Record of Processing Activities
Record of Processing Activities – under Article 30 (1) of the GDPR and Clause 61 of the Data Protection Act 2018
Full address: - Arun District Council, Civic Centre, Maltravers Road, Littlehampton, West Sussex, BN17 5LF
Telephone: - 01903 737500
Data Protection Officer:- Daniel Bainbridge, Group Head of Law and Governance, Arun District Council, Civic Centre, Maltravers Road, Littlehampton, West Sussex, BN17 5LF data.protection@arun.gov.uk
As a local authority we process a wide range of personal information to enable us to provide a range of local government and statutory services to local people and businesses within the Arun District. A requirement of the above data protection legislation is that we can account for all our processing of personal data and that members of the public that use our services are clear about what happens to their personal data that we process. The Record of Processing Activities below provides information about the areas in which we process personal data and provides links to where Privacy Notices are published to show exactly what happens with personal data in these areas.
Purpose of processing
We process personal information to enable us to provide a range of local government and statutory services to local people and businesses which include:
- maintaining our own accounts and records
- supporting and managing our employees
- promoting the services we provide
- marketing our local tourism
- carrying out health and public awareness campaigns
- managing our property
- provision of leisure and cultural services
- carrying out surveys
- administering the assessment and collection of taxes and other revenue including benefits and grants
- licensing and regulatory activities
- local fraud initiatives
- crime prevention and prosecutions including use of CCTV
- corporate administration and all activities required to carry out as data controller and public authority
- research
- provision of commercial services including the administration and enforcement of parking regulations and restrictions
- provision of non-commercial activities including refuse collections from residential properties
- internal financial support and corporate functions
- managing archived records for historical and research purposes
- data matching under local and national fraud initiatives
- debt administration and factoring
- use of CCTV systems for public safety and property management as well as crime deterrent
- protection of life and property
- management of Information Technology systems
- public health
- prevention and control of disease within the community
- occupational health and welfare
- produce and distribute e-communications and printed material
- management of public relations, journalism, advertising, and media
- any duty or responsibility of the Local Authority arising from common or statute law
We process personal information about
- customers and service users
- suppliers
- staff (including volunteers, agents, temporary and casual staff)
- elected members or supporters
- claimants
- complainants, enquirers, or their representatives
- professional advisors and consultants
- carers or representatives
- landlords
- benefit recipients
- witnesses
- offenders and suspected offenders
- licence and permit holders
- traders and others subject to inspection
- individuals captured by CCTV images
- representatives of other organisations
We process information relevant to the above reasons/purposes which may include
- personal details
- family details
- lifestyle and social circumstances
- goods and services
- financial details
- employment and education details
- housing needs
- visual images, personal appearance, and behaviour
- licences and permits held
- business activities
- case file information
- death records
We also process sensitive classes of information (“special category data”) that may include
- physical or mental health details
- racial or ethnic origin
- trade Union membership
- political affiliation
- political opinions
- offences (including allegations)
- religious beliefs (or other beliefs of a similar nature)
- criminal proceedings, outcomes, and sentences
- biometric data
- genetic data
- where allowed by law, necessary or required by law we may share information with
- customers and service users
Where allowed by law, necessary, or required by law we may share information with
- customers and service users
- family, associates, or representatives of the person whose personal data we are processing
- current past and prospective employers
- healthcare, social and welfare organisations
- providers of goods and services
- financial organisations
- debt collection and tracing agencies
- private investigators
- service providers
- local and central government
- ombudsmen and regulatory authorities
- press and the media
- professional advisors and consultant
- courts and tribunals
- trade unions
- political organisations
- professional advisors
- credit reference agencies
- professional bodies
- survey and research organisations
- police
- housing associations and landlords
- voluntary and charitable organisations
- religious organisations
- data processors
- regulatory bodies
- court and Prison services
- customs and excise
- local and central government
- international law enforcement agencies and bodies
- security companies
- partner agencies, approved organisations and individuals working with the police
- licensing authorities
- service providers
- healthcare professionals
- current, past, and prospective employers and examining bodies
- law enforcement and prosecuting authorities
- legal representatives, defence solicitors
- Police Complaints Authority
- the Disclosure and Barring Service
The transfer of personal data will take place when technical and organisational security measures have been put in place via a contract; data sharing agreement; with the consent of the data subject; or where required by law.
Sharing of personal data
In undertaking its services, Arun District Council shares personal data with an receives personal data from several third parties including Members of Parliament, local Councillors, partner organisations and other outside bodies. This is undertaken in accordance with the Data Protection Act 2018 and GDPR, the necessary data protection impact assessments (DPIA) for high-risk data sharing, privacy notices setting out the lawful basis for such sharing and appropriately worded contracts and agreements in place to regulate the process.
Arun District Council regularly undertakes a review of all initiatives that involve working in partnership where data sharing is taking place.
Lawful basis for the processing
Please refer to the relevant privacy notice for information on the purpose, lawful basis and retention periods.
The council takes organisational security seriously and includes measures such as the following, but not limited to:
- staff training
- organisational policies
- technical controls
- user access controls
- security at rest and transit
- pseudonymisation
- anonymisation
- business continuity and resilience planning including backups
- robust security updates including timely patching and anti-virus software
- physical security eg restricted room access, etc
- independent vulnerability testing
- data Protection Impact Assessments
- contractual controls
- data minimisation
- retention management
- supplier accreditation checks
In accordance with Article 30(2) of the GDPR, Arun District Council will require data processors to keep a record of the above when it is processing data on behalf of Arun District Council unless it is exempt from doing so, such as:
- it is an enterprise or an organisation employing fewer than 250 people; and;
- it is not processing data that is likely to result in a risk to the rights and freedoms of data subjects
- the processing is occasional; or
- the processing does not include special categories of data or personal data relating to criminal convictions and offences
Internal processing activities
Arun District Council has undertaken a full review of all systems that process personal data to ensure that all processing has been accounted for. These will include both manual and electronic systems which will comply with the council’s requirements in terms of security, risks assessed via the undertaking of a DPIA and will be referred to as required in the relevant privacy notices.