We understand that privacy and the security of personal information is extremely important. Because of that, this policy sets out what we do with personal information and what we do to keep it secure. It also explains where and how we collect personal information, as well as data subject rights over any personal information we hold about you.
This policy applies to you if we deliver a service to you, if we use you as a supplier or if we're seeking to enter into a contractual relationship with you. This policy gives effect to our commitment to protect your personal information.
Who we are
We are Compass Point Business Services (CPBS), a limited company owned by East Lindsey District Council (ELDC) and South Holland District Council (SHDC). We were formed as a joint venture and our main responsibilities are to deliver services to both Councils and to members of the public on their behalf.
Our primary office locations are at each respective Council's headquarters, at the addresses below, and we also operate from some the Customer Access Points owned and managed by the Councils.
ELDC Offices, Tedder Hall, Manby Park, Manby, Lincolnshire, LN11 8UP
SHDC Offices, Priory Road, Spalding, Lincolnshire PE11 2XE
Apart from processing in relation to our own employees and with current or potential suppliers contracted by us directly, where we act as the data controller, all of the personal data we process is done so in our capacity as a data processor acting on behalf of the respective district councils.
Information we hold
We hold and process a wide range of personal data. The majority of the data we process is required to allow us to deliver essential services on behalf of our two owning councils. These services are:
Customer Contact, where we take a range of information on behalf of the services we provide (as listed below) or other council services such as Waste Services, Licensing, Housing Support Services and Planning.
Revenues and Benefits, including the collection of Council Tax, Business Rates and Sundry Debt, as well as paying Benefit claims
Finance, which includes paying supplier invoices
Information and Communications Technology (ICT)
Human Resources (HR) and Payroll
Health and Safety
Internally the Company's Business Support team also processes a wide range of Company related and supplier information. This usually includes non-personal related data, with the exception being contacts within organisations we procure services from.
Categories of personal data we process in support of this will include:
Personal details, such as: name, address, telephone number, email address
Family details and/or information relating to others living with you
Lifestyle and social circumstances
Goods and services
Employment and education details
We also process sensitive classes of information that may include:
- Physical or mental health details
- Racial or ethnic origin
- Trade union membership
- Political affiliation
- Political opinions
- Criminal records data
- Religious or other beliefs of a similar nature
- Criminal proceedings, outcomes and sentences
How we use your information
The information we collect from you may be used to:
Collect Council Tax and Business Rates on behalf of the Councils
Collect other payments on behalf of the Councils
Apply relevant exemptions and discounts to your Council Tax or Business Rates accounts
Process and pay you Benefit entitlements
Pass onto the Councils with respect of other services they provide, such as Waste Services, Licensing, Environmental Protection or Housing Support
Enter into a contract arrangement with you as a supplier of services we require
Prevent and detect fraud
Help us understand more about customer service requirements
Our legal basis for processing your information
There are a number of reasons why we need to collect and use your personal information. We will provide specific Privacy Notices and/or shorter Privacy Statements on forms that will provide an explanation of what these are for each specific context.
We usually rely on one of the following lawful reasons for processing:
our legal obligation to provide a service to you on behalf of the Council(s); or
our obligation to provide a public task on behalf of the Council(s); or
because we have a contract with you or you have consented to providing your data in order to access one of our services.
We only collect enough information from you to perform the task it is needed for and this will vary throughout the Council depending on the services you require.
Some information is required legally; for example, we might need to know who is living in your household for Council Tax purposes
Some information may be given voluntarily by you as part of a contract with us or the Council we're processing on behalf of; for example, you might call our customer contact team with the intention of signing up for a green waste collection service.
Sharing your information
We will not sell your personal details to any third parties. We will only use your information for the purpose it was collected for, which may include the sharing of it with different Council departments as appropriate to provide the service you have requested.
Where allowed by law, necessary, or required by law we may share information with:
ELDC and SHDC
Customers and/or service users
Family, associates or representatives of the person whose personal data we are processing
Current, past and prospective employers
Healthcare, social and welfare organisations
Providers of goods and services
Debt collection and tracing agencies
Local and central government
Ombudsman and regulatory authorities
Press and the media (via respective Councils)
Professional advisers and consultants
Courts and tribunals
Survey and research organisations
Housing associations and landlords
Voluntary and charitable organisations
Other police forces, non-home office police forces
HM revenues customs
Department for Work and Pensions
Our staff are given training and guidance with regards to the sharing of personal data to ensure that your data is processed according to the law and only shared where there is consent or legal justification for doing so.
National Fraud initiative - Cabinet Office data matching
To prevent and detect fraud it is a legal requirement that Councils share your information with the Cabinet Office. This is for the purpose of data matching as part of the National Fraud Initiative (NFI), and as data processors acting on behalf of two Councils we're legally obliged to provide this information on their behalf. Examples of data supplied by CPBS are:
Insurance data - if claims have been made against the Council
Payroll - staff data
Trade creditors payment history and standing data (paid and open invoices)
Computerised data matching allows potentially fraudulent claims and payments to be identified and investigations to be carried out where necessary, in order to protect public funds. The use of this data by the Cabinet Office is carried out under Part 6 of the Local Audit and Accountability Act 2014 and does not require the consent of the individual concerned under Data Protection law. You will have been informed when we collected your personal information if we intend to share it with other people and organisations. However, you will not be informed if we are asked to provide your details for law enforcement or tax collection reasons as this is permitted within Data Protection Legislation.
Our Website and Cookies
We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on.
You can find out more about Google's position on privacy as regards its analytics service at https://support.google.com/analytics/answer/6004245?hl=en-GB
Visitors may choose to opt-out of Google Analytics tracking with the Google Analytics opt-out browser add-on
We use a minimal number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.
The list below describes the cookies we use on this site and what we use them for. Currently, we operate an 'implied consent' policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete the cookies having visited the site, or you should browse the site using your browser's anonymous usage setting (called "Incognito" in Chrome, "InPrivate" for Internet Explorer, "Private Browsing" in Firefox and Safari etc.).
Default Expiration Time
2 years from set/update
Used to throttle request rate.
30 mins from set/update
End of browser session
Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit.
6 months from set/update
CPBS does not transfer data to third countries. If this was ever considered necessary in the future, a transfer will only take place when:
Technical and organisational security measures have been put in place via a contract; or
With the consent of the data subject; or
Where required by law.
The General Data Protection Regulation ((EU) 2016/679) (GDPR) outlines a number of rights you have as a data subject (the person the data we're processing relates to). These are:
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restriction
Right to object
Right to complain to the Information Commissioner's Office (ICO)
Right to be informed
Access and correction of your personal information
You have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a 'Subject Access Request'. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge.
Before providing personal information to you or another person on your behalf, we may ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.
If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it.
If you would like to exercise these rights, please contact us as set out below.
Right to stop or limit our processing of your data
You have the right to object to us processing your personal information if we are not entitled to use it any more, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances.
If you would like to exercise this right, please contact us as set out below.
How long we keep your information for
We are only permitted to keep your data for as long as we need it, which we refer to as a retention period.
Some retention periods are prescribed by law, such as financial information which has to be provided to HMRC, but we often have to make our own judgements when deciding how long we keep personal data for.
Retention periods for the processing we carry out can be viewed in our retention schedule. For all services we provide on behalf of the Council, these should also be found on each respective Council's website.
Links to other relevant information
Most of the personal data we process is on behalf of ELDC and SHDC, and full privacy notices and retention periods relating to the services we provide are available from their websites:
The ICO are the UK's independent authority set up to uphold information rights in the public interest. You can go to their website to obtain more information generally regarding data protection law and practice, or to complain to them if you feel that the processing of your personal data infringes data protection law:
We take security measures to protect your information including:
Limiting access to our buildings to those that we believe are entitled to be there
Implementing access controls to our information technology, such as: encryption, firewalls, ID verification and logical segmentation and/ or physical separation of our systems and information
Robust security updates including timely patching and anti-virus software
Pseudonymisation or anonymisation of data wherever possible
Physical security controls, such as: secure waste paper disposal, controlled printing and a clear desk policy
Penetration testing to monitor security control effectiveness
Completion of Data Protection Impact Assessments (DPIA) when implementing changes
At CPBS we appoint our own Data Protection Officer (DPO), who can be contacted with any privacy related query or complaint by email at firstname.lastname@example.org or in writing at:
The Data Protection Officer
Compass Point Business Services
Manby Park, Manby
For the majority of the services we provide, CPBS acts as a data processor, delivering services on behalf of East Lindsey District Council and South Holland District Council, the data controllers. Council specific privacy notices and contact details can be located on their respective websites: East Lindsey District Council and South Holland District Council