Privacy policy

Southampton City Council Privacy Notice

As a Local Authority, Southampton City Council (SCC) must meet its contractual, statutory, and administrative obligations. We are committed to ensuring that the personal data of our residents and service users is handled in accordance with the data protection principles. 

This privacy notice tells you what to expect when SCC collects personal information about you. It applies to all service users. However the information we will process about you will vary depending on your specific involvement with SCC. 

If we are requesting your personal data, it is because it is necessary and relevant to the service or function being performed. As such, if you withhold information, it is likely that we will not be able to perform the service or function, or there will be a delay in doing so. 

SCC is the controller for this information unless this notice specifically states otherwise, and its Data Protection Officer can be contacted at

This notice should be read in conjunction with our service-specific notices listed below, and when appropriate we will provide a “just in time” notice to cover any additional processing activities not mentioned in this document. 

We keep this privacy notice under regular review and it may be amended from time to time. 


As part of the council’s role supporting the response to emergency situations and outbreaks of infectious disease, we may receive patient information from the UKHA in order to:

  • Recognise trends in such diseases and risks
  • Control and prevent the spread of such disease and risks
  • Monitor and manage outbreaks of communicable disease
  • Monitor and manage incident and exposure of communicable disease

The information provided to the council varies but may include:

  • Age
  • Sex
  • Ethnicity
  • Home postcode
  • Test results
  • Details of any symptoms, start date and nature

If you are a care home resident, we will also receive information in relation to this. The council uses this data only when necessary in an aggregated and anonymous form to make operational decisions with our partner agencies.

Service specific privacy notices

In this notice

How do we get your information

We get information about you from the following sources:

  • Directly from you.
  • From third party organisations, such as the NHS, government departments, or the Police
  • CCTV images from our own CCTV systems

What personal data we process and why

The information we process about you will vary depending on the service being provided, but will fall within the following categories:

  • Education and training details
  • Employment details
  • Family, lifestyle and social circumstances
  • Financial details
  • Goods or services provided and related information
  • Personal details issued as an identifier (e.g. NHS Number)
  • Personal details, including any information that identifies the data subject and their personal characteristics

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

In addition to processing your personal data to provide our services and perform our functions, we may also use your personal data:

  • For research purposes, and to help inform our policies and strategies
  • To identify individuals that might be eligible for services, schemes, and support, and contacting those individuals if it is considered fair to do so

Information relating to your health and wellbeing and other special category data

In order to meet our statutory and legal obligations in respect of certain services, we may also need to process sensitive, or “special category” personal data about you, which could include data related to:

  • Physical or mental health
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation
  • Racial or ethnic origin
  • Political opinions
  • Biometric or Genetic data
  • Gender status
  • Criminal record and criminal proceedings

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Lawful basis for processing your personal data

Depending on the service, we rely on the following lawful basis for processing your personal data under the GDPR:

  • Article 6(1)(a) where we have your consent
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations
  • Article 6(1)(d) in order to protect your vital interests or those of another person.
  • Article 6(1)(e) for the performance of our public task.
  • Article 6(1)(f) for the purposes of our legitimate interest

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Special category data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

  • Article 9(2)(a) where we have your explicit consent
  • Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
  • Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
  • Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
  • Article 9(2)(f) for the establishment, exercise or defence of legal claims.
  • Article 9(2)(g) for reasons of substantial public interest
  • Article 9(2)(h) for the provision of health or social care treatment, or the management of health or social care systems and services
  • Article 9(2)(i) for reasons of public interest in the area of public health
  • Article 9(2)(j) for archiving purposes in the public interest

In addition we rely on processing conditions at Schedule 1 parts 1 and 2 of the Data Protection Act 2018 (DPA2018). These relate to the processing of special category data for:

  • Employment purposes
  • Health or social care purposes
  • Public health
  • Reasons of substantial public interest

Our Policy on Processing Special Category Data provides further information about this processing, and for more detailed information about a particular service, review the relevant service-specific notice from the list above.

Criminal convictions and offences

We process information about staff criminal convictions and offences. The lawful basis we rely to process this data are:

  • Article 6(1)(e) for the performance of our public task. In addition we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a) of the DPA2018.

Our Policy on Processing Special Category Data provides further information about this processing.

How long we keep your personal data

For information about how long we hold your personal data, see our Retention Schedule.

Data may be retained by certain services in an anonymised form for statistical and reporting purposes.

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Data Sharing

In performing the service or function, or for reporting, evaluation, or monitoring purposes, it may be necessary for us to share some of your personal or pseudonymised data with external organisations or internal departments. Depending on the service or function, we may share information with the following types of organisations:

  • Business partners
  • Central Government Departments
  • Commissioned Providers
  • Corporate Suppliers
  • Debt Collection and Tracing Agencies
  • Education Providers
  • Financial Organisations
  • Fire Services
  • Healthcare Providers
  • Housing Associations and Landlords
  • Ombudsmen and Regulatory Authorities
  • Other Local Authorities
  • Police
  • Trade Unions
  • Voluntary and Charitable Organisations

In some circumstances, such as under a court order, we are legally obliged to share information, and we may also share information with the Police and other enforcement agencies for the purposes of the prevention, investigation, detection, or prosecution of criminal offences.

We may also share information internally, in order to verify or confirm your personal details, to ensure our records are accurate and up-to-date. Data held by services will only be used by other internal departments or services when we are satisfied there is a lawful basis for doing so, and that is it fair.

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Do we use any data processors?

Data processors are third parties who provide certain parts of our services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors for our main services are listed below

Data Processor Purpose Notice
Capita One Revenues and Benefits (supplier Capita) The system used to administer Council Tax and Business Rates, and to manage Education Services
Business World (supplier Unit4) The system used to manage HR and payroll 
Care Director (supplier One Advanced) The system used to manage Social Care services
UNI-form  (supplier IDOX) The system used to manage:
• Planning and Building Control services
• Environmental Health
• Trading Standards
• Licensing
• Community Safety services
Bartec Collective (supplier Bartec Municipal Technologies) The system used to manage Waste Collection and Recycling services
NEC Software Solutions The system used to manage Housing services
Balfour Beatty Living Places We have a contract with BBLP to maintain our Highways
Microsoft Internal communications, general correspondence and document production. Includes email, instant messaging, and video conferencing

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Your rights in relation to this processing

As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner’s Office as the relevant supervisory authority. 

For more information on your rights, please see our page on Data Protection

Transfers of personal data

We don’t routinely transfer staff personal data overseas but when this is necessary we ensure that we have appropriate safeguards in place. 

Further Information


We operate CCTV inside our premises to monitor access to certain areas. Further information is available in our CCTV policy.

Additionally, you may be filmed by CCTV which is owned and operated by the landlords or owners of the buildings in which our offices are situated. SCC is not the data controller for this information.


Webchat is available for a number of services on the Southampton City Council website. It allows you to speak to our customer advisors in real time using 'web chat' functionality to provide online support to citizens.

If you engage with our webchat, we may collect:

  • Your name and email address
  • Chat transcripts
  • Completed surveys
  • Automatic information, such as IP address, operating system and type of browser and the geographical location

Data from each 'chat' will be held for six months and may be used when looking into your enquiry and for quality purposes. You may be asked to complete a short survey on completion of your web chat. All answers for the survey are anonymised and will be used for service improvement.

We use a third party service provider, Click4Assistance, to assist us in hosting the webchat platform. You can read their privacy policy on the Click4Assistance website

Emails and communications with the Council

If you send us an email, its contents will be checked before it is released it to the person to whom it was sent. Software will automatically detect unacceptable content, including obscenities and profanities, certain attachment types, viruses, spam (junk emails). If an email that contains unacceptable content is detected, it will not be delivered.

Communications with the Council (including online transactions) may be subject to monitoring and recording only for purposes permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.