Data protection and privacy

How the council protects your personal information when you use our services.

UK General Data Protection Regulation

The UK General Data Protection Regulation (UK GDPR) is legislation that sets out how we should manage and protect your personal information and it also provides you with various rights in relation to this information.  This should be read alongside the Data Protection Act 2018.

Information is classed as personal if it could identify you as an individual either directly or by adding information together.

North Lincolnshire Council is committed to protecting your privacy when you use our services and our Council Privacy Notice explains how we do this and how we use your information.

In addition, we have created Privacy Notices for the different teams who use personal data. These provide more information about why we are collecting your personal information and how we use it.

We have also created a Data Protection & Confidentiality Policy [PDF, 369Kb] to explain how we will comply with the UK GDPR.

Data Protection Officer

We have a Data Protection Officer who helps us to look after your personal information and who will answer your questions about how we look after this information. Our Data Protection Officer is Phillipa Thornley. She can be contacted at informationgovernanceteam@northlincs.gov.uk or by calling 01724 296224 and asking for your query to be directed to her.

Further information

We must ensure we abide by the seven principles of the UK GDPR to ensure personal information is:

  • Used in a lawfulness, fair and transparent way
  • Collected for specified, explicit and legitimate purposes and not used in an incompatible way
  • Adequate, relevant and limited to what is necessary
  • Accurate and where necessary kept up to date
  • Kept so that only identifies someone for no longer than is necessary
  • Used in a manner that ensures appropriate security
  • We are also responsible for, and must be able to demonstrate, compliance with these principles.

Demonstrating compliance includes:

  • Adopting and implementing Data Protection policies
  • Taking a ‘Data Protection by Design and Default’ approach
  • Putting written contracts in place with organisations that process personal data on our behalf
  • Maintaining documentation of our processing activities
  • Implementing appropriate security measures
  • Recording and, where necessary, reporting personal data breaches
  • Carrying out Data Protection Impact Assessments for uses of personal data that are likely to result in high risk to individuals’ interests
  • Appointing a Data Protection Officer and
  • Adhering to relevant codes of conduct and signing up to certification schemes.

The UK GDPR provides everyone with a series of rights as shown below. The first rights means we must keep you informed about how we are processing your personal information.  We are doing this by publishing a series of Team Privacy Notices.

An important part of these Privacy Notices is identifying the legal basis for the processing of your personal information.  The legal basis will be one of the conditions set out in Articles 6 of the GDPR and also a condition from Article 9 where special categories of personal data are being processed, as follows:

Article 6

  • Performance of a contract
  • Performance of a task or provision of a service in the public interest
  • To comply with a legal obligation
  • Protection of vital interests
  • Consent
  • Legitimate interests

Article 9

  • Reasons of substantial public interest
  • Preventative or occupational medicine
  • Employment and Social Security
  • Public interest in area of Public Health
  • To establish, exercise or defend legal claims / courts acting in judicial capacity
  • Personal data made public by the Data Subject
  • Protection of vital interests
  • Consent
  • Archiving purposes, scientific or historical research or statistical purposes
  • Legitimate activities in relation to not for profit organisations with a political, philosophical, religious or trade union aim

Adults and Health

Children and Families

Economy and Growth

Human Resources

Legal and Democracy

Waste and Public Protection

Learning, Skills and Culture

Governance, Partnerships and other cross council privacy notices

Public Health

Transport and Streets

Personal data

Personal information – is any information relating to a natural person who can be identified, directly or indirectly, such as by name, an identification number, location data, an online identifier or genetic information.

Special categories of personal data – relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.


Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller and data processor

Data controller – means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.

Data processor – means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

In addition to the right to request access to your personal information by making a Subject Access Request the UK General Data Protection Regulation provides you with a number of other rights, as follows:

You can ask us to change information you think is inaccurate

If you disagree with something written on your file please let us know. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree.

You can ask us to erase information (right to be forgotten)

In some circumstances you can ask for your personal information to be erased (deleted), such as where:

  • your personal information is no longer needed for the reason it was collected
  • you have withdrawn your consent for us to use your information
  • there is no legal reason for the use of your information
  • deleting your information is a legal requirement

Sometimes we will not be able to delete your information, such as where we are required by law to keep it. If your personal information has been shared with others we will do what we can to make sure they also comply with your request for erasure.

You can ask us to restrict what we use your personal information for

You can ask us to restrict using your personal information in some circumstances, such as where:

  • you have told us you think information about you is inaccurate whilst we verify this
  • we have no legal reason to use that information but you have asked us to restrict what we use it for rather than erase it
  • you have objected to us using your personal information, whilst we verify this

Whilst we are restricted from using your information we will not do anything with it other than to store it unless:

  • We have your consent
  • To establish, exercise or defend a legal claim
  • To protect the rights of another person
  • It is for reasons of important public interest.

You have the right to ask us to stop using your personal information for any council service, but if this request is approved this may cause delays or prevent us delivering a service to you.

If your personal information has been shared with others we will do what we can to make sure they are also aware of your request for restriction.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information. Sometimes we will refuse to comply with your request for restriction, such as where we are required by law to use your information.

You can ask us about data portability

You have the right to ask us for your personal information to be given back to you in a structured, commonly used machine readable format so that you can take it to another organisation. This applies only to information you have given us, that we using in an automated way (excluding paper format) and where we are using it either on the basis of consent or for the performance of a contract.

In some cases we do not have to comply with a request for Data Portability, such as where we are using your data for a legal reason.

You can object to us using your personal information

In some circumstances you can object to us using your personal information and you have the absolute right to object to the processing of their personal data if it is for direct marketing purposes.

You can also object if the processing is for:

  • A task carried out in the public interest
  • The exercise of official authority vested in you; or
  • Your legitimate interests (or those of a third party)

Rights in relation to automated decision making and profiling

You also have rights where we are processing you personal information in an automated way without human involvement or where we are carrying out profiling. We identify on our Team Privacy Notices where this type of processing is taking place.

For further information please contact us.

The council’s information is an important and valuable asset. We must take care of this information to ensure we can, for example, provide services to individuals and so that we comply with the law.

Information exists in many forms, including:

  • Hardcopy documents
  • Electronic information
  • Verbal information

We have and Information Security Policy that details how we protect information.

Although every care is taken to protect information, our Information Security Incident and Data Breach Policy explains what we would do if we were to have a breach of security.

For further information please contact us.


If you require assistance with any aspect of Data Protection or the UK General Data Protection Regulation (UK GDPR) please call our Information Governance Team on 01724 296224 or contact one of our Information, Advice and Guidance Centres, where your query will either be answered or passed on to the Data Protection Officer.  Alternatively you can email the Data Protection Officer via informationgovernanceteam@northlincs.gov.uk.

What to do if you are not happy

We aim to comply with the UK GDPR by meeting our organisational responsibilities and by responding to requests promptly and correctly.  However, if you have an issue or would like to make a complaint, please see our Information Complaints page.

When we have investigated if you are still dissatisfied, your route of Appeal is to the Information Commissioner’s Office (ICO) by completing the web contact form, by telephoning on 0303 123 1113 or by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.



01724 296224

Information Governance Advisor
North Lincolnshire Council
Church Square House
30 – 40 High Street
DN15 6NL