Data protection

How the Council uses your information

Data Protection legislation says that organisations must make sure that personal information is-

• fairly, lawfully and transparently processed
• collected for specified, explicit and legitimate purposes
• adequate, relevant and limited to what is necessary
• accurate and up to date
• not be kept for longer than necessary
• kept securely

If you have any concerns about how your personal information is being processed by the Council, you should contact the Council's Data Protection Officer in the first instance; email [email protected] or telephone 01738 475444.

If you remain dissatisfied, you can contact the Information Commissioner's Office (opens new window) (ICO); this is an independent authority, which regulates data protection in the UK.

You have rights in relation to the personal information that the Council Holds about you. You can find out more about these on our Personal Information Rights page, including details of your rights in relation to accessing your information.

Data matching

The Council is legally required to protect the public funds it's responsible for. As part of its work protecting these funds, it may share information it holds with other public bodies which are also responsible for auditing or administering public funds. The Council does this in order to prevent and detect fraud.

What is Data Matching?

Data matching involves comparing computer records (usually personal information) held by one body against other computer records, held by a different part of the same body, or those held by another organisation to see how far they match.

Computerised data matching allows potentially fraudulent claims and payments to be identified, but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it may indicate that there is an inconsistency that requires further investigation; until this investigation is carried out, no assumption can be made as to whether there is fraud, error or another explanation.

Data matching exercises can also help bodies ensure that their records are up to date.

Audit Scotland

Audit Scotland appoints the auditor of Perth and Kinross Council's accounts. It is also responsible for carrying out data matching exercises.

Audit Scotland currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. The Council is required to provide particular sets of data to Audit Scotland for matching for each exercise. The datasets which the Council has to provide are laid out in Audit Scotland's National Fraud Initiative.

The use of data by Audit Scotland in a data-matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned.

Data matching by Audit Scotland is subject to a Code of Practice. You can also find this on the National Fraud Initiative web page, along with further information on Audit Scotland's legal powers, and the reasons it matches particular information.

If you have any questions in relation to data matching, you can contact Audit Scotland, or the Council's Data Protection Officer.

Data sharing

Where appropriate, the Council shares personal information with its partner organisations. Where this happens it will be clearly indicated at the point of collection of the information.

The main organisations we share information with are:

• Audit Scotland
• NHS Tayside
• Police Scotland
• DWP
• HMRC
• Social Care providers
• Scottish Government (and its agencies)
• Scottish Children's Reporter's Administration
• The Care Inspectorate
• Mental Welfare Commission
• Office of the Public Guardian
• Registered Social Landlords
• The Convention of Scottish Local Authorities
• Perth College

This page will be updated on an ongoing basis to provide additional details about how and why we share information with these organisations.

Data protection complaints  

If you are concerned about how Perth and Kinross Council has processed your personal information - for example, because you believe that there has been an authorised disclosure of your information, or because you are dissatisfied with our response to a subject access request - you can complain to us about it.

Complaints about how personal information has been handled are dealt with under the Data Protection Complaints Procedure, which is set out below. Complaints about other services, including issues arising from freedom of information requests cannot be considered under this Procedure.

Data Protection Complaints Procedure

A data protection complaint is an expression of dissatisfaction made when an individual considers that personal information has been processed in a way that infringes data protection legislation.

Data protection complaints include dissatisfaction with how the Council has dealt with a request to exercise a data subject right, as set out in the UK General Data Protection Regulation, or because of a data breach.

If someone is concerned about how Perth and Kinross Council has handled their personal information, or the personal information of someone they're acting on behalf of, they have the right to make a data protection complaint.

Data protection complaints are responded to on behalf of the Council by the Council's Data Protection Officer.

The easiest way to make a data protection complaint is to email the Council's Data Protection Officer at [email protected]. Individuals can also write to the Data Protection Officer at the address below:

Data Protection Officer
Information Rights Team
Legal and Governance
Perth and Kinross Council
2 High Street
Perth
PH1 5PH

They can also telephone 01738 475444.

Data protection complaints may be submitted verbally or by email to any Council officer. They may also be made through Perth and Kinross Council social media channels (it will not usually be possible to respond to a data protection complaint by social media). Data protection complaints made in these ways will be passed to the Data Protection Officer for response. Complainants may be asked to provide contact details or clarification of the issue they wish to complain about.

Someone making a data protection complaint may be asked to provide proof of their identity, such as a photograph of their passport, driving licence or an official letter. This is so the Data Protection Officer can make sure that data protection law is complied with when responding to the complaint.

If someone submits a complaint on behalf of someone else, they may be asked to provide a mandate authorising them to do so, proof of their identity and proof of the identity of the person for whom they are acting. This is so the Data Protection Officer can make sure that data protection law is complied with when responding to the complaint.

If you make a data protection complaint and you are a child, we will try to answer you using age-appropriate language that you can understand easily.

If anyone making a data protection complaint lets us know that there may be a risk to them as a result of how the Council is processing their personal information, we will deal with it as a matter of urgency.

The Council will acknowledge data protection complaints as soon as possible. We aim to do this within 5 working days of receiving it and will generally do so in writing. The law says that data protection complaints must be acknowledged within 30 days.

The Council will aim to respond to data protection complaints within 30 days of receiving it. The law doesn't specify a timescale for responding to data protection complaints, only that this should be done without undue delay. If a complaint is complex, or it's likely to take some time to respond to, we will contact the complainant to let know that we are still working to resolve matters.

If a complainant lets us know that they consider their concerns to be urgent, every effort will be made to investigate them quickly.

If a data protection complaint involves how another organisation or company, associated with the Council, may have processed personal data, we will work with them to resolve the issue. This means that it may be necessary to proportionately share personal information with the organisation or company concerned.

Once a data protection complaint has been investigated, we will let the complainant know the outcome as soon as possible. This will usually be done by email or letter. We will let them know of any action we are taking as a result of the complaint and if appropriate we will offer them the opportunity to request us to review our response.

Individuals have the right to complain to the Information Commissioner's Office about how personal data has been processed at any time; they don't need to wait for the outcome of the Council's investigation to do so. They can contact the Information Commissioner's Office via their website - Make a complaint about how an organisation has used your personal information | ICO.