Why do we collect and use this information?
Hampshire County Council is the organisation responsible for processing your information (the Data Controller). Our Children’s Services Department’s Data Protection Team (DPT) collect and use information from you, members of the public, Hampshire County Council employees and other professionals and agencies to carry out our statutory responsibility under the UK General Data Protection Regulation (GDPR) to ensure individuals have the right to raise concerns when they believed their information has been handled incorrectly potentially resulting in a data incident occurring and a possible breach of data protection legislation.
We collect information about you, your children as well as information about other individuals whose personal information may be used as part of an investigation into a Potential Data Incident (PDI). We hold this personal data securely and use it to:
- process your concern including validating information provided (e.g. we ask for supporting documents in order to verify the accuracy of an allegation) and communicating the outcome in writing to you
- undertake searches of County Council systems to locate evidence to support the investigation
- contact appropriate individuals who can assist with the investigation into the PDI
- manage enquiries around the PDI
- undertake wider County Council statutory duties in support of individual’s education and welfare
- ensure compliance with our obligations under the accuracy principle of the UK General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your family are up to date
The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for (the retention period), alongside identifying any rights you may have and who to contact if you think we’re not handling your information in the right way.
The categories of information that we collect, hold and share
The following personal and special category information is processed:
- your personal information (such as name, date of birth, address, telephone number, email, relationships to other individuals involved)
- other individuals personal information who may be involved or can assist with the PDI being investigated (such as their name, address, role)
- supporting evidence provided relevant to the PDI (such as copies of documents, photographs, explanations of situations, court orders)
- contextual information around the PDI (such as times, dates, locations)
The lawful basis on which we use this information
We collect and use the information ensuring that we comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA2018) requirements for processing through:
- Article 6(1)(e) – the processing is necessary to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law
- Article 9(2)(g) – Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures
- Sch.1, Pt.2, 1 – Substantial public interest conditions, for processing under the DPA2018
These articles under the UK GDPR and the DPA2018 are supported by the following specific legislation:
- The GDPR Articles 33, 34, 58, 83 and Recitals 75, 85-88
Under this lawful basis we do not require your consent to process this information but we are required, through this privacy notice, to ensure you are fully informed of why we are collecting this information and what we will do with it.
Please note that no automated decision making (decisions taken without a person involved) occurs for any parts of these activities controlled by the County Council. The County Council does not use profiling as part of the PDI process.
Storing and securing data
A record of the PDI will be held within the County Council’s Children’s Services PDI Log. The information held within the PDI Log will be held in line with our retention schedule, which at the end of this period will see the information disposed of as appropriate. The PDI Log is hosted by the County Council in secure data centres based in the UK.
Any paper based documents, including any supporting evidence you provide, will be scanned to create an electronic record and stored within the County Council’s Document Management System (DMS), with the paper version being destroyed within one month. The file will be linked to the record created in the PDI Log by the use of a reference identifier. The information held within the County Council’s DMS will be kept in line with retention schedules and then disposed of as appropriate. The County Council’s DMS is hosted by the County Council in secure UK based data centres, which are on site.
The County Council takes its data security responsibilities seriously and has policies and procedures in place to ensure the personal data held is:
- prevented from being accidentally or deliberately compromised
- accessed, altered, disclosed or deleted only by those authorised to do so
- accurate and complete in relation to why we are processing it
- continually accessible and usable with daily backups
- protected by levels of security ‘appropriate’ to the risks presented by our processing
The County Council also ensures its IT Department is certified to the internationally recognised standard for information security management, ISO27001.
Who do we share information with?
We do not share information with anyone unless there is a lawful basis that allows us to do so.
Depending on the individual circumstances of each situation, we may also have to share this information with other teams within the County Council to fulfil other statutory duties and powers to support our work. These might include teams such as our Children Missing Education (for ensuring the provision of full time education); Information Compliance Team (for concerns escalated to the County Council’s Data Protection Officer); Virtual School (for support of children currently and previously looked after); and/or Social Care teams (supporting welfare, safeguarding and corporate parent functions). We may also share information through the County Council’s role in the Hampshire Safeguarding Children Partnership (HSCP) to comply with their statutory duties. Any information shared will be necessary, relevant and proportional to the activity being undertaken.
Requesting access to your personal data and your rights
Under data protection legislation, individuals have the right to request access to information about them that we hold. To make a request for your personal information, or someone you have responsibility for, please contact the Children’s Services Department’s Subject Access Request (SAR) Team.
You also have the right to:
- prevent processing for the purpose of direct marketing
- object to decisions being taken by solely automated means
- in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
- claim compensation for damages caused by a breach of the Data Protection regulations
Please note that under the UK GDPR, there is also a right to erasure but the right to erasure does not provide an absolute ‘right to be forgotten’. Where the data being processed is for the purpose of ‘performing a task in the public interest or for our official functions, and the task or function has a clear basis in law’ (Article 6(1)(e))’, this right does not automatically apply.
If you would like more information about these services please email [email protected]
The above information is the specific privacy notice for this service. For more information about your rights in relation to your personal data, see the County Council’s general privacy notice.
You have some legal rights in respect of the personal information we collect from you. See our Data Protection page for further details.
You can contact the County Council’s Data Protection Officer by email [email protected].
If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office.