Why do we collect and use this information?
Hampshire County Council (‘County Council’) is the Data Controller for the purpose of collecting and using information from you as a provider of Holiday Activities with Food (HAF) to fulfil Department for Education requirements for the HAF Programme. We collect information about you and/or your scheme (including personal data) to assess your tender and your call off bid. We will collect the personal data from you that we need to make this assessment and provide this service to you.
We also hold this personal data securely and use it to ensure compliance with our obligations under the accuracy principle of the General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your scheme are up to date.
The data processor
In-Tend is a data processor for this information for the purpose of delivering a contract to the County Council around the hosting and supporting of the tender system. The County Council uses In-Tend to collect information provided to us, as identified under this privacy notice. In-Tend will not disclose our data to anyone else, unless they are required to do so by law.
The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for, alongside identifying any rights you may have and who to contact if you think we’re not handling your information in the right way.
The categories of information that we collect, hold and share
We collect different types of Personal Data and Special Category Data depending on the activity being undertaken.
We collect different types of Personal Data and Special Category Data depending on the activity being undertaken. For assessing tenders and mini-competitions, we process:
- the provider’s name
- the provider’s Ofsted Unique Reference Number (URN) where applicable
- the name of the person completing the application
- operational business sensitive information about the provider
- email address(es) for communicating
The lawful basis on which we use this information
We collect and use the information ensuring that we comply with the UK General Data Protection Regulation (UKGDPR) requirements for processing through:
- Article 6(1)(a) Consent - the individual has given clear consent for you to process their personal data for a specific purpose
- Article 9(2)(a) – Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
Storing and securing data
Any personal information you provide as part of a tender submission will be maintained as a record in the system for the duration of the tendering process and then as required as per the Council’s retention policy to support record of the tender process. Your details may also be maintained if a contract is subsequently awarded to your organisation in order to support contract award, implementation and contract management as appropriate. These will be maintained in accordance with the Council’s Retention Policy for contractual documents.
Correspondence and communications received (such as emails from the HAF scheme owner or manager) will be stored within the County Council’s Document Management System (DMS). No paper files are held. The information held within the County Council’s DMS will be kept in line with our retention schedule and then deleted as appropriate. The County Council’s DMS is hosted by the County Council in secure UK based data centres, which are on site.
The County Council takes its data security responsibilities seriously and has policies and procedures in place to ensure the personal data held is:
- prevented from being accidentally or deliberately compromised
- accessed, altered, disclosed or deleted only by those authorised to do so
- accurate and complete in relation to why we are processing it
- continually accessible and usable with daily backups; and
- protected by levels of security ‘appropriate’ to the risks presented by our processing
The County Council also ensures its IT Department is certified to the internationally recognised standard for information security management, ISO27001.
Who do we share information with?
We do not share information with anyone unless there is a lawful basis that allows us to do so. The information then shared under a lawful basis will be necessary, relevant and proportional to the task being undertaken.
Requesting access to your personal data and your rights
Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, or your child(ren)’s, please contact the Children’s Services Department’s Subject Access Request (SAR) Team.
You also have the right to:
- prevent processing for the purpose of direct marketing
- object to decisions being taken by solely automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed and
- claim compensation for damages caused by a breach of the Data Protection regulations
Please note that under the GDPR, there is also a right to erasure but the right to erasure does not provide an absolute ‘right to be forgotten’. Where the data being processed is for the purpose of ‘complying with a legal obligation for the performance of a public interest task or exercise of official authority’ (Article 6(1)(e))’, this right does not apply.
You have some legal rights in respect of the personal information we collect from you. See our Data Protection page for further details.
You can contact the County Council’s Data Protection Officer by email firstname.lastname@example.org.
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.