Tim Prater's Councillor and Other Privacy Notice
I am a Councillor who has been elected as a:
- Liberal Democrat Councillor to Sandgate and West Folkestone Ward on Folkestone & Hythe District Council;
- Liberal Democrat Councillor to Folkestone Harvey West ward on Folkestone Town Council;
- Liberal Democrat Councillor for Hythe East ward on Hythe Town Council;
- Independent Councillor for Sandgate Village and Chairman on Sandgate Parish Council.
I'm also a fully rounded (far too rounded) human being, Lib Dem activist, a charity trustee, member of various groups and committees and more.
This statement is about how I look after data you give me (like contact information, emails you send etc) in my various capacities. If you are contacting me regarding my day job as Managing Director of Prater Raines, similar but different rules apply, which are on the Prater Raines website.
Still with me? Let's begin.
As a Councillor I may work in several very different capacities in respect of data protection:
As a representative of my ward, assisting constituents. When I work in this way, I am myself a 'data controller'. This means I am responsible for any personal data you entrust to me and must ensure it is processed appropriately and securely.
This notice sets out briefly how I meet responsibilities in relation to the protection of the personal data I may be entrusted with during my term of office as a councillor.
Essentially however, I keep data in a secure way, and maintain a "wall" between information given to me / requests made of me as a Councillor and any other activities. I will not share data given to me as a Councillor with the Liberal Democrats or any other group I represent without your permission to do so in advance. I'll delete any data about you from my records on your request. I am registered with the Information Commissioner's Office (ICO) as a Data Controller, number Z2541083.
What is Personal Data and what is Sensitive Personal Data?
In broad terms Personal Data is information which can be used to directly or indirectly identify a living person. This could include information such as a name, an email address or a reference number that could be used to look up your details in a database.
'Special Category' personal data relates to sensitive information about certain protected characteristics. These include things such as racial or ethnic origin, political, religious or philosophical beliefs, trade union membership, data related to health, genetics or biometrics, or a person's sexual orientation.
What does processing personal data mean?
Processing personal data refers to how data is kept and used including such things as storing, using and sharing data.
In my world, almost everything I do is stored on computer. I retain very few letters / bits of paper, and on receipt generally take an electronic copy of them then shred the original securely. I also have handwriting so bad, it's almost secure in itself, but I don't retain any handwritten notes. Electronic copies of letters etc are held in secure online storage with 2FA that only I can access, and kept only as long as required to deal with the contact itself. Most of the rest of my communication is by email, and the security and retention of that email is discussed below. Casework correspondence and contact details given in relation to it are not entered into casework management systems or any other databases.
How your data is obtained and how it is used:
As a ward councillor I will have to process your personal data when you contact me to request assistance with a particular matter. This personal data will only be used as far as is needed in order to resolve your complaint or enquiry.
If your personal data is provided to me by a third party, I will seek your consent before processing the data further, unless in the circumstances:
- you are unable to provide consent,
- there is no reasonable way to obtain your consent,
- obtaining consent would prejudice the action to be taken,
- processing is necessary in the interests of another individual, and your consent has been unreasonably withheld.
I may have to share your information with Council officers, other ward Councillors, or other agencies in order to bring your matter to a successful conclusion.
I may need to retain some or all of your personal data for a reasonable period in order to allow me to more effectively assist you on the relevant matter. As soon as your matter is fully resolved I will take steps to minimise the personal data I hold about you, unless there is an agreement with you to continue to hold your data.
The types of data collected will usually include your name, address, contact details and any other details that are specific to your request and its resolution.
The legal basis for processing your data:
In order to process your personal data, I must have a valid 'legal basis' that allows me to do so. When working as your ward representative there are several different legal conditions that may be relied upon as appropriate:
Consent: if you have approached me to ask me to resolve a problem on your behalf and you have given me your data, it is understood that you are consenting to me having and processing your data for that specific purpose. If in order to resolve your enquiry I must process sensitive personal data (as described above), I must notify you to request your explicit consent where appropriate.
Legitimate interests: this broadly allows me to process your personal data in line with your reasonable expectations. This is what allows me to take a wide range of actions in resolving queries or complaints in your interest without having to ask for your permission at each individual step.
Public task: while Councillors are not public authorities under data protection law, we may still rely on this condition when we are processing your data in the public interest for a task that is specified in law. This could include situations where safeguarding is a concern, or an issue has been identified that could impact the wider public. This could include circumstances where it is felt a matter needs to be reported to the Police.
Who your data will be shared with:
In order to properly deal with your enquiry or complaint, it may be necessary to share some or all of the personal data you have provided me with. Any organisation your data is shared with is also bound by data protection law and must also process and secure it appropriately.
When dealing with constituent queries, I may make use of a secured email address provided by the Council (this can clearly be identified by the @folkestone-hythe.gov.uk or @hythe-tc.gov.uk or @folkestone-tc.gov.uk domain name - Sandgate Parish Council does not currently provide addresses for these purposes).
Emails sent to and from this address will be retained by the Council's archive for security reasons and held in accordance with their retention policy.
I also use my personal email address email@example.com for such correspondence. This is a secure email account, used and accessible only by me, and only accessed on password / fingerprint protected and encrypted devices. This means that even if I lose that device (please, no) then all data on it should remain inaccessible.
When dealing with your complaints or enquiries, I may need to disclose details of your personal data to Council officers or their agents, or other external public agencies, i.e. KCC, the NHS, the police, etc. Where I need to do so, I'll ordinarily ask you for your permission before doing so.
I may need to share some of your personal data with other Councillors in order to seek assistance with the resolution of your complaint. This could include situations such as briefing other ward councillors about a local issue. If I'm sharing personally identifiable information, I'll ask you for your permission before doing so.
How long your data will be retained for:
I will hold your data until your enquiry or matter is resolved. I also hold archive emails and backups for up to a year in order to be able to refer back to a contact to assist if a similar issue comes up in future.
However, if you do not wish me to further pursue any matter you have raised with me you can withdraw your consent for me to hold your data at any point by sending me a written or email request. I would also delete any copies of emails to and from you from my email archive.
I will notify any third parties your data may have been shared with to inform them the consent to process that data has been withdrawn. However in some cases the various 3rd parties may still have a different legal basis for holding that data (for example data that may have been shared with the police where a crime may be involved).
Your data protection rights:
You have a number of rights that can be used to manage how, by whom and why your personal data can be processed. The most relevant of these rights include:
- You can ask for copies of some or all the information I may hold about you;
- You can ask me to rectify any information you think is inaccurate or incomplete;
- You can ask me to delete information I may hold about you under certain circumstances;
- You can ask me to stop processing or using your information.
You can make these requests verbally or in writing but the easiest way to do this is to send me an email to firstname.lastname@example.org setting out your request.
Where can I get more information?
Lots of guidance is available about data protection law, and the notice I have set out above is an indication of what you can expect from me in terms of managing your data.
You can get more information about data protection and your rights from the Information Commissioner's website at www.ico.org.uk
Complaints about your personal data:
Should you be unhappy with the way I have processed your personal data, you may contact me directly to issue a grievance. I will then attempt to resolve the issue and correct any outstanding issues.
If you feel the matter you are unhappy about violates the Councillor's Code of Conduct and would like for the matter to be reviewed locally by an independent person, you may contact Folkestone & Hythe District Council's monitoring officer:
If there is an unauthorised disclosure of the data I control (a data breach), and I feel this represents a risk to your rights or freedoms, I will self-report this incident to the Information Commissioner's Office within 72 hours of becoming aware of the incident.
If I am unable to resolve your complaint to your satisfaction, you may also make a complaint directly to the Information Commissioner's Office, the supervisory authority for data protection in the UK: