Data Protection Policy
These pages describe how Glasgow City Council and its associated Arms' Length External Organisations will process personal information under the new data protection laws that came into force on 25 May 2018.
This page was last updated on 2 April 2020.
Who are we?
Glasgow City Council is a local authority established under the Local Government etc. (Scotland) Act 1994. Our head office is located at City Chambers, George Square, Glasgow G2 1DU, United Kingdom.
Glasgow City Council is registered with the Information Commissioner's Office under registration number Z4871657.
We have also established a number of Arms Length External Organisations - called ALEOs. Most of these ALEOs carry out functions on behalf of the council which were previously carried out in-house by our departments. Most ALEOs are wholly-owned by us; a small number are owned jointly with other public bodies, and some of them have charitable status. A number of our ALEOs are comprised of more than one legal entity such as trading subsidiaries.
You can find a full list of all our current ALEOs on our website. The council and our ALEOs are collectively referred to in this privacy statement as 'the council family'.
The council's Data Protection Officer is also the Data Protection Officer for each of our ALEOs.
Why do we need your personal information and what do we do with it?
We need you to give us your personal information in order to allow us to provide services to you as the local authority for the city of Glasgow, This can be either directly or through the activities of our ALEOs. We also use your information to verify your identity where required, contact you by post, email or telephone and to maintain our records. Also, in the event of an emergency or civil incident, it may be necessary to collect your personal information to assist you, or protect you or others from harm.
For a number of areas of activity, we also receive information from third parties. In the main this is from other public authorities, such as the police and court service, HM Revenues and Customs and the Department for Work and Pensions. However, it could also be from other local authorities and from members of the public. Details of how this information is passed between us all is given in the specific privacy statements relating to functions where we routinely receive personal information from third parties.
Where possible, new IT systems and the development of existing IT systems will make use of system generated or anonymised data in test environments. However, there may be circumstances in which test environments, their users and their developers appointed by Glasgow City Council, such as CGI, may be required to utilise your personal data in a test environment. In such circumstances, Glasgow City Council require that development and test activity comply with data protection legislation, taking reasonable steps to protect your personal data.
What is our legal basis for using your information?
We provide these services to you as part of our statutory function as your local authority. You can find more details of our role and the many statutory functions we are responsible for by clicking on here.
The precise legal basis for us using your personal information will vary depending on which service we are providing to you. However, in most cases this will be because it is necessary for us to use your personal information to perform a task carried out in the public interest by us. If we are using your personal information on a different basis to this, this will be explained in the specific privacy statements relating to those functions.
If we are using your information because:
- it is required for us to have a contract with you
- or you have consented to give it
then if you do not provide us with the information we have asked for, we will not be able to provide that service to you.
For some activities, we also need to process more sensitive personal information about you for reasons of substantial public interest as set out in the Data Protection Act 2018. It is necessary for us to process this more sensitive information for a number of reasons, these include:
- to carry out key functions as set out in law
- in order to meet our legal obligations in relation to employment, social security and social protection law
- in order to protect your vital interests or the vital interests of others in circumstances where we will not be able to seek your consent
- where this is necessary for the establishment, exercise or defence of legal claims
- for purposes of the provision of social care and the management of health and social care systems and services where this is necessary in the public interest in the area of public health
- for archiving, research and statistical purposes.
Who do we share your information with?
We are legally obliged to safeguard public funds so we are required to verify and check your details internally and across the council family to prevent fraud - and we may share this information with other public bodies for the same purpose. In the event of an emergency or civil incident we may share your information with other organisations in order to provide services to you.
We are also legally obliged to share certain data with other public bodies, such as HMRC and will do so where the law requires this. In general, we will also comply with requests for specific information from other regulatory and law enforcement bodies where this is necessary and appropriate.
We will not sell your personal data to any third parties.
In order to provide services to you, we may need to appoint other organisations to carry out some activities on our behalf. These may include, for example, payment processing organisations, delivery organisations, mailing houses and contractors or consultants providing services to the council family (or directly to service users) where we need to provide them with personal information to allow them to provide these services. We select these organisations carefully and put measures in place to make sure that they are not allowed to do anything with your personal information which the council and our ALEOs could not do themselves.
Information is also shared across the council family.
Almost all council data is held within the UK. Any overseas data transfers require additional internal approvals and we only send data overseas where we have been able to put in place measures to make sure that your personal information is as safe and respected in the overseas country, or countries in question, as it is in the UK. If we need to transfer your personal information overseas in relation to a particular activity, this will be explained in the specific privacy statements relating to that function along with a description of the protective measures we have put in place to keep it secure.
How long do we keep your information for?
We only keep your personal information for the minimum amount of time necessary. Sometimes this time period is set out in the law, but in most cases it is based on our business need. We maintain a records retention and disposal schedule which sets out how long we hold different types of information for.
You can view this on our website or you can request a hard copy from the contact address stated above.
What are your rights under data protection law?
Access to your information
You have the right to request a copy of the personal information that we hold about you.
Correcting your information
We want to make sure that your personal information is accurate, complete and up to date. Therefore you may ask us to correct any personal information about you that you believe does not meet these standards.
Deleting your information
You have the right to ask us to delete personal information about you where:
- you think that we no longer need to hold the information for the purposes for which it was originally obtained
- we are using that information with your consent and you have withdrawn your consent - see the 'withdrawing consent to using your information' section below. Please note that in general we do not rely on consent as the legal basis for processing your personal information
- you have a genuine objection to our use of your personal information - see 'objecting to how we may use your information' below
- our use of your personal information is contrary to law or our other legal obligations.
Objecting to how we may use your information
You have the right at any time to tell us to stop using your personal information for direct marketing purposes.
Restricting how we may use your information
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information that we hold about you or we are assessing the objection you have made to our use of your information.
This right might also apply if we no longer have a basis for using your personal information - but you don't want us to delete the data. Where this right is realistically applied will mean that we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent to use your information
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
Please contact us as stated above if you wish to carry out any of these rights.
What information do we hold about other people?
Most of the personal information we hold relates to people we are providing services to. However, we also hold information about other people as well, where this is necessary for us to carry out particular functions.
In some cases we will contact these other people directly to inform them:
- that we have been provided with information about them
- to also tell them about their rights under data protection law
- to advise them about the terms of this privacy statement.
However, in many cases this is impractical.
The details of what we do with this sort of information and why we hold it is provided in the specific privacy statements relating to functions where we routinely hold information about people who are not our service users.
What are our profiling or automated decision-making processes?
We make some use of automated decision-making processes but very little use of profiling. Where these techniques are used, this will be explained in the specific privacy statements relating to those functions, together with a description of the reason involved in any automated decision-making.
Emergency Response Management
In the event of an emergency or civil incident we may use data matching to help the Council identify people who need additional support, or if an incident affects Glasgow City Council, we may also need to share information with partner organisations in order to respond to it.
What do you do if you have a complaint?
We aim to directly resolve all complaints about how we handle personal information. If your complaint is about how we have handled your personal information, you can contact the Council's Data Protection Officer by Email or by phone on 0141 287 1055.
However, you also have the right to lodge a complaint about data protection matters with the Information Commissioner's Office, who can be contacted by post at:
Information Commissioner's Office
Cheshire SK9 5AF
By phone on 0303 123 1113 (local rate) or 01625 545 745 or visit their: website
Please note if your complaint is not about a data protection matter or concerns the handling of personal information please contact us using the complaints procedures in place.
More information and area-specific privacy statements
For more details on how we process your personal information please click on any of the links below.
- Equalities Monitoring Privacy Statement
- Managing Employment Relationship between GCC and an Employee Privacy Statement
- Research Privacy Statement
- Information sharing across the council family
- Policy Statement: How we safeguard sensitive 'special category' personal data
- Glasgow City Council statement on GDPR compliance