Using Your Personal Data – Our Obligations and Your Rights
We, Comhairle nan Eilean Siar, are registered as a data controller with the Information Commissioner’s Office (registration number Z7313689).
We collect and use personal data relating to individuals for a variety of purposes. That personal data may be held on paper or electronically, and may be in written form or in the form of images, video or audio recordings. As the controller of that personal data, we are committed to:
- being transparent about how we handle personal data
- protecting the privacy and security of personal data
- meeting our obligations under data protection law
The law requires that any personal data which we hold must be:
- processed lawfully, fairly and in a transparent manner
- collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to those purposes
- accurate and, where necessary, kept up to date
- kept in a form which permits your identification for no longer than is necessary for those purposes
- processed in a way that ensures appropriate security of the data
We are responsible for, and must be able to demonstrate compliance with, these principles. This notice informs you of how and why we use your personal data, and what your rights are.
Why We Use Your Personal Data
We generally use personal data so that we can provide public services and carry out our functions as a public authority. We therefore use your personal data because it is necessary for one or more of the following lawful reasons:
- to perform a contract which you have entered into, or intend to enter into, with us or with another organisation
- to comply with our general legal obligations (this includes an obligation to safeguard public funds, so we may use your personal data to help to ensure that all money which is owed to us is paid on time, and we may check your personal data for accuracy in order to detect and prevent fraud)
- to protect your vital interests, or someone else’s vital interests
- to perform a task carried out in the public interest or under our official authority as a local council
The categories of personal data which we hold are:
- Contact details (for contacting you in relation to services which we provide)
- Financial details (for example for administering payment of tax and benefits)
- Educational and training records
- Social care records
- Social work and criminal justice records
- Enquiries and applications (for example for transport, planning or grant-funding)
- Recruitment and employment records
- Trading standards and environmental health records
- Licensing applications
- Consultation responses
The law provides additional safeguards for personal data which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or sex life or sexual orientation. We will only use such personal data (for example for the purposes of occupational health) if you have given your consent or the law otherwise allows us to do so.
We may only use personal data relating to criminal convictions in limited situations where the law specifically allows us to.
How We Obtain and Share Your Personal Data
Often we will obtain personal data directly from you, for example when you ask us to provide a service to you, or if you are a service-provider and wish to enter into a contract with us. In that situation, it is a contractual requirement for you to provide personal data to enable us to provide the service or enter into the contract. You are therefore obliged to provide the personal data, and if you do not then we may not be able to provide the service or enter into the contract. Alternatively, it might be a statutory requirement for you to provide us with personal data (for example in relation to tax or licensing). If you fail to do so, you may lose the benefit of any services which we might otherwise provide to you. It may also result in legal action being taken against you.
It is your responsibility to inform us of any changes to the personal data which you have provided to us so that we can keep it up to date.
We will also frequently obtain personal data from other people and organisations, but will not do so unless we have the right or obligation to do so. Depending on the circumstances, we may obtain personal data about you from people or organisations in the following categories:
- Health and social care, such as the Western Isles Integration Joint Board and NHS Western Isles
- Criminal investigation and law enforcement agencies such as Police Scotland
- Administrative and judicial bodies such as the Scottish Courts and Tribunals Service
- External regulators and licensing authorities such as the Care Inspectorate, Scottish Public Services Ombudsman and the Driver & Vehicle Standards Agency
- Government departments such as the Department for Work and Pensions and Her Majesty’s Revenue and Customs
- The Scottish Government
- Registered social landlords
- Partner organisations involved in the provision of education and related services
- People or organisations acting on your behalf such as advisory services, lawyers and other representatives
- Other people or organisations which hold your personal data such as banks and insurance companies
- General contractors and service-providers
We may share your personal data with people or organisations in any of these categories but will only do so to the extent that it is necessary and for a lawful reason.
We may also share your personal data with other public bodies if we consider that they have a legitimate interest in having it, such as to detect or prevent crime. We will not share your personal data in this way if your interests or your fundamental rights and freedoms prevent it.
We do not usually need to transfer personal data outside the European Economic Area, but if we do, we will ensure that the recipient has appropriate and suitable safeguards in place to protect the personal data.
If we are using your personal data because you have consented to it, you have the right to change your mind and withdraw your consent at any time.
We keep non-personal information such as IP addresses (the location of the computer on the internet), pages accessed and files downloaded. This helps us to determine how many people use our website, how many people visit on a regular basis, and how popular its pages are. This information does not tell us anything about who you are or where you live. It simply allows us to monitor and improve our service.
We will retain your personal data only for as long as is we need it in accordance with our Records Management Plan. This will usually be for 5 years from our last use of the data, but may be for a shorter or longer period depending on the circumstances.
We will not engage in any automated decision-making or profiling in relation to your personal data.
You have the following rights in relation to our use of your personal data:
- To be informed about how we use your personal data and about your rights; this notice provides that information
- To have access to your personal data upon request
- To ask us to rectify any inaccurate or incomplete personal data which we hold about you
- To ask us to erase (delete) any personal data which we hold about you
- To ask us to restrict our use of your personal data if the data which we hold is inaccurate or there is an issue with our use of your personal data
- To object to our use of your personal data in some circumstances
- To receive your personal data in a portable, standard and machine-readable format in some circumstances
- To lodge a complaint with the supervisory authority, the Information Commissioner’s Office, about how we use your personal data or how we deal with any of the matters set out in this notice. Please visit the ICO (Opens in a new window or downloads a file) website for contact details
You also have the right to complain to us using our internal Complaints Process. You do not have to use our internal complaints procedure before complaining to the ICO.
If you wish to exercise any of your rights in relation to us, or have any queries or concerns about our use of your personal data, please contact our Data Protection Officer:
Isle of Lewis HS1 2BW
Any suspected or confirmed security issues should be reported in the first instance to firstname.lastname@example.org. Reported issues will be investigated, tracked, and administratively reviewed to ensure the Comhairle's information assets and/or infrastructure are protected.