Privacy Notice for Leeds City Council

Leeds City Council is a registered data controller with the Information Commissioner's Office under the Data Protection Act.

Under the UK General Data Protection Regulation (UK GDPR), Leeds City Council collects and processes your information in order to provide various public sector services to you under the powers given to Local Authorities (councils). Some of these services are statutory such as Council Tax and benefits whereas others are optional. In these cases, we require explicit consent from you. Information may be collected on paper or online forms, by phone, email or by council staff.

Leeds City Council has to process information in order to deliver and improve services to our citizens.

The Data Protection Act 2018 says that any personal data we collect and hold about you has to be:

  • processed lawfully, fairly and in a transparent manner
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which  it is processed
  • accurate and, where necessary, kept up to date
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
  • processed in a manner that ensures the appropriate level of security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

The controller shall be responsible for, and be able to demonstrate compliance with the above principles.

Things you can do to help us:

  • tell us when any of your details change; and
  • tell us if any of the information we hold on you is wrong

What is personal data and the data we collect

Personal data is information about a living person that means we can work out who they are such as name, address, telephone number, date of birth and bank details. This can include written letters, emails, photographs, audio recordings and video recordings.

We collect your information when you make contact with us. We may also gather the following data including but not limited to:

  • name
  • address
  • telephone number
  • date of birth
  • family information
  • lifestyle and social circumstances
  • images, personal appearance and behaviour
  • school records
  • information held in paper files

Some data is called 'special category data', which is more sensitive, and we must look after it more carefully. This includes details of ethnic origin, religious beliefs, sexual orientation, trade union membership, health data, biometric (such as fingerprints, facial recognition) and genetic (for example, DNA) data.

Extra protection is also given to criminal offence data – this is personal data relating to criminal convictions and offences or related security measures and covers information about offenders or suspected offenders in the context of criminal activity, as well as, allegations, investigations and proceedings.

Some of the information we receive comes from third parties, such as government agencies, contractors acting on our behalf, your agents and representatives and other sources.

At the point that we collect your information for a specific use (for example, in an online form), we'll explain how we'll use it and how long we'll keep your information in the relevant service specific privacy notice

Why we use your personal data

The reason we collect and use your data will depend upon the service you have requested. In most instances, a service specific privacy notice should be referred to.

Some examples of why we use your data are to:

  • provide council services and anything we must do by law
  • carry out our regulatory, licensing and enforcement roles which we have to do by law
  • make payments, grants and benefits
  • listen to your ideas about council services and carrying out surveys to enable us to improve services based on your feedback
  • tell you about council services
  • enable us to get in touch
  • analyse statistical data so we can plan how we provide services
  • create anonymised data, including health related data, to help improve the health of the population we serve and the services we provide. We publish some of the data on the Data Mill North and on Leeds Observatory under an Open Government licence

Any anonymised data will not contain any personal information which means that individuals cannot be identified.

You can find out about how various council services use your data from privacy notices relating to specific services.

Lawful basis for using your personal data

Under Data Protection legislation, the council must have a lawful basis for any personal data it processes. These are:

  • with your express consent
  • where processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract
  • where processing is necessary for compliance with a legal obligation which we are subject to
  • where processing is necessary in order to protect the vital interests of you or another person
  • where it is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests

Most commonly, we will use your personal data if it is necessary for the compliance with a legal obligation which we are subject to or because it is necessary to perform a task carried out in the public interest.

Other reasons may apply from time to time; indeed, it is possible that one or more reasons may apply when we are processing your information.

We are allowed to use your personal data under many different laws. The main ones for the council are the Local Government Acts and the Localism Act 2011, but there are many others. More information on statutory duties of local authorities could be found on GOV.UK.

Some of these laws may have been updated since then, and new ones added. You can view more details for each service area in the service specific privacy notice.

In many cases there is a law that says either that we must, or we can process your data, and we can do so without your consent or permission.

Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting the relevant service. Where consent is the correct lawful basis for processing you can find details to withdraw your consent via the service specific privacy notice

For some services we process your data under a contract, for example, your leisure centre membership or concert ticket sales. Where we ask other companies and/or organisations to provide services on our behalf, we may need to pass your personal data to them to enable them to deliver these services to you. These providers are under contract and must keep your details safe and secure, using them only to provide the service. You can find our list of contracts that shows the companies we deal with on YORtender – the procurement portal for the Yorkshire and Humber region, and on our Leeds City Council publication scheme page.

There may be some limited circumstances when we process your personal data as it is in our legitimate interests to do so. When this occurs, our legitimate interests are provided in the relevant service area's privacy notice with an explanation for using this lawful basis.

Any personal data including special category data that we process about individuals is done so in accordance with Article 6 and 9 of the UK GDPR, and Schedule 1 of the Data Protection Act 2018 (DPA 2018) and will be set out in the relevant Service Privacy Notice.

Where we process personal data relating to criminal offences, this is processed under Article 10 of the UK GDPR that covers processing in relation to criminal offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences, or proceedings for an offence committed or alleged to have been committed, including sentencing.

Some of the Part 2 Schedule 1 conditions for processing special category and criminal offence data require an Appropriate Policy Document (APD) to be in place. This sets out and explains the procedures for ensuring compliance with the principles in Article 5 and policies around the retention and erasure of personal data. This document explains this processing and satisfies the requirements of Part 2 Schedule 1, Part 4 of the DPA 2018 and supplements this privacy notice.

For further information into the detail of any relevant legislation which allows us to use your data, find the appropriate service specific privacy notice.

Detection and prevention of fraud or crime

Leeds City Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud or may share with the Police if it is suspected that a crime may have been committed. We may also share this information with other bodies that are responsible for auditing or administering public funds including the council's external auditor, the Department for Work and Pensions, other local authorities, HM Revenue and Customs, and the Police, for example.

In addition to undertaking our own data matching to identify errors and potential frauds we are required to take part in national data matching exercises undertaken by the Cabinet Office. The use of data by the Cabinet Office in a data matching exercise is carried out under its powers in Part 6, Schedule 9 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned.

Our use of automated decision making and profiling

In most cases your data will not be used for any automated decision making, including profiling. However, when we use automated means for data analysis the process will be verified by human intervention. Please refer to the relevant service specific privacy notice for more information.

How we share your data

We share your data between services within the council so we can keep our information on you as up-to-date as possible and improve our services to you. For example, if you tell the housing team you have moved, they will pass this information on to other parts of the council such as the Council Tax team. Staff can only view your data if they need it to do their job.

We share your data with many organisations and partners who help us to deliver services to you. In some instances, we are required to share your data by law. For example, we may be required to share your data for the purposes of security and prevention of fraud and other criminal activity; and where such disclosure is necessary for legal claims or court proceedings.  Where this is necessary, we are required to comply with all aspects of the UK Data Protection legislation. For more information, please visit the ICO website.

Some of the types of organisations we share your data with are shown below:

  • courts and tribunals
  • prisons
  • central government
  • credit reference agencies
  • current past and prospective employers and examining bodies
  • customers
  • customs and excise
  • data processors
  • debt collection and tracing agencies
  • educators and examining bodies
  • relatives, guardians, associates or representatives of the person whose personal data we are processing
  • financial organisations
  • healthcare professionals
  • healthcare, social and welfare organisations
  • housing associations and landlords
  • international law enforcement agencies and bodies
  • law enforcement and prosecuting authorities
  • legal representatives, defence solicitors
  • licensing authorities
  • local government
  • ombudsman and regulatory authorities
  • partner agencies and approved organisations
  • police complaints authority
  • police forces and non-home office police forces
  • political organisations
  • press and the media
  • private investigators
  • professional advisers and consultants
  • professional bodies
  • providers of goods and services
  • regulatory bodies
  • religious organisations
  • security companies
  • service providers
  • schools
  • students and pupils including their relatives, guardians, carers or representatives
  • survey and research organisations the disclosure and barring service
  • trade unions
  • voluntary and charitable organisations

How we protect your information

Our aim is not to be intrusive, and we won't ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and procedures to make sure it cannot be seen, accessed or disclosed to anyone who shouldn't view it.

How long we keep your personal information

We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by law. There are different retention periods for different types of information. The service specific privacy notices will tell you how long each service area may keep your information for.

Please be aware that some of these retention periods may need to be extended due to public inquiries (such as the independent inquiry into child sexual abuse) or other external legal requirements.

Your rights

The UK data protection regime is set out in the Data Protection Act 2018 (DPA 2018), alongside the UK General Data Protection Regulation (GDPR).

Data protection is about making sure you can trust others to use your data fairly and responsibly.

You have the right to:

  • be informed about how and why your data is used
  • access personal data held about you, known as the 'right of subject access'
  • have your data corrected if it's inaccurate or incomplete
  • have your data deleted, known as the 'right to be forgotten'
  • have your data restricted
  • ask us to stop processing your personal information, known as the 'right to object'
  • ask us to put the personal information you have given us into a portable electronic machine readable format so it is capable of being transmitted to someone else 
  • not be subject to decisions based solely on automated processing

These rights are not absolute and are dependent on conditions and exemptions. In some cases, the rights described above only apply if the processing activity is undertaken on specific legal grounds and/or in defined circumstances. Therefore, all these rights are unlikely to be engaged in all cases.

To exercise your rights, the best way to do this is by emailing DPFOI@leeds.gov.uk. For more information in relation to your rights and alternatives ways to exercise those rights, please refer to the your rights and how to exercise them page.

For further information about which rights apply for specific processing, please refer to the relevant service specific privacy notice.

Transfer of your personal data outside the UK

The majority of personal information is stored on systems in the UK but there are some occasions where your information may leave the UK either in order to get to another organisation or if it is stored in a system outside of the UK.

We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data, to ensuring we have a robust contract in place with that third party.

We'll take all practical steps to make sure your personal information is not sent to a country that is not seen as 'safe' either by the UK or EU Governments.

If we need to send your information to an 'unsafe' location, we'll always seek advice from the Information Commissioner first.

For further information about data transfer, please refer to the relevant service specific privacy notice.

Data Protection Officer

The Data Protection Officer is entrusted to monitor the council's compliance with the data protection legislation and all relevant council policies and procedures in relation to the handling and protection of personal data.

Leeds City Council has appointed the following person at its Data Protection Officer:

Aaron Linden

Head of Information Management and Governance - Data Protection Officer
Leeds City Council
Merrion House
110 Merrion Way
Leeds
LS2 8BB
DPO@leeds.gov.uk

Should you be dissatisfied with how your information is managed you can raise a data protection complaint. Additionally you have the right to contact the Information Commissioner's Office, who can be contacted through their website.

Use of cookies on our websites

We sometimes store small files called cookies on your computer or other devices to help improve your experience on our website.

We collect web statistics automatically about your visit to our site based on your IP address.

This information is used to help us to improve your experience on our website.

Contact details

Leeds City Council
Civic Hall
Calverley Street
Leeds
LS1 1UR

Phone: 0113 222 4444

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 7 November 2024.



Use this form to give us your comments. Do not use it to give us personal information - please contact us if you need to get in touch.