Customer feedback service privacy notice

Read our privacy notice for information on how we collect, store and process your data.

The council is the data controller for purposes of the Data Protection Act (2018) and EU General Data Protection Regulation as of May 2018 and is registered as a data controller with the Information Commissioner’s Office (ICO) under registration number Z5840053.

Brighton & Hove City Council are committed to protecting your personal information. As a data controller, we have a responsibility to make sure you know why and how your personal information is being collected in accordance with relevant data protection law.

Why we are processing your data

  • We are collecting your data for the purpose of resolving any complaints you have, answering any enquiries you might wish to raise or recording your compliments.
  • We have a legal basis for collecting this data as we have a legal obligation under Local Government Act 1974 to assist in any investigation conducted by the Local Government & Social Care Ombudsman and because is necessary for the performance of a public task by the Council which is carried out in the public interest.
  • We may need to process special categories of personal data (for example, race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation), where we have identified a special condition applies under data protection legislation and that the processing is necessary. The basis which we rely on is that processing is necessary for one or more of the following reasons: to carry out certain obligations and rights, to establish, exercise or defend a legal claim, processing is in the substantial public interest or necessary to protect the vital interests of the data subject.
  • Your data may be shared with internal departments and external organisations for the purpose of resolving complaints and processing any enquiries you may have to make sure that it delivers its functions as efficiently as possible; this Council may share your information with one of its local authority partners, namely Surrey County Council, East Sussex County Council etc, with whom it operates a shared service arrangement.

How long we will hold your data (retention)

We will hold your data in accordance with our retention schedule and that is:

  • Corporate complaints for 5 years from the date of the last contact
  • Adult social care and children social care indefinitely
  • Compliments for 1 year
  • Comments and enquiries for 1 year

How your data will be stored

  • We use a system (iCasework) provided by a third-party supplier to capture, coordinate and manage your request for information, complaint, enquiry or comments
  • Your information will be stored electronically and on paper records.
  • We will only make them available to those who have a right to see them. Example of the security measures we used are:
    • We use Encryption meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code. The hidden information is said to then be ‘encrypted’.
    • Pseudonymisation meaning that we’ll use a different name so we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours.
    • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
    • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
    • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).

Will my data be transferred abroad?


Your information rights

Under GDPR you have certain rights concerning your information, namely:     

  •  The right to be informed - to be informed regarding why, where and how we use your information
  • The right of access– to request access to the information we hold about you.
  • The right to rectification– to have your information corrected if it is inaccurate or incomplete.
  • The right to erasure or the ‘right to be forgotten’– to ask for your information to be deleted or removed where there is no need for us to continue processing it, except when processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest.
  • The right to restriction of processing– to ask us to restrict the use of your information in certain circumstances.
  • Right to data portability, to ask us to copy or transfer your information from one data controller to another in a safe and secure way, without impacting the quality of the information.
  • The right to object to processing– to object to how your information is used in certain circumstances.   
  • The data subject right not to be subject to a decision based solely on automated processing

Learn more about your rights on our privacy and data webpage.

How to get advice or make a complaint

Data protection contact information 

If you’d like to discuss your data protection rights, you can contact the Data Protection Team. Only use these contact details if you have questions about data protection and not for questions about other services. 

We also have a Data Protection Officer. Visit our data protection officer page to find their contact details. 

Please contact the Data Protection Team first if you have any concerns. 

You can then contact the Information Commissioner’s Office (ICO). The ICO is the national regulator with responsibility for ensuring compliance with data protection.