As a local authority Birmingham City Council (the council) collects, holds and processes a considerable amount of information, including personal data about you, the citizens of Birmingham and other website visitors. This allows us to provide our services more effectively.
We understand that your personal data is important to you, and we have a responsibility to you regarding the information we hold about you, to ensure that the information we collect and use is done so proportionately, correctly and safely.
Being transparent with you and providing accessible information about how we use your information demonstrates our commitment to the General Data Protection Regulations, hereafter referred to as ‘GDPR’. (Regulation (EU) 2016/679).
We are committed to safeguarding your privacy and in this policy we explain how we will handle your personal data.
The council is registered as a ‘data controller’ with the Information Commissioner’s Office (ICO). Our registration details are:
The ICO's offices are closed
The ICO's offices will be closed for the foreseeable future. We are therefore unable to receive correspondence via post.
If you reference the ICO's postal address on your website or in your privacy notices, we would appreciate it if you could instead link to our contact page on the main Birmingham City Council website.
The council's Data Protection Officer can be contacted as follows:
Corporate Information Management Team
PO Box 16366 Birmingham
Purpose of processing
We collect, hold and use personal data received by you to enable us to provide services to you. These services include, but not limited to child and adult care, safeguarding, social services, schools, planning, claims, trading standards, youth offending, council tax, waste management, libraries and leisure services. The amount and type of information we hold on you depends on the services we are providing to you.
If you use different council services then we will provide you separate privacy notices for each of those services, detailing how we use your personal data to provide that service in line with the data protection principles below. We will not ask you for any information which is not necessary for the particular service we are providing to you.
“Personal data” means any information relating to a person who can be identified, directly or indirectly, from that information. This could include your name, your identification number, location data, online identifier (such as IP address) or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person.
Some of the services we provide may require us to process your 'special categories of personal data'. These special categories of personal data might include births, deaths or health data in relation to public health functions, or financial data in relation to social services. The definition ‘sensitive’ or ‘special categories’ of personal data has been extended to now include biometrics data (such as facial images) and genetic data (such as the analysis of a biological sample).
Conditions of processing
When we process your personal data we will do so in accordance with the data protection principles.
These principles are designed to protect you, and ensure that we:
process your information lawfully, fairly and in a transparent manner
use your information for a specified, explicit and legitimate purpose and not further processed in a manner that is incompatible with that purpose
only obtain adequate, relevant and limited information to allow us to carry-out the purpose for which it was obtained
ensure the information we hold about you is accurate and, where necessary, kept up to date
keep any information for no longer than necessary for the purposes for which it was collected and
process your information in a manner that ensures appropriate security of your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Consent for personal data
The council also provide limited services which will require your consent to process your personal data. This could include for example leisure centre or library membership or other recreational groups, and in these situations the legal basis for processing your personal data will be Section 6a) above.
In circumstances as described above - your consent to process your personal data must be ‘ specific, informed, active and affirmative, meaning it must be clear and freely given by you after we explain what further processing we would like to do with your data. You can therefore make an informed decision about whether you consent to the processing or not. You are in control and you can withdraw your consent at any stage by contacting the Data Protection Officer at the above address. (Please note however that any processing that has taken place up to the time that you withdraw consent will however be considered lawful).
Consent for special category personal data
In respect of sensitive or ‘special categories of personal data’ we will require your 'explicit consent'to further process this type of personal data under Section 7a) above. This means your consent must be very clear and specific, and again you can withdraw your consent at any stage by contacting the council.
Recording or managing consent
Once a citizens’ consent is obtained we will keep a record of when the citizen consented, the information they were provided with prior to consent and how they consented.
Consent is part of your ongoing relationship with our citizens and will therefore be managed appropriately. The consent will be reviewed periodically to ensure it remains appropriate, and, as previously stated, citizens have the right to withdraw their consent at any stage.
We will only retain your personal data for as long as necessary and in accordance with our retention schedule. When your personal data is no longer needed it will be securely deleted, except where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another person.
The council will strive to ensure that any personal data in its care will be kept safe and secure. In order to prevent unauthorised access, loss, destruction or theft, we have put in place appropriate technical, physical and managerial procedures to safeguard the information that we collect from you; this includes encryption of our computer systems. Our security measures are frequently reviewed in light of new risks or guidance from the ICO.
You have certain rights in relation to the personal information we hold about you. In particular, you may have a right to:
Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to erasure (right to be forgotten) – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restrict processing – where certain conditions apply to have a right to restrict the processing.
Right of data portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing, the performance of a legal task and scientific or historical research.
Right to object to automated processing, including profiling.
The right to withdraw consent - If the legal basis for our processing of your personal information is consent then you have the right to withdraw that consent at any time.
Some of the rights are complex, and there are circumstances where your rights will not apply, for example the right to erasure will not apply if your personal data is required for legal proceedings. It is recommended that you read the relevant guidance notes on the council website, or on the ICO’s website for further information.
How to exercise your rights
You may exercise any of your rights in relation to your personal data by. To avoid delay in dealing with your request please ensure that you confirm in your letter which right you wish to exercise along with the reasons why.
The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
We will respond to your request within 30 days, by either providing you with the information requested, requesting further information from you, or requesting further time to complete your request, if for example the request is substantial or we need to obtain information from various departments within the council.
The council can also refuse your request. In the event that the council refuses your request we will provide you with reasons why, as well as provide you with details of how you can challenge or appeal our decision. You will also be informed of your right to legally challenge our decision with the ICO.