Dudley Metropolitan Borough Council’s trading arm, Revolution, are committed to fulfilling our obligations in line with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
In order to ensure this, we have appointed a Data Protection Officer and, in cooperation with our Corporate Information Governance Team, we are completing compliance audits of all our services, including traded services. We have implemented robust technical and organisational measures ensuring that all data processing activities are controlled ensuring compliance with GDPR.
We believe we are able to demonstrate compliance with the requirements specifically for the dealings we have with our traded service customers.
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our clients, employees and other people with whom we interact and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
Revolution acts as both a Data Controller and a Data Processor. We are a data processor on behalf of all customers and clients who purchase our services. We are also a data controller in relation to data subjects, for example, our own employees. This document sets out our processing requirements, lawful basis for processing and the appropriate controls we have in place to safeguard information. This should assist you in evidencing that you have received assurance from us in meeting our compliance obligations.
1. Information About Us & This Document
This document applies to Revolution, the commercial trading arm of Dudley Metropolitan Borough Council and all of its components. The component entities of Revolution are as detailed on the Revolution Services site available at this link: http://www.revolutionforschools.dudley.gov.uk
Registered address: The Council House, Priory Road, Dudley DY1 1HF
Data Protection Officer: Lewis Bourne
Email address: email@example.com
Telephone number: 01384 815607
2. What Does This Document Cover?
This document explains how Revolution traded services use your personal data: how it is collected, why it is collected, our lawful reasons for doing so, how it is held and how it is processed. It also explains your rights under the law relating to your personal data. It is also acts as the Revolution Privacy Notice for compliance with Article 12(1) of the GDPR.
3. What Is Personal Data?
Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we hold/process is set out in Part 5, below.
4. What Are My Rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
a) The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Paragraph 12.
b) The right to access the personal data we hold about you. Paragraph 11 will tell you how to do this.
c) The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Paragraph 12 to find out more.
d) The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Paragraph 12 to find out more.
e) The right to restrict (i.e. prevent) the processing of your personal data.
f) The right to object to us using your personal data for a particular purpose or purposes.
g) The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
h) Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 12.
Further information about your rights can also be obtained from the Information Commissioner’s Office or by viewing Dudley MBC’s Corporate Privacy Notice available at this link: https://www.dudley.gov.uk/privacy-disclaimer-statement/corporate-privacy-disclaimer-statement/.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
5. What Personal Data Do You Process?
The type of personal data we collect or process may vary according to the relationship between you and Revolution and according to the service that we provide to you or for your benefit, directly or indirectly. We always capture the name and contact details of the person or persons with whom we interact with, when we provide our services, be it to manage the account, to provide us with information or to process accounts. In addition, the categories of personal data processed by the various Revolution teams are listed below. Typical examples of services are shown and their relationship to the data processed, please note that this is not an exhaustive list and is illustrative of the type of processing undertaken.
5.1 HR Operations/ HR Transactions and Payroll Services team may process the data below on clients’ employees but only where it is necessary to perform the advisory or consultancy role.
• Personal information and contact details such as name, title, addresses, date of birth, marital status, phone numbers and personal email addresses;
• Emergency contact information such as names, relationship, phone numbers and email addresses;
• Information collected during the recruitment process by the client and retained during employment including references, proof of right to work in the UK, application form, CV, qualifications;
• Employment contract information such as start dates, hours worked, post, roles;
• Education and training details;
• Details of salary and benefits including payment details, payroll records, tax status information, national insurance number, pension and benefits information;
• Details of any dependants;
• Nationality and immigration status and information from related documents, such as your passport or other identification and immigration information;
• Information in your sickness and absence records such as number of absences and reasons(including sensitive personal information regarding your physical and/or mental health);
• Racial or ethnic origin, sex and sexual orientation, religious or similar beliefs;
• Criminal records information as required by law to enable employee to work with children;
• Trade union membership;
• Information on grievances raised by or involving the employee;
• Information on conduct and/or other disciplinary issues involving the employee;
• Details of appraisals, performance reviews and capability issues;
• Details of time and attendance records;
• Information about the use of IT, communications and other systems, and other monitoring information;
• Details of use of business-related social media;
• Images of staff captured by the School’s CCTV system;
• Your use of public social media (only in very limited circumstances, to check specific risks for specific functions within the School);
• Details in references about employees, clients give to others.
5.1.1 School clients may also ask advice which involves our processing of the following categories of data about pupils and parents:-
• Personal information such as name, pupil number, date of birth, gender and contact information;
• Emergency contact and family lifestyle information such as names, relationship, phone numbers and email addresses;
• Characteristics (such as ethnicity, language, nationality, country of birth and free school meal eligibility);
• Attendance details (such as sessions attended, number of absences and reasons for absence);
• Financial details such as monies owed and financial hardship;
• Performance and assessment information;
• Behavioural information (including exclusions);
• Special educational needs information;
• Relevant medical information;
• Special categories of personal data (including biometric data, ethnicity, relevant medical information, special educational needs information);
• Images of pupils engaging in school activities, and images captured by the School’s CCTV system.
5.1.2 School clients may also ask advice which involves our processing or the following categories of data about Governors:-
• Names, Addresses and Occupations.
5.2 The Information Governance and Data Protection Officer Service may process the data below but only where it is necessary to perform the advisory or consultancy role.
• Name and contact information of clients’ vendors and suppliers;
• Financial and payment details of clients’ vendors and suppliers;
• The data set out in paragraph 5.1 where a person is making a subject access request;
• The data set out in paragraph 5.1 where advising on matters involving pupils and/or parents.
5.3 The Health and Safety team may process the data below but only where it is necessary to perform the advisory or consultancy role.
• Information required to perform a DSE risk assessment including name, and health status;
• Information required to perform a pregnancy risk assessment including name, and health status;
• Name and contact information of clients’ vendors and suppliers;
• Financial and payment details of clients’ vendors and suppliers.
5.4 Other Services as defined in the Service Portal may process the data below but only where it is necessary to perform the advisory or consultancy role you have purchased or to deliver a specific service to you.
• The data set out in paragraph 5.1 where necessary to provide the service as specified in the Service Level Agreement.
6. What Is Your Reason For Holding/Processing My Personal Data?
Under the GDPR, we must always have a lawful basis for processing/using personal data. The lawful bases for processing are set out in Article 6 of the GDPR. The reasons why Revolution hold/process your personal data are:
• Because we need to do so in order to perform a contract that we have with you or are taking steps to enter into with you;
• Because we have your consent to hold/process your data;
• Because we have a legal obligation to hold/process the data regardless of whether any contract exists between us;
• Because we have a legitimate interest in holding/processing your data, or there is a legitimate third party interest and there is not a good reason to protect the individual’s personal data which overrides those legitimate interests.
7. For What Purpose Do You Use My Personal Data?
The purposes for which Revolution use your personal data may be one or more of the following:
• Communicating with you to inform you of our services;
• Communicating with you with the purpose of entering into a contract with you;
• Providing, administering and managing our contract with you;
• Supplying our services to you or for your benefit;
• Personalising and tailoring our services for you or for your benefit;
• Communicating with you on matters that may fall outside the immediate contractual obligations but arise in the course of supplying our services to you;
• Advising your employer, where we are engaged, for example, as their HR/Employment law advisers or health and safety advisers or Information Governance or data protection advisers:
- On all matters pertaining to your employment;
- On all matters relating to the application and interpretation of health and safety policies and procedures to your employment;
- On all matters relating to the application and interpretation of data protection laws to your employment;
- On all matters relating to the operational and educational needs of a school, including clerking and governance;
- On all matters relating to the application and interpretation of immigration laws within the context of your employment or potential employment;
- Where you are not an employee of a Revolution client, advising our client on the application and interpretation of data protection laws and freedom of information laws within the context of a Subject Access Request you have submitted or a freedom of information request you have submitted to our client and where we are acting either as adviser or a Data Protection Officer;
- Where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email and/or telephone and/or text message and/or post with information, news, and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.
8. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
• Where the data relates to a contractual relationship between us and you where it may potentially come to be considered evidence in a dispute, we shall keep that data up to six years
• Where the data consists of information that we are required to retain by law, we shall keep the data as long as we are required to do so.
• Where there is no contractual relationship between us but there exists a risk of litigation where the data may potentially come to be seen as evidence or somehow material, we shall keep the data as long as that risk is live and material.
• Where the information is required for effective operation of our accounts or business operations we shall keep the data, but no longer than is required by law
• Where the purpose for which the data was lawfully acquired is still live we shall keep the data, but no longer than is required by law.
9. How and Where Do You Store Or Transfer My Personal Data?
We will only store or transfer your personal data to secure systems located within the United Kingdom. All data held will be stored on secure Council services located in Council managed Data Centres or, where a cloud solution is utilised, on secure cloud systems that have undergone robust cloud risk assessments before being utilised by the Council. This means that your personal data will be fully protected under the GDPR or to equivalent standards by law.
The Council has to comply with strict security compliance such as, Public Sector Network Code of Connection (PSN) and Payment Card Industry Data Security Standards (PCI-DSS). As a consequence the Council’s systems and data centres must meet national and international cyber security standards. The services you purchase via Revolution benefit from making use of the Council’s wider security obligations.
10. Do You Share My Personal Data?
Revolution will not share any of your personal data with any third parties for any purposes, subject to these exceptions:
• To make effective the objectives of a contract that we have with you or for your benefit;
• Where we have your consent to share your data;
• Where we are legally obliged to do so by statute, a court order or other type of legal obligation.
If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above.
11. How Can I Access My Personal Data?
If you want to know what personal data Revolution have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 12.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
12. How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
For the attention of: Corporate Information Governance Team
Email address: firstname.lastname@example.org
Telephone number: 01384 815607
Postal Address: The Council House, Priory Road, Dudley, DY1 1HF
13. Changes To This Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.