Privacy policy

Southampton City Council Privacy Notice

As a Local Authority, Southampton City Council (SCC) must meet its contractual, statutory, and administrative obligations. We are committed to ensuring that the personal data of our residents and service users is handled in accordance with the data protection principles. 

This privacy notice tells you what to expect when SCC collects personal information about you. It applies to all service users. However the information we will process about you will vary depending on your specific involvement with SCC. 

If we are requesting your personal data, it is because it is necessary and relevant to the service or function being performed. As such, if you withhold information, it is likely that we will not be able to perform the service or function, or there will be a delay in doing so. 

SCC is the controller for this information unless this notice specifically states otherwise, and its Data Protection Officer can be contacted at dataprotection@southampton.gov.uk 

This notice should be read in conjunction with our service-specific notices listed below, and when appropriate we will provide a “just in time” notice to cover any additional processing activities not mentioned in this document. 

We keep this privacy notice under regular review and it may be amended from time to time. 


COVID-19

As part of the council’s response to the COVID-19 virus, we will need to share information with other organisations in order to:

  • Verify the identity of individuals as a resident in our area
  • Contact individuals to provide advice or direct care
  • Provide targeted care for clinically extremely vulnerable people outside of shielding
  • Monitor the wellbeing of known people as clinically extremely vulnerable to COVID-19, for a period of time after National Shielding ends
  • Continue to provide ongoing direct care needs to clinically vulnerable persons as a result of the virus
  • Provide Shielding support again immediately in event of local, regional and/or national COVID-19 outbreaks
  • Understand the local resident population identified as clinically extremely vulnerable to COVID-19, to rapidly make direct care offers

The data shared may be obtained from the NHS, Social Care records, Housing Records, Council Tax Records and the Electoral Register, and may include:

  • Names
  • Dates of birth
  • NHS number
  • Addresses and post codes
  • Mobile and landline telephone numbers
  • Email addresses
  • Indication that individuals have a pre-existing medical condition which makes them extremely vulnerable to COVID-19, but no specific information on medical conditions will be shared

NHS Test and Trace

In order to assist the NHS’s Test and Trace service, the Council is maintaining a temporary record of our visitors. This information will be shared with the NHS if needed, in order to help contain clusters and outbreaks during the coronavirus pandemic.

The information we will collect about you is as follows:

  • Your name 
  • A contact telephone number 
  • The date of your visit, arrival time, and departure time 
  • Any staff member that you’ve interacted with

If we do not have this data already on our systems, you will be asked to provide it.

This data will be held for 21 days, at which point it will be securely disposed of and deleted. If you prefer that we didn’t share this data with the NHS, you can opt-out. If you wish to do so, please notify a member of staff during your visit, or contact the Council's Data Protection Officer using the details below.

Please note that whilst providing your information is voluntary, we may refuse entry to buildings and services and carry them out remotely instead if necessary, in order to comply with government guidelines on test and trace and entry to public places and buildings. 

The council relies on the following lawful bases for processing the Shared Personal Data:

  • The processing is necessary for the performance of a legal obligation under Article 6(1)(c) of GDPR
  • The processing is necessary for the performance of a task carried out in the public interest under Article 6(1)(e) of GDPR
  • The processing is necessary for reasons of substantial public interest performance of a task carried out in the public interest under Article 9(2)(g) of GDPR
  • The processing is necessary for reasons of public interest in the area of public health under Article 9(2)(i) of GDPR
  • The processing is necessary under paragraph 6 of Schedule 1 of the Data Protection Act 2018

Service specific privacy notices

In this notice

How do we get your information

We get information about you from the following sources:

  • Directly from you.
  • From third party organisations, such as the NHS, government departments, or the Police
  • CCTV images from our own CCTV systems

What personal data we process and why

The information we process about you will vary depending on the service being provided, but will fall within the following categories:

  • Education and training details
  • Employment details
  • Family, lifestyle and social circumstances
  • Financial details
  • Goods or services provided and related information
  • Personal details issued as an identifier (e.g. NHS Number)
  • Personal details, including any information that identifies the data subject and their personal characteristics

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Information relating to your health and wellbeing and other special category data

In order to meet our statutory and legal obligations in respect of certain services, we may also need to process sensitive, or “special category” personal data about you, which could include data related to:

  • Physical or mental health
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation
  • Racial or ethnic origin
  • Political opinions
  • Biometric or Genetic data
  • Gender status
  • Criminal record and criminal proceedings

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Lawful basis for processing your personal data

Depending on the service, we rely on the following lawful basis for processing your personal data under the GDPR:

  • Article 6(1)(a) where we have your consent
  • Article 6(1)(b) which relates to processing necessary for the performance of a contract.
  • Article 6(1)(c) so we can comply with our legal obligations
  • Article 6(1)(d) in order to protect your vital interests or those of another person.
  • Article 6(1)(e) for the performance of our public task.
  • Article 6(1)(f) for the purposes of our legitimate interest

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Special category data

Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:

  • Article 9(2)(a) where we have your explicit consent
  • Article 9(2)(b) which relates to carrying out our obligations and exercising our rights in employment and the safeguarding of your fundamental rights.
  • Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
  • Article 9(2)(h) for the purposes of preventative or occupational medicine and assessing your working capacity as an employee.
  • Article 9(2)(f) for the establishment, exercise or defence of legal claims.
  • Article 9(2)(g) for reasons of substantial public interest
  • Article 9(2)(h) for the provision of health or social care treatment, or the management of health or social care systems and services
  • Article 9(2)(i) for reasons of public interest in the area of public health
  • Article 9(2)(j) for archiving purposes in the public interest

In addition we rely on processing conditions at Schedule 1 parts 1 and 2 of the Data Protection Act 2018 (DPA2018). These relate to the processing of special category data for:

  • Employment purposes
  • Health or social care purposes
  • Public health
  • Reasons of substantial public interest

Our Policy on Processing Special Category Data provides further information about this processing, and for more detailed information about a particular service, review the relevant service-specific notice from the list above.

Criminal convictions and offences

We process information about staff criminal convictions and offences. The lawful basis we rely to process this data are:

  • Article 6(1)(e) for the performance of our public task. In addition we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a) of the DPA2018.

Our Policy on Processing Special Category Data provides further information about this processing.

How long we keep your personal data

For information about how long we hold your personal data, see our Retention Schedule.

Data may be retained by certain services in an anonymised form for statistical and reporting purposes.

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Data Sharing

In performing the service or function, it may be necessary for us to share some of your personal data with external organisations or internal departments. Depending on the service or function, we may share information with the following types of organisations:

  • Business partners
  • Central Government Departments
  • Commissioned Providers
  • Corporate Suppliers
  • Debt Collection and Tracing Agencies
  • Education Providers
  • Financial Organisations
  • Fire Services
  • Healthcare Providers
  • Housing Associations and Landlords
  • Ombudsmen and Regulatory Authorities
  • Other Local Authorities
  • Police
  • Trade Unions
  • Voluntary and Charitable Organisations

In some circumstances, such as under a court order, we are legally obliged to share information, and we may also share information with the Police and other enforcement agencies for the purposes of the prevention, investigation, detection, or prosecution of criminal offences.

We may also share information internally, in order to verify or confirm your personal details, to ensure our records are accurate and up-to-date. Data held by services will only be used by other internal departments or services when we are satisfied there is a lawful basis for doing so, and that is it fair.

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Do we use any data processors?

Data processors are third parties who provide certain parts of our services for us. We have contracts in place with them and they cannot do anything with your personal information unless we have instructed them to do so. Our current data processors for our main services are listed below

Data Processor Purpose Notice
Capita One Revenues and Benefits (supplier Capita )  The system used to administer Council Tax and Business Rates, and to manage Education Services https://www.capita-one.co.uk/privacy 
Business World (supplier Unit4) The system used to manage HR and payroll  https://info.unit4.com/rs/900-SZD-631/images/Unit4-Privacy-Policy-June-2018-English.pdf 
Paris Health & Care (supplier Civica) The system used to manage Social Care services https://www.civica.com/en-gb/policies-and-statements/privacy-notice/
UNI-form  (supplier IDOX) The system used to manage:
• Planning and Building Control services
• Environmental Health
• Trading Standards
• Licensing
• Community Safety services
https://www.idoxgroup.com/wp-content/uploads/2020/09/Privacy-Statement.pdf
Bartec Collective (supplier Bartec Municipal Technologies) The system used to manage Waste Collection and Recycling services https://www.bartecmunicipal.com/privacy-policy/
Northgate The system used to manage Housing services https://www.northgateps.com/privacy-notice
Balfour Beatty Living Places We have a contract with BBLP to maintain our Highways https://www.balfourbeatty.com/services/privacy/
Microsoft Internal communications, general correspondence and document production. Includes email, instant messaging, and video conferencing https://privacy.microsoft.com/en-gb/privacystatement

For more detailed information about a particular service, review the relevant service-specific notice from the list above.

Your rights in relation to this processing

As an individual you have certain rights regarding our processing of your personal data, including a right to lodge a complaint with the Information Commissioner’s Office as the relevant supervisory authority. 

For more information on your rights, please see our page on Data Protection

Transfers of personal data

We don’t routinely transfer staff personal data overseas but when this is necessary we ensure that we have appropriate safeguards in place. 

Further Information

CCTV

We operate CCTV inside our premises to monitor access to certain areas. Further information is available in our CCTV policy.

Additionally, you may be filmed by CCTV which is owned and operated by the landlords or owners of the buildings in which our offices are situated. SCC is not the data controller for this information.

Webchat

Webchat is available for a number of services on the Southampton City Council website. It allows you to speak to our customer advisors in real time using 'web chat' functionality to provide online support to citizens.

If you engage with our webchat, we may collect:

  • Your name and email address
  • Chat transcripts
  • Completed surveys
  • Automatic information, such as IP address, operating system and type of browser and the geographical location

Data from each 'chat' will be held for six months and may be used when looking into your enquiry and for quality purposes. You may be asked to complete a short survey on completion of your web chat. All answers for the survey are anonymised and will be used for service improvement.

We use a third party service provider, Click4Assistance, to assist us in hosting the webchat platform. You can read their privacy policy on the Click4Assistance website

Chatbot

Our chatbot is available on pages across the Southampton City Council website to provide online support to our customers. It allows you to ask us questions relating to council services and receive a response in real time. Please do not enter any personal data in your conversations with the chatbot.

We use a third party service provider, ICS AI, to assist us in hosting the Chatbot platform. By using our Chatbot, ICS AI will automatically collect the following information from you: IP address, operating system, browser type and geographical location. You can read how ICS AI will use this information in their privacy policy on the ICS.AI website.

The Council will hold the data from each conversation for six months. On completion of your conversation you may be asked to complete a short survey. All answers for the survey are anonymised. Conversations and survey results may be used for quality monitoring and service improvement purposes.

Emails and communications with the Council

If you send us an email, its contents will be checked before it is released it to the person to whom it was sent. Software will automatically detect unacceptable content, including obscenities and profanities, certain attachment types, viruses, spam (junk emails). If an email that contains unacceptable content is detected, it will not be delivered.

Communications with the Council (including online transactions) may be subject to monitoring and recording only for purposes permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.