Your Privacy

Elmbridge Building Control Services Limited is committed to protecting your privacy when you
use our services. The Privacy Notice below explains how we use information about you and how
we protect your privacy.
We have a Data Protection Officer who makes sure we respect your rights and follow the law. If
you have any concerns or questions about how we look after your personal information, please
contact the Data Protection Officer, Alan Harrison, at dataprotection@elmbridge.gov.uk

Why we use your personal information

What is personal information?

Personal information can be anything that identifies and relates to a living person. This can
include information that when put together with other information can then identify a person. For
example, this could be your name and contact details.

Some of your personal information might be classed as ‘special’

Some information is ‘special’ and needs more protection due to its sensitivity. It’s often
information you would not want widely known and is very personal to you. This is likely to include
anything that can reveal your:

  • physical or mental health

Why we need your personal information

We may need to use some information about you to:

  • deliver services and support to you
  • manage those services we provide to you
  • train and manage the employment of our workers who deliver those services
  • help investigate any worries or complaints you have about your services
  • keep track of spending on services
  • check the quality of services
  • to help with research and planning of new services.

How the law allows us to use your personal information

There are some legal reasons why we need to collect and use your personal information.
Generally, we collect and use personal information where:

  • you, or your legal representative, have given consent
  • you have entered into a contract with us
  • it is necessary to perform our statutory duties
  • it is required by law
  • it is necessary for employment purposes
  • it is necessary for legal cases
  • it is necessary to protect public health
  • it is necessary for archiving, research, or statistical purposes

If we have consent to use your personal information, you have the right to remove it at any time.
If you want to remove your consent, please contact dataprotection@elmbridge.gov.uk.

How we collect data

As a client of EBCS Ltd, we collect personal data about you in connection with our products and
services in the following ways:
• From your enquiry or fee quote request, whether over the phone, in person, in writing, or
through our website
• From subsequent interactions, including submission of a warranty quotation, with us by the
methods listed above
• From third parties, such as an agent or architect, appointed by you to act on your behalf

We only use what we need

Where we can, we’ll only collect and use personal information if we need it to deliver a service or
meet a requirement in accordance with the Regulatory requirements of the following:

  • The Building Act 1984
  • Regulatory Reform (Fire Safety) Order 2005
  • The Building (Local Authority Charges) Regulations 2010

If we don’t need the personal information we will either keep you anonymous if we already have it
for something else or we won’t ask you for it. For example, in a survey if we don’t need your
contact details, we will only collect your survey responses.

If we use your personal information for research and analysis, we’ll always keep you anonymous
or use a different name unless you’ve agreed that your personal information can be used for that
research.

We don’t sell your personal information to anyone else.

Marketing

Any marketing that is undertaken by EBCS will use data that is held in the public domain. No
copies of correspondence, either in paper or electronic format, will be retained.

What you can do with your information

The law gives you a number of rights to control what personal information is used by EBCS and
how it is used by us.

You can ask for access to the information we hold on you

We would normally expect to share what we record about you with you whenever we assess
your needs or provide you with services.

However, you also have the right to ask for information we have about you and the services you
receive from us. When we receive a request from you in writing, we must give you access to that
information.

However, we can’t let you see any parts of your record which contain:

  • Confidential information about other people; or
  • Data that a professional thinks will cause serious harm to your or someone else’s physical
    or mental wellbeing; or
  • If we think that giving you the information may stop us from preventing or detecting a
    crime

This applies to personal information that is in paper as well as electronic records. If you ask us,
we’ll also let others see your record (except if one of the points above applies).

If you can’t ask for your records in writing, we’ll make sure there are other ways that you can. If
you have any queries about access to your information, please contact
dataprotection@elmbridge.gov.uk

You can ask to change information you think is inaccurate

You should let us know if you disagree with something written on your file.

We may not always be able to change or remove that information, but we’ll correct factual
inaccuracies and may include your comments in the record to show that you disagree with it.

Please email us at admin@ebcsltd.co.uk to inform us of any inaccuracies.

You can ask to delete information (right to be forgotten)

In some circumstances you can ask for your personal information to be deleted, for example:

  • Where your personal information is no longer needed for the reason why it was collected
    in the first place
  • Where you have removed your consent for us to use your information (where there is no
    other legal reason for us to use it)
  • Where there is no legal reason for the use of your information
  • Where deleting the information is legally required

Where your personal information has been shared with others, we’ll do what we can to make
sure those using your personal information comply with your request for erasure.

Please note that we can’t delete your information where:

  • we’re required to have it by law
  • it is used for freedom of expression
  • it is in there for public health purposes
  • it is for, scientific or historical research, or statistical purposes where it would make
    information unusable
  • it is necessary for legal claims

You can ask to limit what we use your personal data for

You have the right to ask us to restrict what we use your personal information for where:

  • you have identified inaccurate information, and have told us about it
  • we have no legal reason to use that information, but you want us to restrict what we use it
    for rather than erase the information altogether

When information is restricted it can’t be used other than to securely store the data and with your
consent to handle legal claims and protect others, or where it’s for important public interests of
the UK.

Where restriction of use has been granted, we’ll inform you before we carry on using your
personal information.

You have the right to ask us to stop using your personal information for any council service.
However, if this request is approved this may cause delays or prevent us delivering that service.

Where possible we’ll seek to comply with your request, but we may need to hold or use
information because we are required to by law.

You can ask to have your information moved to another provider (data portability)

You have the right to ask for your personal information to be given back to you or another service
provider of your choice in a commonly used format. This is called data portability.

However, this only applies if we’re using your personal information with consent (not if we’re
required to by law) and if decisions were made by a computer and not a human being.

It’s likely that data portability won’t apply to most of the services you receive from us.

You can ask to have any computer made decisions explained to you, and details of how we may
have ‘risk profiled’ you.

You have the right to question decisions made about you by a computer, unless it’s required for
any contract you have entered into, required by law, or you’ve consented to it.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made
about you based on certain things in your personal information, e.g. your health conditions.

If and when ECC uses your personal information to profile you, in order to deliver the most
appropriate service to you, you will be informed.

If you have concerns regarding automated decision making, or profiling, please contact the Data
Protection Officer who’ll be able to advise you about how we use your information.

Who do we share your information with?

We use a range of organisations to either store personal information or help deliver our services
to you. Where we have these arrangements there is always an agreement in in place to make
sure that the organisation complies with data protection law.

We’ll often complete a privacy impact assessment (PIA) before we share personal information to
make sure we protect your privacy and comply with the law.

Sometimes we have a legal duty to provide personal information to other organisations.

We may also share your personal information when we feel there’s a good reason that is more
important than protecting your privacy. This doesn’t happen often, but we may share your
information:

  • to find and stop crime and fraud; or
  • if there are serious risks to the public, our staff or to other professionals;
  • to protect a child; or
  • to protect adults who are thought to be at risk

The risk must be serious before we can override your right to privacy.

If we’re worried about your physical safety or feel we need to act to protect you from being
harmed in other ways, we’ll discuss this with you and, if possible, get your permission to tell
others about your situation before doing so.

We may still share your information if we believe the risk to others is serious enough to do so.

There may also be rare occasions when the risk to others is so great that we need to share
information straight away.

If this is the case, we’ll make sure that we record what information we share and our reasons for
doing so. We’ll let you know what we’ve done and why if we think it is safe to do so.

How we protect your information

We will do what we can to make sure we hold records about you (on paper and electronically) in
a secure way, and we will only make them available to those who have a right to see them.

Examples of our security include:

  • Encryption, meaning that information is hidden so that it cannot be read without special
    knowledge (such as a password). This is done with a secret code or what’s called a
    ‘cypher’. The hidden information is said to then be ‘encrypted’
  • Pseudonymisation, meaning that we’ll use a different name, so we can hide parts of your
    personal information from view. This means that someone outside of the Council could
    work on your information for us without ever knowing it was yours
  • Controlling access to systems and networks allows us to stop people who are not allowed
    to view your personal information from getting access to it
  • Training for our staff allows us to make them aware of how to handle information and how
    and when to report when something goes wrong
  • Regular testing of our technology and ways of working including keeping up to date on the
    latest security updates (commonly called patches)

Where in the world is your information?

The majority of personal information is stored on systems in the UK. But there are some
occasions where your information may leave the UK either to get to another organisation or if it’s
stored in a system outside of the EU.

We have additional protections on your information if it leaves the UK ranging from secure ways
of transferring data to ensuring we have a robust contract in place with that third party.

We’ll take all practical steps to make your personal information is not sent to a country that is not
seen as ‘safe’ either by the UK or EU Governments.

If we need to send your information to an ‘unsafe’ location, we’ll always seek advice from the
Information Commissioner first.

How long we keep your personal information for

There is often a legal reason for keeping your personal information for a set period of time, we try
to include all of these in our retention schedule.

For EBCS the schedule lists how long your information may be kept for. This ranges from months
for some records to decades for other records.

Where can I get advice?

If you have any worries or questions about how your personal information is handled please
contact our Data Protection Officer at dataprotection@elmbridge.gov.uk

For independent advice about data protection, privacy and data sharing issues, you can contact
the Information Commissioner’s Office (ICO) at:

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit ico.org.uk or email casework@ico.org.uk

Use of cookies

Use of website cookies

A cookie is a small file which is placed on your computer's hard drive, if your browser is
set to accept cookies. We use traffic log cookies to help us improve our website by
enabling us to monitor how visitors reach the site, which pages are visited, and how long
visitors spend on each page. A cookie does not give us access to your computer or any
personal information about you. Data generated by cookies is not traced back to
individuals, but is only used for statistical analysis purposes.

We will not use cookies to collect personally identifiable information about you.

However, if you wish to restrict or block the cookies which are set by our website, you
can do this through your browser settings. Please be aware that if you restrict cookies, it
may stop our website from working properly.

To find more information about how to control and delete cookies, please visit your
browser’s help page.