Privacy policy

We have an obligation to explain how we collect and use your personal information. This is known as 'processing'.

This page provides a general explanation of what we do with your data, together with details about how we collect and use data that we are legally obliged to publish.

You can also view more specific information about how certain council services use your data:

Tier 1: What we do with your personal data

Data we process when you use council services

When you use a council service, for example, completing an online permit application or using a library, we will use the information you provide (data) to handle your interactions with the council and to provide the service to you and also to manage that service.

As part of service provision, we will use customer (account) information to contact residents to provide updates about those services and accounts.

We might also analyse the data you provide to ensure that we are delivering the right and best services for you. For example, we might look at the number of people phoning the council to determine how we run and support our customer contact centre.

Why we process it

Generally, we will use the data we collect about you to:

  • deliver services you currently use but also might use in the future (delivery)
  • help our teams to understand how people use our services to make sure they are the best possible services (planning)
  • ensure targets around performance and activity are met (performance)
  • meet legal requirements around the way that services might be delivered (statutory – non-safeguarding)
  • ensure that our residents remain safe and protected from harm (statutory – safeguarding)
  • keep in contact with you about what we do for you (communications)

Data analysis

We will only ever analyse data for the reasons above, except when specific services might use your data in other ways. These services are Children and Young People, Adult Social Care and Human Resources.

When we process your data we might also use different techniques to analyse it. We might combine it with other information you have provided to us or even data about you we have received from other organisations. This will be done under the strictest protections to ensure it is done in a fair, lawful and transparent way and is compatible with the reason we collected it originally. For example, we would not use information collected for public health to market a commercial product to you but we might combine it with social care information to enable us to ensure we are delivering the right services to you.

Tier 2: How we collect and use data

The law requires us to publish a ‘Record of Processing Activity’ along with information that makes sure that the council is clear about what it is doing with the data it holds.

This is a live document and we will update it from time to time if we change the way we collect or use your data.

1 The name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer

Data Controller
Buckinghamshire Council
The Gateway
Gatehouse Road
HP19 8FF

Maria Damigos
Data Protection Officer
Buckinghamshire Council
Walton Street
HP20 1UA

Email: [email protected]

2 Lawful basis and purposes of the processing

The primary lawful basis and purposes for processing personal data is to enable the council to deliver council services. We need to process personal data in the exercise of our public functions and powers (public task), and to perform tasks in the public interest, that are set out in law.

We also have legal obligations and powers to process personal data under the statute. These are listed in our Information Asset Register.

We also need to process your personal information to fulfil our contractual obligations to you.

We can also process your personal data with your express consent.

In exceptional cases, we might also need to process your personal data to protect your own or some else’s vital interests.

3 A description of the categories of data subjects and of the categories of personal data

Generally, the information we hold will be both personal data and special category data. Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. Special category data is information about your race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation.

So, for example, we may need this sort of information in connection with health and social care services that we provide. The council will also hold information relating to ethnicity, disability and religion to comply with Equalities and Health and Safety legislation.

Finally, the council may also hold criminal offence data for safeguarding reasons and law enforcement purposes strictly in compliance with data protection legislation.

4 The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations

We will sometimes need to share information outside of council departments with organisations such as our partners, third-party contractors, government bodies, the police, health and social care organisations, and educational establishments.

We will only share information with these organisations where it is appropriate and legal to do so. We may also share information, for example, if there is a risk of serious harm or threat to life, for the prevention and detection of fraud or crime, assessment of any tax or duty or if we are required to do so by any court or law. Where this is necessary, we are required to comply with all aspects of the Data Protection Legislation.

The council will typically not disclose information to third countries and where an organisation is international in nature, we will have completed a risk assessment of the use of this data. Where possible we will require data being stored with third parties to at least be stored at sites within the EU and always with adequate protections. Where information is disclosed to a third Country, there will be a defined legal basis for this transfer which will be recorded and made available on request.

5 Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards

See section 4.

6 Where possible, the envisaged time limits for erasure of the different categories of data

The council has a list of how long it keeps data for, called a 'retention schedule'. You can request to view this list.

7 Where possible, a general description of the technical and organisational security measures referred to in Article 32(1)

We cannot publish some specific details of the technical security measures we use, as this might provide a means for people to access information maliciously. Generally, we use these technical and organisational protections for the data we hold:

  • encrypted servers
  • firewalls
  • remote backup
  • cloud-based computing including virtual servers
  • password protection
  • annual individual mandatory training
  • policies and procedures around data protection
  • confidentiality statement linked to contractual terms

8 The purposes of the processing for which the personal data are intended as well as the legal basis for the processing

This information is recorded in our Information Asset Register. For further information contact [email protected].

9 Where the processing is based on legitimate interests pursued by us or by a third party

Where we rely upon the legitimate interest’s condition for processing, it will be set out in our Information Asset Register and the associated Data Protection Impact Assessment

  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data

Where the council relies upon a legal obligation for processing personal data or to form a contract with you, this will be set out in our information asset register.

Data rights

Data Protection legislation gives specific data rights to individuals. If you want to enact any one of these rights, you should email the Data Protection Officer.

Data protection rights for individuals
Name of right What this means


You have the right to be informed of the period of time that we will hold your data


You have the right to be informed of the information we hold about you and be informed about how this data is being used


You have the right to notify us of factually incorrect information and where requested, we will attempt to correct this information


You have the right to ask us to delete information about you when we do not have a legal reason to hold this information


You have the right to ask us to restrict what we hold about or to not use that data unless we have a legal basis to do so


Where applicable you have the right to information collected by an online form to be transferred to another organisation

Withdraw Consent

Where you have been asked for consent for using your personal data, you retain the right to withdraw your consent for this


You have the right to complain to the Information Commissioner about how we have handled your personal data

Use of IP addresses and cookies

Cookies enhance your experience using our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work more efficiently, as well as to provide information to the owners of the site.

We use cookies to audit the use of our website and help us to customise the website for your visit. We do not store or transmit any personally identifiable data on these cookies. You can change your cookie setting at any time in the security settings in the browser you use to access the internet. However, rejecting all cookies may impact your enjoyment or use of this website.

An IP address is a unique string of numbers that identifies each computer. We collect IP addresses only for the purposes of system administration and to audit the use of our site. We do not link IP addresses to anything personally identifiable, which means that while your user session will be logged you will remain anonymous to us.

Previous privacy notices from Buckinghamshire district councils