The GMCA is a Public Authority and we have a number of legal responsibilities to provide services to you. These services include the Fire Service, waste collection and disposal and commissioning of services for victims.
To do this we collect, hold and process a large amount of information including personal information about you. Holding this information about you makes us a 'data controller' under Article 4(7) of the General Data Protection Regulation (GDPR). The GDPR works together with the Data Protection Act 2018 to make sure that your information is collected, stored and shared appropriately.
We will collect your information in many forms dependant on how you are accessing our services. This may include using paper or online forms, by telephone, email or in person. This information is important and we make sure that it is stored safely and in accordance with current Data Protection Legislation.
You should expect that we will keep a record of any contact you make with us and that we will only hold the information we need.
More details about what the Data Protection Act 2018 and the General Data Protection Regulations are and what they mean for you can be found on the Information Commissioner’s Website.
The legislation requires us to appoint a Data Protection Officer who is responsible for protecting individuals’ personal data according to current legislation. You can contact the GMCA Data Protection Officer via email at OfficeofDPO@greatermanchester-ca.gov.uk.
To allow us to deliver our required services we may process different types of information. This includes the information shown below:
In deciding what personal data we need, we will:
We may use your personal information to:
We may also use your information or pass it to external organisations for other purposes allowed under relevant Data Protection and other legislation or where you have consented for it to be used for a particular purpose.
We may also use your information to calculate statistical information to prioritise activities, target and plan the provision of services. We make sure that you cannot be identified when we use your information like this.
Specifically this means that we may use your information to:
We may also use your information to help to target some of our services and let you know what information or activities may be available to help you. This may include:
We sometimes share your information with service providers. This could include Hospitals, GPs or other Health and Care services along with other groups like Housing Associations, Voluntary and Charitable Societies, and the Greater Manchester Police. This will make it easier for you to get the services you need when you need them and will reduce the number of times you have provide the same information.
We may also share information for research and evaluation purposes. This helps us to make sure we are providing the right services, in the right areas, in the right way.
We will always make sure we have a legal basis for processing or sharing your personal information and that we comply with current GDPR and Data Protection legislation. Anyone working with us must follow the same strict rules we do when using your personal information.
As a Public Authority we have legal responsibilities to provide services to residents. As a result of these responsibilities we can use your information to support us in providing these services. This makes us a 'data processor' under Article 4(8) of the General Data Protection Regulation. Processing includes collection, recording, storing, changing, sharing or destroying your information.
We have listed below some of the legal acts and regulations that detail the responsibilities and powers we have to provide our services to you:
We will use this and other legislation to make sure that what we do with your information is lawful.
When we are sure that the way we want to use your information is lawful, we will only process it in line with the General Data Protection Regulations (GDPR) and current Data Protection Legislation.
According to Article 6 of the GDPR, at least one of the conditions below must apply whenever we process your personal data:
More sensitive information or ‘special categories’ of information have stricter rules for processing according to Article 9 of the GDPR. These categories include:
Information on criminal offences is also considered a special category and must be processed according to Article 10 of the GDPR.
In addition to sharing information to improve the delivery of services, we may also share information with other public organisations to create statistical and anonymised data to:
By anonymising the data we can make sure that it will not contain any personal information. So you, your family or any individual person cannot be identified.
The personal information we use may include name, contact details, family details, lifestyle and social circumstances, financial details and information about services that have been provided or offered and not accepted.
We may also share ‘special categories’ of information which may include physical or mental health details, racial or ethnic origin and religious or other beliefs.
Your information may be shared with service providers, survey and research organisations. Information will be anonymised before any research is used or made public. This means that any information that identifies you as a person or your family or carers will be removed before the information or results of any research or evaluation are made public.
When we use your information for research and evaluation reasons we still comply with current Data Protection legislation and the General Data Protection Regulation.
By law we have to protect the public funds we are responsible for. This means we may use the information you provide to prevent and detect fraud. This may involve sharing your information with organisations responsible for auditing or administering public funds including the Audit Commission, the Department for Work and Pensions, other public bodies, HM Revenue and Customs, and the Police.
Data matching may also be used to identify errors and potential frauds. This means that we take information from different places and put it together to give a better picture of what is happening. We may also take part in national data matching exercises undertaken by the Audit Commission.
Information may be shared with organisations such as the Police to prevent or detect crime, apprehend or prosecute offenders or prevent harm to an individual.
Whenever we want to share your information with anyone we will carry out a Data Protection Impact Assessment and record the results. These include but are not limited to:
The Information Commissioner’s Office have issued a Code of Practice, that explains the process we must go through when we do a Data Protection Impact Assessment
Find out more about how and when it is appropriate to share your information from the Information Commissioner’s website.
We may also pass your information to other people and organisations providing a service on our behalf. These providers are legally obliged to keep your details securely and use them only to provide the service to you in accordance with our instructions.
Your information may also be shared with other people and organisations where the organisations are required by law to do so or with appropriate justification under the Data Protection Act 2018, for example where a crime is being investigated we may share your information with the police without your knowledge or consent.
The information you provide will be subject to rigorous procedures to make sure it can’t be seen, accessed or shared with anyone who shouldn’t see it.
We also have responsibilities to keep our computer systems secure and take steps to stop outside malicious access also known as hacking. This requires us to comply with requirements specified by Central Government, along with requirements specified by NHS Digital.
There is legislation to tell us how long we must keep some of your information. This can vary from 1 year up to 100 years depending on what the information relates to
Your information will be held for no longer than this legislation says it must be held for. Not all of the information we hold has its retention stated in law and in these cases we use recommendations from legal advisors and other specialists to decide how long to keep it.
All decisions that are not based on legal requirements have good, solid reasoning to make sure information is not kept too long.
All of these legal requirements and formal decisions are recorded in our retention schedule which should be available on our website. If you cannot find the retention schedule please contact us on firstname.lastname@example.org.
The GDPR gives you the following rights over your information
For more information on the GDPR and your rights go to the Information Commissioners Website.
To find out what information we hold about you, you need to make a Subject Access Request in writing. If you wish to exercise any of your other information rights please contact us on OfficeOfDPO@greatermanchester-ca.gov.uk.
If you are not satisfied with the response from us you can complain to the Information Commissioner’s Office. For further details on this and your information rights please visit the Information Commissioner’s Website.
We will process information about:
The Greater Manchester Combined Authority collects certain information or data about you when you www.greatermanchester-ca.go.uk and any other websites that include ‘greatermanchester-ca.gov.uk’ in the address. To read our website privacy notice please click here.