Digital services privacy notice

Last updated: January 2024

Who we are and how to contact us

We're the London Borough of Hammersmith and Fulham's (H&F's) Digital Services.

H&F is the Controller for the personal data we process. Our Information Commissioner's Office (ICO) registration number is: Z5124889.

You can contact H&F's Digital Services using the general council contact information on our council Contact us page, this includes H&F's switchboard phone number and address.

Please see 'Your data rights' for:

  • how to contact us to exercise your data rights (e.g. to access your data) or if you're unhappy with how we use your data or comply with your data rights
  • how to contact our Data Protection Officer (DPO).

What we collect and process

We process data you've given us directly as well as data we get from others.

We get this data about you from other H&F service areas, suppliers, and partners when we are providing digital, IT and information management services and support to the council:

  • name and contact details e.g., email addresses, telephone numbers, preferred means of engagement
  • work role, organisational structure and working location, delivery addresses
  • user permissions, web access logs and records of usage of H&F systems including all MS365 emails, chats, recordings
  • IP addresses and user credentials e.g., user IDs, passwords, inventory asset numbers, multi-factor authentication contacts
  • biometric data e.g. fingerprints, facial recognition (where used for identity and authentication purposes)
  • health data (where used to provide assistive technology to users)
  • bank account details

When you contact our Information Management Team, or they work on casework or other information rights compliance activities, we collect this data about you:

  • name and contact details e.g., email addresses, telephone numbers, postal addresses
  • details about information rights-related casework:
    • details of your requests, concerns, or feedback in relation to data subject rights and information rights under the Freedom of Information Act 2000 and Environmental Information Regulations 2004
    • details of individuals involved in potential or actual information security incidents and data protection breaches
  • details about your professional role and involvement in information rights compliance activities with H&F, for example where you contribute to data protection impact assessments, data sharing agreements, supplier security questionnaires, information asset registers

Digital Services may process special category data and criminal offences data where relevant to the purpose. For example, as part of managing information rights casework or when carrying out searches to locate information for a subject access request, as evidence in HR disciplinary processes, legal proceedings, or fraud investigations.

Providing digital, IT and information management services and support to the council and complying with your information rights
We process your data to:

  • provide a secure, accessible IT platform, operating system and devices so that officers and councillors can perform their roles
  • set up, manage, and remove user accounts and corporate devices
  • test and pilot new technology to develop, expand or upgrade the platform
  • develop and deliver training and awareness sessions and materials to support technology adoption
  • monitor the system for potential abuses of H&F's policies, or for fraudulent or criminal activity
  • monitor threats to the system, identifying and fixing technical issues, and identifying and tackling cyber security risks
  • support the SIEM (Security Incident Event Management) which is used to produce regular threat updates for staff by creating algorithms and programs that help us spot problem accounts and unusual activity and take remedial actions to support our systems
  • procure and manage contracts and service delivery for H&F's digital, IT and information management services, including networks, service desk, systems, off-site records storage
  • plan, manage, and monitor programmes and projects to deliver digital and IT solutions for H&F, including stakeholder management and strategic planning
  • carry out searches to locate information for a subject access request, as evidence in HR disciplinary processes, legal proceedings, or fraud investigations
  • advise H&F service areas on information management-related matters, including data protection, information security, records management, and information and privacy risks
  • manage physical records stored off-site and maintain H&F's information asset register
  • process and respond to requests, concerns or feedback in relation to data subject rights and information rights under FOIA/EIR. Including liaison with the Information Commissioner's Office and requesters and other service areas
  • manage, investigate and respond to potential and actual information security incidents and data protection breaches

Our legal basis for processing your data is that:

  • we need to process it to meet H&F's legitimate interests which are implementing and maintaining H&F's IT infrastructure, systems and network; monitoring threats to the system; identifying and fixing technical issues; and identifying and tracking cyber security risks. This is necessary to maintain the integrity of our IT systems and the continuity of our business (6(1)(f) of the GDPR). However, you have the right to object to this processing. Please see Your data rights – what they are for how to object to this processing
  • we need to process it to enter into or carry out a contract with you where you are employed by H&F or where you supply services to H&F (6(1)(b) of the GDPR). Please see H&F's People & Talent fair processing notice for more details about how H&F processes your data for employment purposes.
  • we need to process it to comply with the law (6(1)(c) of the GDPR). For example, we use it to comply with court orders, H&F's statutory obligations or regulatory requirements, locating information for data subject and information rights requests, as evidence in HR disciplinary processes, legal proceedings, or fraud investigations

Please see H&F's Corporate Anti-Fraud Service fair processing notice for more details about how H&F processes your data for investigation and prevention of fraud purposes.

Please see H&F's other service area privacy notices for more details on the statutory and regulatory obligations that we process your data for.

Some of your data we process may contain special category data where it is relevant to the above purposes (e.g. carrying out information searches, providing assistive technology). This could include data such as health, religious beliefs, political opinions, sexual orientation and your sex life, trade union membership, biometric, race or ethnicity. Our legal basis for processing it is:

  • we need to process it to comply with our employment obligations (9(2)(b) of the GDPR and schedule 1: part 1(1) DPA 2018)
  • we have a substantial public interest to process it (9(2)(g)) of the GDPR):
    to carry out H&F's statutory functions (schedule 1 part 2(6) of the DPA 2018)
    to prevent or detect unlawful acts (schedule 1 part 2(10) of the DPA 2018)
    We will only carry out this processing where there's a substantial public interest and we have appropriate safeguards in place for your rights.

Some of your data we process may contain criminal offence data where it is relevant to the above purposes (e.g. carrying out information searches). This could include data such as allegations about criminal offences, criminal convictions and sentences, security measures that relate to criminal offences or convictions, investigations, and proceedings. Our legal basis for processing it is authorised by UK law under GDPR Art.10 as we need to process it to:

  • comply with our employment obligations (schedule 1: part 1(1) DPA 2018)
  • carry out H&F's statutory functions (schedule 1 part 2(6) of the DPA 2018)
  • prevent or detect unlawful acts (schedule 1 part 2(10) of the DPA 2018)

We will only carry out this processing where we have appropriate safeguards in place for your rights.

H&F's other uses of your data

Please see H&F's general privacy notice, and other H&F service area privacy notices, for other ways H&F may use your data.

Who we share it with

We share your data with:

  • other service areas across H&F where this is necessary to provide digital, IT and information management services and support to the council and comply with your information rights
  • our suppliers who help us deliver our service:
    o IT Service Desk support
    o IT infrastructure, networks, hardware provision and support
    o Information security threat and incident detection, advice, and remediation
    o Workplace adjustment advice
    o Off-site records storage services
    o Provision and maintenance of business applications used to support Digital Services, e.g., collaboration and project management tools, asset management tools, incident/service request management systems
  • our partners we work with to deliver our service, including:
    o National Cyber Security Centre - to use their Active Cyber Defence and other advice/support services, report cyber security incidents.
    o London Office of Technology and Innovation - to participate in projects and initiatives to improve the use of information technology and data
    o Department for Levelling Up, Housing & Communities - to participate in projects and initiatives to improve the use of information technology and data
    o Information Commissioner's Office - to register as a data controller, notify them about data protection breaches, respond to information rights casework, obtain advice on information rights matters
    o Royal Borough of Kensington and Chelsea and Westminster City Council – to manage the shared IT infrastructure

We only process your data in the UK and the European Economic Area (EEA).

How long we keep it

We keep your data for only as long as it is required by law or we need it to provide you with services. When we no longer need your data, we'll dispose of it securely or, if it's of historic interest, we'll transfer it to our local archives service.

What are your rights?

In relation to this processing, you have the right to:

  • be informed – we do this through this privacy notice
  • access your data - by making a subject access request to us
  • have us change incorrect or incomplete data
  • restrict how we process your data

Depending on our lawful basis for processing your data you may also have the right to:

  • have us delete your data (where we process it to meet H&F's legitimate interests or carry out a contract with you)
  • object to how we process your data (where we process it to meet H&F's legitimate interests)
  • data portability (where we process it to carry out a contract with you)
  • have a person check automated decisions and automated profiling which may result in a potentially damaging decision about you

For more information on your rights and how to exercise them, please see Your data rights – what they are and Your data rights – how to exercise them.

Who to contact if you're unhappy about how we use your data or comply with your data rights

For who to contact if you're unhappy, please see Your data rights – who to contact if you're unhappy.

What if this notice changes?

If we make a big change to what personal data we process, how or why we process it, or who processes it we'll update this notice. We may also contact you using other communication channels to make you aware of the changes.

Translate this website