Register of Processing Activities under Article 30(1) of the GDPR and clause 61 of the Data Protection Act 2018

As a local authority we process a wide range of personal information to enable us to provide a range of local government and statutory services to local people and businesses within Bury Council. A requirement of the Data Protection Legislation is that we can account for all our processing of personal data and that members of the public who use our services are clear about what happens to the personal data that we process. The Records of Processing Activities Register below provides information about the areas in which we process personal data and provides a link through to another web page where privacy notices are published to show exactly what is happening with your personal data in these areas.

Bury Council's Register of Processing Activities under Article 30(1) of the GDPR and clause 61 of the Data Protection Act 2018

Full address: Bury Council, Town Hall, Knowsley Street, Bury, BL9 0SW.

Telephone: 0161 253 5000

Data Protection Officer details: Janet Witkowski, Bury Legal Services, Town Hall, Knowsley Street, Bury, BL9 0SW.

Purpose for the processing

We process personal information to enable us to provide a range of local government and statutory services to local people and businesses which include:

  • Maintaining our own accounts and records
  • Supporting and managing our employees
  • Promoting the services we provide
  • Marketing our local tourism
  • Carrying out health and public awareness campaigns
  • Managing our property
  • Providing leisure and cultural services
  • Provision of education
  • Carrying out surveys
  • Administering the assessment and collection of taxes and other revenue including benefits and grants
  • Licensing and regulatory activities
  • Local fraud initiatives
  • The provision of social services
  • Crime prevention and prosecution of offenders including the use of CCTV
  • Corporate administration and all activities we are required to carry out as a data controller and public authority
  • Undertaking research
  • The provision of all commercial services including the administration and enforcement of parking regulations and restrictions
  • The provision of all non-commercial activities including refuse collections from residential properties
  • Internal financial support and corporate functions
  • Managing archived records for historical and research reasons
  • Data matching under local and national fraud initiatives
  • Debt administration and factoring
  • Management of voluntary and statutory offending management programmes for young people
  • The use of CCTV systems for public safety, protection of life and property and traffic management
  • Protection of life and property
  • Management of information technology systems
  • Public health
  • Prevention and control of disease within the community
  • Occupational health and welfare
  • Produce and distribute printed material
  • Management of public relations, journalism, advertising and media
  • Sending promotional communications about the services we provide
  • Enable us to buy, sell, promote and advertise our products and services
  • Any duty or responsibility of the local authority arising from common or statute law.

We process personal information about:

  • Customers and service users
  • Suppliers
  • Staff (inc volunteers, agents, temp and casual)
  • Elected members or supporters
  • Claimants
  • Complainants, enquirers or their representatives
  • Professional advisers and consultants
  • Students and pupils
  • Carers or representatives
  • Landlords
  • Recipients of benefits
  • Witnesses
  • Offenders and suspected offenders
  • Licence and permit holders
  • Traders and others subject to inspection
  • People captured by CCTV images
  • Representatives of other organisations

We process information relevant to the above reasons/purposes which may include:

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Goods and services
  • Financial details
  • Employment and education details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • Licences or permits held
  • Student and pupil records
  • Business activities
  • Case file information
  • Births and deaths data

We also process sensitive classes of information ("Special Category Data") that may include:

  • Physical or mental health details
  • Racial or ethnic origin
  • Trade union membership
  • Political affiliation
  • Political opinions
  • Offences (including alleged offences)
  • Religious or other beliefs of a similar nature
  • Criminal proceedings, outcomes and sentences
  • Biometric data
  • Genetic data

Where allowed by law, necessary, or required by law we may share information with:

  • Customers / service users
  • Family, associates or representatives of the person whose personal data we are processing
  • Current, past and prospective employers
  • Healthcare, social and welfare organisations
  • Educators and examining bodies
  • Providers of goods and services
  • Financial organisations
  • Debt collection and tracing agencies
  • Private investigators
  • Service providers
  • Local and central government
  • Ombudsman and regulatory authorities
  • Press and the media
  • Professional advisers and consultants
  • Courts and tribunals
  • Trade unions
  • Political organisations
  • Professional advisers
  • Credit reference agencies
  • Professional bodies
  • Survey and research organisations
  • Police forces
  • Housing associations and landlords
  • Voluntary and charitable organisations
  • Religious organisations
  • Students and pupils including their relatives, guardians, carers or representatives
  • Data processors
  • Other police forces, non-home office police forces
  • Regulatory bodies
  • Courts, prisons
  • Customs and excise
  • International law enforcement agencies and bodies
  • Security companies
  • Partner agencies, approved organisations and individuals working with the police
  • Licensing authorities
  • Healthcare professionals
  • Current, past and prospective employers and examining bodies
  • Law enforcement and prosecuting authorities
  • Legal representatives, defence solicitors
  • Police complaints authority
  • The disclosure and barring service

The transfer of personal data will take place when technical and organisational security measures have been put in place via a contract; or with the consent of the data subject; or where required by law.

Sharing of personal data

In undertaking its services, Bury Council shares personal data with and receives personal data from a number of third parties including Members of Parliament, local Councillors, partner organisations and other outside bodies. This is undertaken in accordance with the Data Protection Act 2018 and GDPR, with the necessary data protection impact assessments (DPIA) for high-risk data sharing, privacy notices setting out the lawful basis for such sharing and appropriately worded contracts and agreements in place to regulate the process.

Bury Council has undertaken and regularly undertakes a review of all initiatives that involve working in partnership where data sharing is taking place.

Lawful basis for the processing

Please refer to the relevant privacy notice for further information on the purpose, lawful basis and retention periods. These can be found at: Bury Council corporate privacy notice or Service specific privacy notices.

The Council takes organisational security seriously and has measures in place including, but not limited to, the following:

  • Staff training
  • Organisational Policies
  • Technical Controls
  • User access controls
  • Security at rest
  • Security in transit
  • Pseudonymisation
  • Anonymisation
  • Business Continuity and resilience planning including backups
  • Robust security updates including timely patching and anti-virus software
  • Physical security e.g. restricted room access, etc.
  • Independent vulnerability testing
  • Data Protection Impact Assessments
  • Contractual controls
  • Data minimisation
  • Retention management
  • Supplier Accreditation checks

In accordance with Article 30(2) of the GDPR, Bury Council contracts will require a data processor to keep a record of the above when it is processing data on behalf of Bury Council, unless it is exempt from doing so, such as where:

  • it is an enterprise or an organisation employing fewer than 250 people; and
  • it isn't processing data that is likely to result in a risk to the rights and freedoms of data subjects;
  • the processing is occasional; or
  • the processing does not include special categories of data or personal data relating to criminal convictions and offences.

Internal processing activities

Bury Council has undertaken a full review of all systems that process personal data to ensure that all processing has been accounted for. These will include both manual and electronic systems, which will comply with the Council's security requirements, have their risks assessed through a DPIA, and be referred to as required in the relevant privacy notices.