Skip to main content
Privacy notices

Information Governance

What we do

The Information Governance Team forms part of the council’s corporate governance function. We’re responsible for ensuring that the council complies with data protection legislation, including the:

  • UK General Data Protection Regulation
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
Why we need your information and how we use it

We collect and use personal information to enable us to carry out our statutory and corporate responsibilities. This includes:

  • processing and responding to data protection requests, such as a subject access request
  • investigating complaints about how personal data has been handled
  • managing and investigating reported data breaches
  • providing advice and guidance in relation to data protection matters
  • maintaining records to demonstrate compliance with legal obligations

We’ll only use your personal information for the purposes it’s collected, or for a compatible purpose in line with data protection legislation.

What is our power to obtain and use personal data?

To comply with statutory duties, we process personal data in accordance with the:

  • UK General Data Protection Regulation
  • Data Protection Act 2018
  • Data (Use and Access) Act 2025
What type of information we collect

The type of personal information we collect will depend on the nature of your interaction with us. This may include:

  • name, address, email address, and contact details
  • details needed to verify your identity
  • information included within your request or complaint
  • correspondence between you and the council
  • records of our investigation or response

In some circumstances, this may include:

  • sensitive (special category) data where it is necessary for resolving your request or complaint
  • information relating to third parties where relevant and lawful

We’ll only collect information that is necessary, relevant and proportionate.

Who we may share your information with

We may share your personal information where necessary and lawful to do so.

Internally:

  • relevant council departments and services involved in responding to your request or complaint
  • Legal Services, Internal Audit or other corporate functions where appropriate

Externally:

  • the Information Commissioner and judicial organisations, where required
  • other public authorities or partner organisations where they hold relevant information
  • law enforcement or regulatory bodies where there is a legal requirement
  • external contractors or service providers acting on behalf of the council (under data processing agreements)

We will ensure that any sharing is lawful, proportionate and secure.

How long we keep your information

In line with our Data Retention Policy, your personal data will be held for 6 years from either the date of response or the ICO’s final decision.

We’ll only keep your personal data for as long as necessary to fulfil the purposes for which it was collected, and to meet legal and regulatory requirements.