be necessary in order to protect his/her vital interests)
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Council (this includes most of the Councils functions which comes from various pieces of legislation); and
  • Processing is necessary for the purposes of the legitimate interests. Public authorities, such as the Council can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

Processing ‘special categories’ of personal data

All personal data is not the same, and some information is more sensitive than others. As such special rules apply when processing these ‘special categories’ of personal data.  Special categories’ of personal data include:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious and philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data for the purpose of uniquely identifying a natural person; and
  • Sex life/sexual orientation.

Processing of these types of personal data is prohibited unless one of the conditions below applies (in addition to a condition from paragraph 6):

  • The citizen has given explicit consent to the processing
  • It is necessary for the purposes of carrying out the obligations and exercising specific rights of the Council or of the citizen in the field of employment and social security and social protection law.  (For example employee equal opportunities data)
  • Processing is necessary to protect the vital interests of the citizen or of another natural person, where the citizen is physically or legally incapable of giving consent. (For example a life or death situation)
  • Processing is carried out by a not-for-profit entity with a political, philosophical, and religious or trade union aim in the course of its legitimate activities
  • Processing relates to personal data which is manifestly made public by the citizen. (The personal data is already in the public domain)
  • Processing is necessary for the establishment, exercise or defence of legal claims
  • Processing is permitted where it is necessary for reasons of substantial public interest.  (For example a natural disaster)
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment. (Medical treatment)
  • Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (such as foot and mouth disease); and
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Consent

Consent for personal data
The Council also provide limited services which will require your consent to process your personal data.  This could include for example leisure centre or library membership or other recreational groups, and in these situations the legal basis for processing your personal data will be Section 6a) above.

In circumstances as described above – your consent to process your personal data must be ‘specific, informed, active and affirmative, meaning it must be clear and freely given by you after we explain what further processing we would like to do with your data. You can therefore make an informed decision about whether you consent to the processing or not. You are in control and you can withdraw your consent at any stage by contacting the Data Protection Officer at the above address.  (Please note however that any processing that has taken place up to the time that you withdraw consent will however be considered lawful).

Consent for special category personal data
In respect of sensitive or ‘special categories of personal data’ we will require your ‘explicit consent’ to further process this type of personal data under Section 7a) above. This means your consent must be very clear and specific, and again you can withdraw your consent at any stage by contacting the Council.

Where the Council seeks to disclose sensitive personal data, such as medical details, to third parties, we will do so only with your prior explicit consent.

There may be occasions where we may have to disclosure your personal data if it is required or permitted by law, for example in relation to crime prevention/detection. In these cases we do not require your specific consent or explicit consent for the disclosure of your personal data.

Recording or managing consent
Once a citizens’ consent is obtained we will keep a record of when the citizen consented, the information they were provided with prior to consent and how they consented. Consent is part of your ongoing relationship with our citizens and will therefore be managed appropriately. The consent will be reviewed periodically to ensure it remains appropriate, and, as previously stated, citizens have the right to withdraw their consent at any stage.

Retention

We will only retain your personal data for as long as necessary and in accordance with our retention schedule.  When your personal data is no longer needed it will be securely deleted, except where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.

Security

The Council will strive to ensure that any personal data in its care will be kept safe and secure.  In order to prevent unauthorised access, loss, destruction or theft, we have put in place appropriate technical, physical and managerial procedures to safeguard the information that we collect from you; this includes encryption of our computer systems.  Our security measures are frequently reviewed in light of new risks or guidance from the ICO.

International transfers of your personal data

We may provide personal data to agents/subcontractors outside the European Economic Area (EEA).  The EEA includes all European Union countries and the following three non-European Union countries Iceland, Liechtenstein and Norway.

The European Commission has made an “adequacy decision” in respect of a number of other countries outside of the EEA.  An adequacy decision is a decision which confirms whether or not another country (outside of the EEA) provides an adequate level of protection of an individual’s personal data. If we intend to provide personal data to agents/subcontractors outside of the EEA then this will be outlined in the relevant service privacy policy which you can access from the relevant service area homepage.

Staff administration

The Council will process personal information relating to its current and former staff and individuals, (who have applied for permanent or temporary jobs at the Council), Councillors and other elected officials, and volunteers, for the purposes of managing their contract of employment, the work of the Council, pay and/or pensions, discipline and other personnel matters.

Data matching, mining and analysis

To help us to do this, we may share and process the information provided to us in different ways. This information includes that held in respect of:

  • Council Services
  • Provision of Council funded services
  • Information provided to the Council to assist the Council in its legal obligations
  • Other Local Authority records held by Birmingham City Council
  • Information provided by external organisations; credit reference agencies, social housing providers (including Registered Social Landlords), West Midlands Police and West Midlands Fire Service.

Each of the above mentioned categories contain a number of sub categories. If you would prefer a full detailed breakdown of what data matching we may undertake then please contact the Information Governance Team.

Birmingham Audit

Information Sharing

To ensure that we can provide you with the best possible service we may have to share your personal data between our internal teams or external partners. Our external partners include the Cabinet Office, West Midlands Police, West Midlands Fire Service, National Health Service, The Department for Work and Pensions, HM Revenues and Customs, Public Health other local authorities, district councils, credit reference agencies, service providers/contractors and partner bodies.

We may also share your information with third parties, other than those who either process information on our behalf or because of a legal requirement/entitlement, and it will only do so if necessary or where permitted under data protection legislation.

As well as public bodies we may also share information with utility companies, credit reference agencies and service providers/contractors where the disclosure of such information is required to protect the public purse or is otherwise necessary to comply with any other legal obligation.

Statistical Data/Research

We may also process your personal data (including special categories of personal data) for the purpose of research or compiling statistical data about the population of the city at large to assist us in complying with our legal obligations, and to assist the council in the effective planning and provision of future services.

Statistical data
Statistical data or statistical analysis will not allow the identification of any specific individual nor will it have any impact on any individual’s entitlement to council services and facilities.

We may use your personal information to administer our site and internal operations including data analysis, statistical and survey purposes (see also cookies). If we require your specific or explicit consent to do this then we shall seek your consent in advance and only after outlining to you the purpose of the proposed processing.  You will have the option to withdraw your consent at any stage.

Research
The Council undertakes research both internally and with our partners such as Public Health or NHS partners. An example of the research is the National Impact Study, a major piece of national research comparing the progress of families with complex needs and requiring additional services with those who do not have the additional services.  This allows the Government to determine the effectiveness of the programme.  We may also conduct research for service development and planning purposes.

All research undertaken will be essential to establishing the best way of working with families and improve outcomes for them and the wider community, and save public money. All research is anonymised, meaning you cannot be identified from the personal data used in the research.

Your rights

You have certain rights in relation to the personal information we hold about you. In particular, you may have a right to:

  • Right to be informed – you have a right to be told how the Council use your personal data. The Council communicate the right to be informed via this privacy policy.
  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to erasure (right to be forgotten) – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restrict processing – where certain conditions apply to have a right to restrict the processing.
  • Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing, the performance of a legal task and scientific or historical research.
  • Right to object to automated processing, including profiling.
  • The right to withdraw consent – If the legal basis for our processing of your personal information is consent then you have the right to withdraw that consent at any time.

Some of the rights are complex, and there are circumstances where your rights will not apply, for example the right to erasure will not apply if your personal data is required for legal proceedings. It is recommended that you read the relevant guidance notes on the Council website, or on the ICO’s website for further information.

How to exercise your rights

You may exercise any of your rights in relation to your personal data by writing to us at the address above. To avoid delay in dealing with your request please ensure that you confirm in your letter which right you wish to exercise along with the reasons why.

The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

We will respond to your request within 30 days, by either providing you with the information requested, requesting further information from you, or requesting further time to complete your request, if for example the request is substantial or we need to obtain information from various departments within the Council.

The Council can also refuse your request.  In the event that the Council refuses your request we will provide you with reasons why, as well as provide you with details of how you can challenge or appeal our decision.  You will also be informed of your right to legally challenge our decision with the ICO.

Cookies

Cookies are small text files that are placed on your computer, smartphone, tablet or smart TV’s when you access a website. They are widely used in order to make websites work, or work more efficiently, by allowing the website to recognise your device and store information about past actions or preferences.  An example could be internet banking, where your device may recognise and populate certain previously entered login details previously entered.

The Council website uses cookies in order to provide a better service and experience to the citizens of Birmingham and other website users.

There are two kinds of cookies

  • session cookies which are short-term and auto-delete after a few minutes or when you close your browser; and
  • persistent cookies set by the website and stored for a longer period of time, usually used to store commonly entered information on forms (such as your name, address, and telephone number).  They also store information about your browsing habits across multiple sites, usually used to allow advertisers and social network site operators to target advertising at you.

The Council uses Google Analytics to analyse the use of our website and help us create a more useful and easy to use site. The data collected is completely anonymous and does not store any personal details. The information is used to analyse how visitors make use of our website and allows us to gather statistical information such as website activity, visitor numbers, popular pages and customer journey through the website.

If you do not wish to allow use of cookies for our website, you can block them using your browser preferences (for example by amending your cookie settings on google settings).

Find out more about cookies

Cookies currently being set

On www.birmingham.gov.uk

  • __utma, __utmb, __utmz. Used by Google Analytics as part of our statistical information gathering
  • 5ybiiJ37HUoeNLdw. Used to maintain the front end user’s session, facilitating accessibility settings, form progress, etc
  • TestCookie Used to test whether the browser can accept cookies
  • Session cookie. This used to store the session id of a user. This is required to determine whether a user is logged in to the web site. Session data is also stored when a user is filling in a form however the data is stored on the server and not in the cookie.These cookies are set to expire as soon as a user quits their browser.

On online.birmingham.gov.uk

  • __utma, __utmb, __utmz. Used by Google Analytics as part of our statistical information gathering
  • customerfirst.birmingham.gov.uk. Used as part of the operation of the online customer account
  • CWS Used as part of the operation of the online customer account

On eplanning.birmingham.gov.uk

  • __utma, __utmb, __utmz. Used by Google Analytics as part of our statistical information gathering
  • MVMSession. Used to store your search progress on the planning portal

Links to other websites

The Council website may contain links to other websites run by other organisations. This privacy policy applies only to the Council website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

Amendments

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law. When such changes occur, we will revise the “last updated” date at the top of this notice. If there are substantial changes to this statement or in the Council uses your personal data, we will advertise the updated notice both on the front page of the Council web site and in Council offices.

The Council encourages you to periodically visit the Council’s web site to review this notice and to be informed of how the Council is protecting your information.

If you would like to know more or have any concerns about how your information is being processed please contact our Corporate Information Governance Team.

If you require general information about the Data Protection Act or General Data Protection Regulations (Regulation (EU) 2016/679), information is available on the Information Commissioner’s website.

Complaints

If you wish to make a complaint about how the Council are processing your personal data, then in the first instance please contact the data protection officer in the ‘Our details’ section.

If you are still dissatisfied with how the Council have handled your complaint then you have the right to complain to the Information Commissioners Office (ICO).

The ICO can be contacted as follows:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone:      08456 30 60 60
Website:          www.ico.gov.uk

Webchat

What does Webchat do?
Webchat provides online support for citizens who need support when they can’t find what they are looking for on the council’s website, through chat.

What information do we collect?
If you engage with our webchat, we may collect:

  • Name and email address
  • Chat transcripts
  • Completed surveys
  • Automatic information, such as IP address, operating system and type of browser and the geographical location

How do we use the information the council collects?

  • use of email when we need to contact you about the chat
  • survey responses to improve our services

Service provider

  • we use a third part service provider to assist us in hosting the webchat platform.

How do we keep your information secure?
We encrypt all personal data and this is hosted within the service providers infrastructure.  All personal details are stored within Europe.

Access and changes to personal data
You have the right to request information from the council, relating to your webchat.  You can also request removal or amendments to your personal data.

Request removal or amendments to your personal data