Sports field with goal posts and houses in the distance

Privacy policy and data protection

The GMCA is a Public Authority and we have a number of legal responsibilities to provide services to you.  These services include the fire service, waste collection and disposal and commissioning of services for victims.

To do this we collect, hold and process a large amount of information including personal information about you. Holding this information about you makes us a 'data controller' under Article 4(7) of the General Data Protection Regulation (GDPR).  The GDPR works together with the Data Protection Act 2018 to make sure that your information is collected, stored and shared appropriately.

We will collect your information in many forms dependant on how you are accessing our services.  This may include using paper or online forms, by telephone, email or in person. This information is important and we make sure that it is stored safely and in accordance with current Data Protection Legislation.

You should expect that we will keep a record of any contact you make with us and that we will only hold the information we need.

More details about what the Data Protection Act 2018 and the General Data Protection Regulations are and what they mean for you can be found on the Information Commissioner’s Website (opens in a new tab)

The legislation requires us to appoint a Data Protection Officer who is responsible for protecting individuals’ personal data according to current legislation.  You can contact the GMCA Data Protection Officer via email at

Types of information that we process

To allow us to deliver our required services we may process different types of information. This includes the information shown below:

Personal data

  • Personal details
  • Family details
  • Lifestyle and social circumstances
  • Financial details
  • Employment and education details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • CCTV footage
  • Licenses or permits held
  • Student and pupil records
  • Business activities
  • Service user case file information
  • Birth, death and other data processed by the registrars

Special classes of personal data

  • Physical or mental health information
  • Racial or ethnic origin
  • Trade union membership
  • Political affiliation
  • Political opinions
  • Religious or other beliefs of a similar nature
  • Sexual life or sexual orientation
  • Criminal offences (including alleged offences)
  • Criminal proceedings, outcomes and sentences

Using your personal information

In deciding what personal data we need, we will:

  • only collect, hold and use your personal information where it is necessary for us to do so to ensure we can deliver you the best service
  • securely delete or destroy your personal information when we no longer need it
  • keep your personal information safe and secure
  • take into account your privacy when planning to use or hold your personal information in new ways, such as using new systems or improving the way we work
  • be open with you about how we use your information and who we share it with
  • make it easy for you to see and correct your personal information

What do we do with your information?

We may use your personal information to:

  • Communicate with you and provide services and information appropriate to your needs.
  • Check our performance in responding to you.
  • Ensure that we meet all our legal obligations.
  • Enforce the law such as licensing, planning enforcement, trading standards and food safety.
  • Process financial transactions including grants, payments and benefits or we are acting on behalf of other government bodies, for example the Department for Works and Pensions.
  • Protect you or others from harm or injury

We may also use your information or pass it to external organisations for other purposes allowed under relevant Data Protection and other legislation or where you have consented for it to be used for a particular purpose.

We may also use your information to calculate statistical information to prioritise activities, target and plan the provision of services. We make sure that you cannot be identified when we use your information like this.

Specifically this means that we may use your information to:

  • Maintain our own accounts and records
  • Support and manage our employees
  • Manage our property
  • Enable licensing and regulatory activities
  • Provide services required by us as a public service
  • Prevent crime and prosecute offenders including the use of CCTV
  • Administer any corporate activities we are required to carry out as a data controller and public authority
  • Undertake research
  • Provide commercial and non-commercial activities that we undertake as a public body
  • Support internal financial and corporate functions
  • Manage archived records for historical and research reasons
  • Undertake data matching for local and national fraud initiatives
  • Improve public health
  • Assist in disputes or potential cases of malpractice
  • Investigate complaints

We may also use your information to help to target some of our services and let you know what information or activities may be available to help you. This may include:

  • Promoting the services we provide
  • Marketing our local tourism
  • Carrying out health and public awareness campaigns
  • Providing leisure and cultural services
  • Local Fraud Initiative
  • National Fraud Initiative (NFI) 2020 to 2021
  • Carrying out surveys

Who do we share your information with?

We sometimes share your information with service providers. This could include Hospitals, GPs or other Health and Care services along with other groups like Housing Associations, Voluntary and Charitable Societies, and the Greater Manchester Police. This will make it easier for you to get the services you need when you need them and will reduce the number of times you have to provide the same information.

We may also share information for research and evaluation purposes. This helps us to make sure we are providing the right services, in the right areas, in the right way.

We will always make sure we have a legal basis for processing or sharing your personal information and that we comply with current GDPR and Data Protection legislation.  Anyone working with us must follow the same strict rules we do when using your personal information.

Legal basis for processing

As a Public Authority we have legal responsibilities to provide services to residents.  As a result of these responsibilities we can use your information to support us in providing these services.  This makes us a 'data controller and processor' under Article 4(7 and 8) of the General Data Protection Regulation.  Processing includes collection, recording, storing, changing, sharing or destroying your information.

We have listed below some of the legal acts and regulations that detail the responsibilities and powers we have to provide our services to you:

  • Localism Act 2011
  • Health and Social Care (Safety and Quality) Act 2015
  • Children Act 2004
  • Health and Social Care Act 2001
  • Health and Social Care (Community Health and Standards) Act 2003
  • National Health Service Act 2006
  • Social Security (Claims and Information) Regulations 1999
  • Care Act 2014
  • Crime and Disorder Act 1998
  • Housing Act 1996
  • Homelessness Act 2002
  • Education Act 2011
  • Education and Skills Act 2008
  • Fire and Rescue Services Act 2004
  • Regulatory Reform (Fire Safety) Order 2005 (opens in a new tab)
  • Environmental Protection Act 1990
  • Environment Act 1995
  • Police Reform and Social Responsibility Act 2011

We will use this and other legislation to make sure that what we do with your information is lawful.

When we are sure that the way we want to use your information is lawful, we will only process it in line with the General Data Protection Regulations (GDPR) and current Data Protection Legislation.

According to Article 6 of the GDPR, at least one of the conditions below must apply whenever we process your personal data:           

  1. Consent: you have given clear consent for us to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract we have with you.
  3. Legal obligation: the processing is necessary for us to comply with the law.
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of someone else unless there is a good reason to protect your personal information

More sensitive information or ‘special categories’ of information have stricter rules for processing according to Article 9 of the GDPR. These categories include:

  • Race
  • Ethnic origin
  • Politics
  • Religion
  • Trade union membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex life
  • Sexual orientation.

Information on criminal offences is also considered a special category and must be processed according to Article 10 of the GDPR.

Research and Evaluation

In addition to sharing information to improve the delivery of services, we may also share information with other public organisations to create statistical and anonymised data to:

  • Better plan how we provide services to our community;
  • Help improve services and to make sure they are effective;
  • Be published in various reports that will be publically available;
  • Improve the health of the population as a whole

By anonymising the data we can make sure that it will not contain any personal information. So you, your family or any individual person cannot be identified.

The personal information we use may include names, contact details, family details, lifestyle and social circumstances, financial details and information about services that have been provided or offered and not accepted.

We may also share ‘special categories’ of information which may include physical or mental health details, racial or ethnic origin and religious or other beliefs.

Your information may be shared with service providers, survey and research organisations.  Information will be anonymised before any research is used or made public.  This means that any information that identifies you as a person or your family or carers will be removed before the information or results of any research or evaluation are made public.

When we use your information for research and evaluation reasons we still comply with current Data Protection legislation and the General Data Protection Regulation.  

Detect and prevent fraud or crime

By law we have to protect the public funds we are responsible for. This means we may use the information you provide to prevent and detect fraud. This may involve sharing your information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other public bodies, HM Revenue and Customs, and the Police.

Data matching may also be used to identify errors and potential frauds. This means that we take information from different places and put it together to give a better picture of what is happening.  We may also take part in national data matching exercises undertaken by the Audit Commission.

Information may be shared with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent harm to an individual.

What we do before we share information

Whenever we want to share your information with anyone we will carry out a Data Protection Impact Assessment and record the results.  These include but are not limited to:

  • What specific information is to be shared
  • The purpose of the sharing
  • The lawful basis for the sharing
  • An evaluation of the potential risks that the sharing would create and how we lessen them
  • How the information will be kept secure

The Information Commissioner’s Office have issued a Code of Practice (opens in a new tab), that explains the process we must go through when we do a Data Protection Impact Assessment

Find out more about how and when it is appropriate to share your information from the Information Commissioner’s website (opens in a new tab).

We may also pass your information to other people and organisations providing a service on our behalf. These providers are legally obliged to keep your details securely and use them only to provide the service to you in accordance with our instructions.

Additional information processing

Your information may also be shared with other people and organisations where the organisations are required by law to do so or with appropriate justification under the Data Protection Act 2018, for example where a crime is being investigated we may share your information with the police without your knowledge or consent.

What do we do to make sure your information is secure?

The information you provide will be subject to rigorous procedures to make sure it cannot be seen, accessed or shared with anyone who should not see it. 
These include:

  • All staff receive specific information security training.
  • All staff comply with Information Security policies and procedures. These set out how your information is protected and what happens if the security of the information is breached
  • All the laptops used by staff are encrypted and need a unique logon password and ID to access the computer systems.
  • All desktop computers need a unique logon password and ID to access the computer systems.
  • Staff only have access to the information they need to do their job.  This means if they are not the right person in the right team, they will not be able to see your information.
  • Staff with access to the most sensitive information may need to have a Disclosure and Barring Service (DBS) check.   This check will show any criminal convictions which may mean the staff member cannot be trusted with your information

We also have responsibilities to keep our computer systems secure and take steps to stop outside malicious access also known as hacking. This requires us to comply with requirements specified by Central Government, along with requirements specified by NHS Digital.

Find out more about the Central Government requirements (opens in a new tab)

Find out more about the NHS Digital requirements (opens in a new tab)

How long will you hold onto my information?

There is legislation to tell us how long we must keep some of your information. This can vary from 1 year up to 100 years depending on what the information relates to

Your information will be held for no longer than this legislation says it must be held for.  Not all of the information we hold has its retention stated in law and in these cases we use recommendations from legal advisors and other specialists to decide how long to keep it. 

All decisions that are not based on legal requirements have good, solid reasoning to make sure information is not kept longer than required.

All of these legal requirements and formal decisions are recorded in our retention schedule which should be available on our website.  If you cannot find the retention schedule please contact us on

What are my rights of access to my information?

The GDPR gives you the following rights over your information

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

For more information on the GDPR and your rights go to the Information Commissioners website (opens in a new tab).

How can I exercise these rights?

To find out what information we hold about you, you need to make a Subject Access Request in writing. We have appointed a Data Protection Officer, if you wish to exercise any of your other information rights please email

If you are not satisfied with the response from us you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s website (opens in a new tab).

Who we process information about

We will process information about:

  • Citizens
  • Suppliers
  • Staff, people contracted to provide a service
  • Complainants, enquirers or their representatives
  • Professional advisers and consultants
  • Students and pupils
  • Carers or representatives
  • Landlords
  • Victims
  • Witnesses
  • Offenders and suspected offenders
  • Licence and permit holders
  • Traders and others subject to inspection
  • People captured by CCTV images
  • Representatives of other organisations


The Greater Manchester Combined Authority collects certain information or data about you when you visit and any other websites that include ‘’ in the address. For more information read our website privacy notice

Other links

Emergency Planning and Service Delivery Privacy Notice - Coronavirus

Privacy Notice: Greater Manchester Self Isolation Pathfinder Evaluation