Record of Processing Activity (RoPA)

This page provides a summary of personal data processing activities undertaken by the Council's. It complies with Article 30 of the UK GDPR by providing:

• a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
• b) the purpose of the processing;
• c) a description of the categories of data subjects and of the categories of personal data;
• d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
• e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
• f) where possible, the envisaged time limits for erasure of the different categories of data;
• g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) [or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act].

a) The Controllers and Data Protection Officer

The Data Protection Officer for both authorities is Drew Powell, Director of Strategy and Governance, who can be contacted by emailing data.protection@swdevon.gov.uk.

b) The Purpose of Processing

The is following a broad description of the way the Council's process personal data. To understand how your own personal data is processed, you may need to refer to any personal communications you have received, check our privacy notices (South Hams - Privacy, West Devon - Privacy), or contact the Council's directly to ask about your personal circumstances by emailing data.protection@swdevon.gov.uk.

Purposes for processing personal data:

We process personal data to enable us to provide a range of government services to local people and business, which include:

Statutory Services

• Organising local and national elections
• Compiling and maintaining the Register of Electors
• Homeless strategy and homelessness prevention
• Housing Advice
• Housing registers, including the self-build register
• Refugees
• Housing benefits
• Environmental health
• Council Tax and Non-Domestic Rates collection
• Waste collection and recycling
• Street cleansing
• Food safety, food export certificates and water sampling
• Food Hygiene rating scheme
• Health and Safety
• Building Control (in partnership with Devon Building Control Partnership)
• Licensing of taxis, gambling premises, alcohol and entertainment licencing, temporary events, animal activities, skin piercing and scrap metal dealers.
• Local plans and development management (outside the Dartmoor National Park area)
• Issuing Tree Preservation Orders (TPOs)

Discretionary Services

• Council-owned car parks
• Planning enforcement
• Promoting economic development
• Providing some grants to voluntary organisations
• Maintaining some parks and gardens
• Looking after council-owned parks and open spaces
• Operating markets in Totnes, Ivybridge and Kingsbridge
• Some public toilets (some are owned by the local parish or town council)

The processing for the above functions is carried out by the Council's Directorates and services that sit in those Directorates. Further information on what the Councils do can be found on each authority's website

• South Hams
• West Devon

c) Type/Classes of data processed

We process information relevant to the above reasons/purposes which may include:

• Business activities
• Case file information
• Employment and education details
• Family details
• Financial details
• Goods and services
• Housing needs
• Licences or permits held
• Lifestyle and social circumstances
• Personal details
• Student and pupil records
• Visual images, personal appearance, and behaviour

We also process 'special categories' of information, previously known as 'sensitive data', that may include:

• Criminal proceedings, outcomes and sentences
• Genetic/biometric data
• Offences (including alleged offences)
• Physical or mental health details
• Political affiliation/opinions
• Racial or ethnic origin
• Religious or other beliefs of a similar nature
• Trade union membership

Who data is processed about

We process personal information about:

• Adults living in the District/Borough
• Business owners
• Carers or representatives
• Children living in the District/Borough
• Claimants
• Complainants, enquirers or their representatives
• Customers
• Landlords
• Licence and permit holders
• Offenders and suspected offenders
• Payers of Council Tax and/or Business Rates
• People captured by CCTV images
• Professional advisors and consultants
• Receivers of Council Services
• Recipients of benefits
• Representatives of other organisations
• Staff, persons contracted to provide a service
• Students and pupils
• Suppliers
• Traders and others subject to inspection
• Tenants
• Witnesses

d) Who data may be shared with

We sometimes need to share information with the individuals we process information about and other organisations. Where this is necessary, we are required to comply with all aspects of the data protection legislation. The following is a description of the types of organisations we may need to share some of the personal data we process with for one or more reasons.

In certain circumstances, where necessary or required by law, we may share information with:

• Courts, prisons
• Credit reference agencies
• Current, past and prospective employers and examining bodies
• Customers
• Customs and excise
• Data processors
• Debt collection and tracing agencies
• Educators and examining bodies
• Family, associates or representatives of the person whose personal data we are processing
• Financial organisations
• Healthcare professionals
• Healthcare, social and welfare organisations
• Housing associations and landlords
• Housing and tenants' associations
• International law enforcement agencies and bodies
• Law enforcement and prosecuting authorities
• Legal representatives, defence solicitors
• Licensing authorities
• Local and central government
• Ombudsman and regulatory authorities
• Partner agencies, approved organisations and individuals working with the Police.
• Police complaints authority
• Police forces
• Other Police forces, non-home office Police forces
• Political organisations
• Press and the media
• Private investigators
• Professional advisors and consultants
• Professional bodies
• Providers of goods and services
• Regulatory bodies
• Religious organisations
• Security companies
• Service providers
• Students and pupils including their relatives, guardians, carers or representatives,
• Survey and research organisations
• The disclosure and barring service
• Trade unions
• Tribunals
• Voluntary and charitable organisations

e) Transfers

In very rare circumstances, it may sometimes be necessary to transfer personal information overseas. Any transfers made will be in full compliance with all aspects of the data protection legislation, for example, only with your consent if appropriate and with additional security measures in place to protect your information.

The majority of personal information is stored on systems located on the Council's own servers in the Council's own secure premises, although there are some occasions where your information may leave the UK in order to get to another organisation, or, if it is stored in a system that uses servers elsewhere.

We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data, undertaking risk assessments on systems being used to ensuring we have a robust contract in place with the third party.

We will take all practical steps to make sure your personal information is not sent to a country that is not seen as "safe" either by the UK or EU Governments.

f) How long do we keep your personal data?

There is often a legal reason for keeping your personal information for a set period of time, we try to include all of these in the Council's retention schedule.

For each service the schedule lists for how long your information may be kept. This ranges from months for some records to decades for more sensitive records. As services, laws and legislation change regularly, the retention schedule is constantly changing to reflect the new requirements.

g) Technical and organisational security measures

The Council has a robust suite of security controls in place to protect the records we hold about you (on paper and electronically). The Council meets stringent Public Sector Network (PSN) Security controls, and strict Payment Card Industry Data Security Standards (PCI-DSS). The Council has Cyber Essentials accreditation and complies with NHS Digital's Data Security and Protection Toolkit (DSPT) standards.

Access to your records is only available to those who have a right to see them. Examples of further security include:

• Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This type of technology is applied to a number of our systems including our email system.
• Access Controls, controlling access to systems and networks using multi-factor authentication, allows us to stop people who are not allowed to view your personal information from getting access to it.
• Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
• Regular testing of our technology and ways of working including keeping up to date on the latest security updates (patches).