Business Operations Financial Teams Service Privacy Notice

Read our privacy notice for information on how we collect, store and process your data.

We are committed to protecting your personal information.

The council is the data controller for purposes of the Data Protection Act (2018), and The General Data Protection Regulation (EU) 2016/679 ("GDPR"), and is also registered as a data controller with the Information Commissioner’s Office (ICO).

As a data controller, we have a responsibility to make sure you know why and how your personal information is being collected. This is according to relevant data protection law.

The primary laws which govern how Brighton & Hove City Council collects and uses your personal information (known as “Data”) are:

The Business Operations Financial Teams provide a range of services to the council and external customers. We are also subject to other specific laws which define when and for what purposes we can use your personal data to carry out effective financial management.

Why we’re collecting your data

We are collecting your data for the purpose of making payments to you and receiving payments from you. The information collected from you will vary depending on the nature of the service. Our processing activity may include:

  • processing BACS payments, direct debits and purchasing card transactions
  • raising invoices for chargeable services provided by the council
  • collecting outstanding debts for the council and on behalf of third parties who have contracted a service from us
  • paying invoices from suppliers for goods or services received by the council
  • processing payments for looked after children, adoption and other carer allowances
  • administering payments for social care placements
  • managing the financial affairs of vulnerable adult service users
  • billing for care services received in relation to the assessed contribution
  • fraud prevention and detection, including the National Fraud Initiative

Making Payments to the Council

We collect personal information to process statutory payments such as Council Tax or Business Rates, to collect payment for services we have provided to you and to recover overpayments. Depending on the type of payment, your information may be collected in one of the following ways:

  • card payments made online using the Payments page of the council website.
  • PayPal transactions through the Payments page of the council website.
  • over the telephone by using the Automated Payment Line or by speaking to a council officer.
  • by completing a Direct Debit Mandate or setting up a Standing Order.
  • paying by BACS or Faster Payments.
  • paying by PayPoint.

Receiving Payments from the Council

It is necessary for the council to collect your personal information to set up a creditor account to make payment to you if you have supplied us with goods or services or we need to pay you to fulfil a statutory duty. If you have overpaid us, your bank account details will be needed for us to refund you.

Our Legal Basis for collecting your Data

Section 151 of the Local Government Act 1972 requires local authorities to make arrangements for the proper administration of their financial affairs. We have a lawful basis for processing information where it is necessary to comply with a legal obligation or the performance of a contract or to perform our official duties and public tasks. This is in accordance with Articles 6(1)(b), 6(1)(c) and 6(1)(e) of the General Data Protection Regulation.

What Data We Collect From You

The type of personal information collected from you is as follows:

Personal Data

  • contact details, including name, address, email address, telephone number
  • date of birth
  • proof of identity
  • National Insurance numbers
  • bank account details for the purposes of receiving or making payments

Special Category Data

We do not collect Special Category Data but we may hold information about health and care needs so we can process care payments and bill for care services.

Who we share your data with

We share information with a range of organisations depending on the service being provided and the statutory requirements we have to comply with. We only share information where it is necessary and appropriate to do so and we ensure it is used safely and securely. Your data may be shared with: 

  • other council departments, other councils and local government organisations;
  • other central government organisations and statutory bodies, such as the Department for Work and Pensions, HM Revenue and Customs, HM Courts and Tribunals Service, the Cabinet Office and the Office for National Statistics;
  • ombudsman and regulatory authorities;
  • third parties commissioned by the council or customers to process data or provide goods and services, including contractors, enforcement agents and IT software providers;
  • Lloyds and other banks;
  • debt collection and tracing agencies;
  • the Insolvency Service and Insolvency Practitioners;
  • law enforcement and fraud prevention agencies, such as Sussex Police and prosecuting authorities;
  • Brighton & Hove Clinical Commissioning Group;
  • health, social care and welfare organisations;
  • internal and external auditors;
  • The Council operates shared services with Surrey County Council and East Sussex County Council. We may share your information with one of these partners if necessary to provide these services.

If you have given us your written permission, your information may be shared with:

  • a named friend or family member
  • a support worker or other individual authorised by you or by the law to act on your behalf, such as a charity sector representative or power of attorney

There are other specific situations where we may be required to disclose information about you, such as:

  • where we are required to provide the information by law
  • where disclosing the information is required to prevent or detect a crime, including fraud
  • where disclosure is in the vital interests of the person concerned

How Long We Will Keep Your Data

We will not keep your data for longer than is necessary, subject to any legal obligations we have to retain the data. These will vary according to the services you are involved with and the lawful basis for processing within those services. Your information will be held in accordance with the Council’s corporate retention schedule.

How we store your data

Your information will be stored on electronic databases, document management systems and on paper records.

How We Protect Your Data and Keep it Secure

We will only make your information available to those who have a need to know in order to perform their Council role. Some examples of the security measures we use include:

  • training for our staff, making them aware of how to handle information securely, and how and when to report when something goes wrong.
  • we can use encryption when data is being sent, meaning we scramble information so other people cannot read it without access to an unlock key.
  • where possible we will pseudonymise your data. This means we will remove your identity so the people working with your data will not know your identity.
  • controlling access to systems and networks, which allows us to stop people who are not allowed to view your personal information from getting access to it.
  • regular testing of our technology and ways of working, including keeping up to date on the latest security updates (called patches).

Transferring Data outside the European Economic Area

Your information is not processed outside of the European Economic Area.

Your Rights

Check your rights in relation to your personal information.

How to get advice or make a complaint

Data protection contact information 

If you’d like to discuss your data protection rights, you can contact the Data Protection Team. Only use these contact details if you have questions about data protection and not for questions about other services. 

We also have a Data Protection Officer. Visit our data protection officer page to find their contact details. 

Please contact the Data Protection Team first if you have any concerns. 

You can then contact the Information Commissioner’s Office (ICO). The ICO is the national regulator with responsibility for ensuring compliance with data protection.