UK Community Renewal Fund privacy notice - North Lanarkshire Council

Introduction and our commitment to privacy

This is North Lanarkshire Council’s privacy notice in respect of the UK Community Renewal Fund.

We are committed to protecting the privacy and confidentiality of personal information that we hold. This privacy notice will tell you what we do with your personal information, how we look after it and what rights you have in respect of your personal information.

We regularly review this privacy notice and it was most recently updated on 26 April 2021.

Controller

We are a controller and responsible for the personal information we process in connection with the UK Community Renewal Fund. It is important that you read this privacy notice together with our general privacy notice which contains further information about our data processing. This privacy notice supplements our general privacy notice and is not intended to override it.

North Lanarkshire Council is one of many ‘Lead Authorities’ for the UK Community Renewal Fund. We will share some personal information with the UK Government’s Ministry of Housing, Communities and Local Government (MHCLG), the government body responsible for the UK Community Renewal Fund. MHCLG will be a joint controller with us. View MHCLG’s privacy notice.

Data Protection Officer

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please email dataprotection@northlan.gov.uk or write to us at:

Data Protection Officer
North Lanarkshire Council
Civic Centre
Windmillhill St
Motherwell ML1 1AB

Information Commissioner's Office

You have the right to make a complaint at any time to the Information Commissioner's Office, the UK data protection regulator. See the Information Commissioner's Office website for more information. We would, however, welcome the opportunity to address any issues before you do so.

The personal information we process

Personal information (personal data) means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal information as follows:

We may also collect, use and share aggregated data (such as statistical or demographic data) for any purpose. Aggregated data could be derived from personal information but is not considered personal information in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this privacy notice.

Purposes for which we will use your personal information

We will only use your personal information when it is lawful to do so.

We will use your personal information to perform our functions as a Lead Authority for the UK Community Renewal Fund, including to:

• process and assess applications and carry out due diligence;
• contact you or your organisation;
• carry out administration, monitoring, evaluation, verification, assurance and reporting activities;
• identify delivery risks and weaknesses and to ensure appropriate corrective action;
• provide assistance, information and collaboration to MHCLG, the Secretary of State and the UK Government in connection with matters relating to the UK Community Renewal Fund;
• manage payments to those delivering projects including entering into funding agreements and recovering unused funds;
• maintain accounts and records and to create aggregated data; and
• fulfil our responsibilities under applicable laws, including our Value for Money duty, equalities and procurement/state aid legislation.

We may also use your personal information:

• for the prevention and detection of crime;
• for the apprehension or prosecution of offenders;
• for the assessment or collection of taxes or duties;
• to prevent or detect unlawful acts;
• to protect the public against dishonesty, malpractice, or other seriously improper conduct; and
• to prevent fraud (including data matching under local and national fraud initiatives).

Legal basis for processing your personal information

We will process personal information according to the provisions of the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation 2018 (UK GDPR) and all applicable laws and regulations relating to processing of personal information and privacy.

We have set out below a description of the legal grounds we rely on. Note that we may process personal information under more than one lawful ground depending on the specific purpose for which we are using personal information.

We will use personal information on the following legal grounds:

• where necessary to perform a task carried out in the public interest or in the exercise of official authority vested in us including on the basis of Local Government (Scotland) Acts (UK GDPR Article 6(1)(e) and section 8 of DPA 2018); and
• where we need to comply with a legal or regulatory obligation including on the basis of Local Government (Scotland) Acts, procurement, subsidy control and state aid legislation and Equality Act 2010 (UK GDPR Article 6(1)(c)).

In addition, we will use special categories of personal information (e.g. health information) on the following legal grounds:

• where necessary for reasons of substantial public interest, on the basis of law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (UK GDPR Article 9(2)(g) and paragraphs 6 (Statutory etc and government purposes), 8 (Equality of opportunity or treatment), 10 (Preventing or detecting unlawful acts), 11 (Protecting the public against dishonesty etc), 12 (Regulatory requirements relating to unlawful acts and dishonesty etc) and 14 (Preventing fraud) of Schedule 1 Part 2 of DPA 2018);
• where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (UK GDPR Article 9(2)(j) and Article 89(1), section 19 and paragraph 4 (Research etc) of Schedule 1 Part 1 of DPA 2018); and
• where necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (UK GDPR Article 9(2)(f)).

In addition, we will use personal information relating to criminal convictions and offences on the following legal grounds:

• The UK GDPR Article 6 grounds mentioned above;
• paragraph 4 (Research etc) of Schedule 1 Part 1 of DPA 2018;
• paragraphs 6 (Statutory etc and government purposes), 10 (Preventing or detecting unlawful acts), 11 (Protecting the public against dishonesty etc), 12 (Regulatory requirements relating to unlawful acts and dishonesty etc) and 14 (Preventing fraud) of Schedule 1 Part 2 of DPA 2018); and
• paragraphs 33 (Legal claims) and 36 (Extension of conditions referring to substantial public interest) of Schedule 1 Part 3 of DPA 2018.

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Sharing your personal information

We may share your personal information with the following parties for the purposes set out above.

• UK Government, including Secretary of State and MHCLG;
• other Lead Authorities of the UK Community Renewal Fund;
• other members of the UK Community Renewal Fund assessment panel including Skills Development Scotland, New College Lanarkshire and Voluntary Action North Lanarkshire;
• our third party service providers and processors;
• the Scottish Government;
• arm's Length External Organisations (ALEOs) such as Routes to Work;
• Audit Scotland;
• Police Scotland and other law enforcement agencies;
• charities and other voluntary organisations;
• Scottish Public Services Ombudsman;
• the Scottish Information Commissioner;
• the UK Information Commissioner;
• professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;
• credit reference agencies;
• fraud prevention agencies;
• debt collection and tracing agencies;
• courts, tribunals and hearings; and
• private investigators.

Third parties who are controllers will process personal information in accordance with their privacy policies and/or notices. We do not allow our third-party service providers who are processors to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

We do not send you personal information overseas.

How long we will hold your personal information

Personal information relating to successful bids will be held for up to five years from the termination of the funding agreement. It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

We will erase personal information relating to unsuccessful bids within one year from the closure of the bidding process. This is estimated to be around July 2022. In some circumstances, we will anonymise personal information (so that it can no longer be associated with you or anyone else) for research or statistical purposes, in which case we may use this information indefinitely without further notice.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal information. You may have the right to:

• Access your personal information (known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
• Erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it or where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Please note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following circumstances:
• If you want us to establish the accuracy of the personal information.
• Where our use of the personal information is unlawful but you do not want us to erase it.
• Where you need us to hold the personal information even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of the personal information but we need to verify whether we have overriding legitimate grounds to use it.
• Object to processing of your personal information in certain circumstances. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

If you wish to exercise any of the rights set out above, please contact us.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of the other rights). This is a security measure e.g. to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Direct marketing and automated decision making and profiling

We do not carry out any direct marketing or automated decision-making or profiling.

Storage, security and data management

Your personal information will be stored within our secure IT system. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.