Record Of Processing Activity
Record of Processing Activity
This page provides a summary of personal data processing activities undertaken by MDDC. It complies with Article 30 of the UK GDPR by providing:
- The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
- The purpose of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organisational security measures referred to in Article 32(1) [or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act].
The Purpose of Processing
The following is a broad description of the way MDDC process personal data.
Purposes for processing personal data:
MDDC process personal data to enable us to provide a range of government services to local people and business, which include:
- Organising local and national elections
- Compiling and maintaining the Register of Electors
- Homeless strategy and homelessness prevention
- Housing Advice
- Housing registers, including the self-build register
- Housing benefits
- Environmental health
- Council Tax and Non-Domestic Rates collection
- Waste collection and recycling
- Street cleansing
- Food safety, food export certificates and water sampling
- Food Hygiene rating scheme
- Health and Safety
- Building Control
- Licensing of taxis, gambling premises, alcohol and entertainment licencing, temporary events, animal activities, skin piercing and scrap metal dealers.
- Local plans and development management
- Issuing Tree Preservation Orders (TPOs)
- Council-owned car parks
- Planning enforcement
- Promoting economic development
- Providing some grants to voluntary organisations
- Maintaining some parks and gardens
- Looking after council-owned parks and open spaces
- Operating markets
- Some public toilets (some are owned by the local parish or town council)
The processing for the above functions is carried out by MDDC services.
Types and Classes of Data Processed
MDDC process information relevant to the above reasons/purposes which may include:
- Business activities
- Case file information
- Employment and education details
- Family details
- Financial details
- Goods and services
- Housing needs
- Licences or permits held
- Lifestyle and social circumstances
- Personal details
- Student and pupil records
- Visual images, personal appearance, and behaviour
MDDC also process 'special categories' of information, that may include:
- Criminal proceedings, outcomes and sentences
- Genetic/biometric data
- Offences (including alleged offences)
- Physical or mental health details
- Political affiliation/opinions
- Racial or ethnic origin
- Religious or other beliefs of a similar nature
- Trade union membership
Whose data is processed.
MDDC process personal information about:
- Adults living in the District/Borough
- Business owners
- Carers or representatives
- Children living in the District/Borough
- Complainants, enquirers or their representatives
- Licence and permit holders
- Offenders and suspected offenders
- Payers of Council Tax and/or Business Rates
- People captured by CCTV images
- Professional advisors and consultants
- Receivers of Council Services
- Recipients of benefits
- Representatives of other organisations
- Staff, persons contracted to provide a service
- Students and pupils
- Traders and others subject to inspection
Who data may be shared with
MDDC sometimes need to share information with the individuals MDDC process information about, as well as other organisations. Where this is necessary, MDDC are required to comply with all aspects of data protection legislations.
The types of organisations MDDC may need to share some of the personal data we process, for one or more reasons.
In certain circumstances, where necessary or required by law, MDDC may share information with:
- Courts, prisons
- Credit reference agencies
- Current, past and prospective employers and examining bodies
- Customs and excise
- Data processors
- Debt collection and tracing agencies
- Educators and examining bodies
- Family, associates or representatives of the person whose personal data we are processing
- Financial organisations
- Healthcare professionals
- Healthcare, social and welfare organisations
- Housing associations and landlords
- Housing and tenants' associations
- International law enforcement agencies and bodies
- Law enforcement and prosecuting authorities
- Legal representatives, defence solicitors
- Licensing authorities
- Local and central government
- Ombudsman and regulatory authorities
- Partner agencies, approved organisations and individuals working with the Police.
- Police complaints authority
- Police forces
- Other Police forces, non-home office Police forces
- Political organisations
- Press and the media
- Private investigators
- Professional advisors and consultants
- Professional bodies
- Providers of goods and services
- Regulatory bodies
- Religious organisations
- Security companies
- Service providers
- Students and pupils including their relatives, guardians, carers or representatives,
- Survey and research organisations
- The disclosure and barring service
- Trade unions
- Voluntary and charitable organisations
In rare circumstances, it may be necessary to transfer personal data overseas. Any transfers made will be in full compliance with the data protection legislations.
The majority of personal information is stored on MDDC's own servers in MDDC's own secure premises. There are some occasions when your information may leave the UK in order to get to another organisation, or, if it is stored in a system that uses servers elsewhere.
MDDC have additional protections on this data, ranging from secure ways of transferring data, undertaking risk assessments on systems being used to ensuring MDDC have a robust contract in place with the third party.
MDDC will take all practical steps to make sure your personal data is not sent to a country that is not seen as "safe" either by the UK or EU Governments.
How long does MDDC keep your personal data?
MDDC has a published retention schedule for all data, that is governed by Government guidelines or legislation. Any data that is not within the guidelines is deleted.
Technical and organisational security measures
MDDC has a robust set of security controls in place to protect the records we hold about you (on paper and electronically). MDDC meets the stringent Public Sector Network (PSN) Security controls, and strict Payment Card Industry Data Security Standards (PCI-DSS). MDDC builds to Cyber Essentials standards and complies with NHS Digital's Data Security and Protection Toolkit (DSPT) standards.
Access to your records is only available to those who have a right to see them. Examples of further security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This type of technology is applied to a number of our systems including our email system.
- Access Controls, controlling access to systems and networks using multi-factor authentication, allows us to stop people who are not allowed to view your personal information from getting access to it.
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates (patches).