Skip to main content

Records of Processing Activities under Article 30 of the GDPR

Controller details

Waverley Borough Council, The Burys, Godalming, Surrey, GU7 1HR

Data Protection Officer: Adrian Fennell – DPO@waverley.gov.uk

Purpose of the Processing

We process personal information to enable us to provide a range of government services to local people and businesses which include:

  • maintaining our own accounts and records
  • supporting and managing our employees / HR functions
  • promoting the services we provide
  • marketing our local tourism
  • carrying out health and public awareness campaigns
  • managing out property
  • providing leisure and cultural services
  • provision of education
  • carrying out surveys and consultations
  • administering the assessment and collection of taxes and other revenue including benefits and grants
  • licensing and regulatory activities
  • local fraud initiatives
  • the provision of social services
  • safeguarding
  • volunteering services/projects
  • crime prevention and prosecution of offenders including the use of CCTV
  • corporate administration and all activities we are required to carry out as a data controller and public authority
  • Digitalisation of data to modern mediums
  • undertaking research
  • the provision of all commercial services including the administration and enforcement of parking regulations and restrictions
  • the provision of all non-commercial activities including refuse collections from residential properties
  • internal financial support and corporate functions
  • managing archived records for historical and research reasons
  • data matching under local and national fraud initiatives
  • debt administration and factoring
  • the use of CCTV systems for public safety, protection of life and property and traffic management
  • protection of life and property
  • management of information technology systems
  • information and databank administration
  • public health
  • prevention and control of disease within the community
  • occupational health and welfare
  • produce and distribute printed material
  • management of public relations, journalism, advertising and media
  • sending promotional communications about the services we provide
  • enable us to buy, sell, promote and advertise our products and services
  • fundraising
  • any duty or responsibility of the local authority arising from common or statue law

Description of the categories of data subject

We process personal information about:

  • customers
  • residents
  • tenants
  • members of the public who may choose to contact us
  • businesses
  • suppliers
  • volunteers
  • Elected members (councillors) / Members of Parliament
  • staff, persons contracted to provide a service
  • claimants
  • recipients of benefits
  • complainants, enquirers or their representatives
  • professional advisers and consultants
  • students and pupils
  • carers or representatives
  • landlords
  • witnesses
  • offenders and suspected offenders
  • licence and permit holders
  • traders and others subject to inspection
  • images of people recorded on CCTV systems
  • representatives of other organisations
  • donors and potential donors to charitable cause

Categories of personal data

We may process information relevant to the above reasons/purposes which may include:

  • personal details
  • family / next of kin details
  • lifestyle and social circumstances
  • goods and services
  • financial details
  • employment and education details
  • housing needs
  • visual images, personal appearance and behaviour
  • licenses or permits held
  • student and pupil records
  • business activities
  • case file information charitable interests

We may also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • trade union membership
  • political affiliation / opinions
  • sexual orientation
  • offences (including alleged offences)
  • religious or other beliefs of a similar nature
  • criminal proceedings, outcomes and sentences

Categories of recipients to whom personal data have been or may be disclosed

Where allowed by law, necessary or required by law, we may share information with

  • customers / service users
  • family, associates or representatives of the person whose person data we are processing
  • current past and prospective employers
  • healthcare, social and welfare organisations
  • educators and examining bodies
  • providers of goods and services
  • financial organisations
  • debt collection and tracing agencies
  • service providers
  • local and central government
  • ombudsman and regulatory authorities
  • press and the media
  • professional advisers and consultants
  • courts and tribunals
  • trade unions
  • political organisations
  • professional advisers
  • credit reference agencies
  • professional bodies
  • survey and research organisations
  • polices forces
  • housing associations and landlords
  • voluntary and charitable organisations
  • religious organisations
  • students and pupils including their relatives, guardians, carers or representatives
  • data processors
  • other police forces, non-home office police forces
  • regulatory bodies
  • courts, prisons
  • customs and excise
  • international law enforcement agencies and bodies
  • security companies
  • partner agencies, approved organisations and individuals working with the police
  • licensing authorities
  • healthcare professionals
  • current, past and prospective employers and examining bodies
  • law enforcement and prosecuting authorities
  • police complaints authority
  • the disclosure and barring service
  • charities and not-for-profit partners

Transfers of personal data to a third country & safeguards

  • technical and organisational security measures have been put in place via a contract; or
  • with consent of the data subject; or where required by law

Time limit for erasure

Security measures we take

Technical and organisational security measures; (Art 32)

  • encryption
  • pseudonymisation
  • anonymization
  • BCP and resilience planning including backups
  • robust security updates including timely patching and anti-virus software
  • user access controls
  • physical security e.g. cryptags, clear desk policy
  • penetration testing
  • risk assessment
  • data protection impact assessments
  • staff training
  • contractual requirements

All Waverley Borough Council’s contracts will require any data processor to also keep a record, in writing, of the above when it is processing data on behalf of the council unless it is an enterprise or organisation that employs fewer than 250 people AND :

  • the processing it carries out is unlikely to result in a risk to the rights and freedoms of data subjects;
  • the processing is occasional; or
  • the processing does not include special categories of data or personal data relating to criminal convictions and offences.