Who are we and what do we do?
Middlesbrough Council provides ICT Services and guest Wi-Fi in our office buildings and properties.
What type of personal data do we collect and how do we collect it?
We collect personal data from corporate ICT users, including name, job title, payroll number, profile image, private appointments (if added to your calendar), location data based on network location, and internet history and usage. We also collect events related to use of Council ICT hardware, our network, and applications, such as logon and logoff date/time, and information associated with the Council ICT device you use that may be used to uniquely identify you, such as ‘IP address’, asset inventory number, and serial number. If you work from home, we collect information about your home internet connection such as your device’s public ‘IP address’.
If staff members use personal devices to access their Council email or other approved applications and websites, we collect information about the device such as ‘IP address’ and operating system.
When people use our Guest Wi-Fi, we collect device information including their ‘IP address’, ‘MAC address’, and their internet history and usage.
We also collect special category data including biometric data such as fingerprint and facial recognition print if you choose to unlock your Council ICT device that way. We do not intentionally collect data about trade union membership through your use of corporate email or calendars, and we advise you to use personal accounts when communicating with your trade union representatives. Sometimes we are asked to collect criminal convictions and offences data.
How the Law allows us to use your personal data
We use personal data where we have ‘legal obligations’, we use special category data where there is a ‘substantial public interest’, and we use criminal convictions and offences data for ‘statutory or government purposes’. Some of the laws that support our use of this information include the UK General Data Protection Regulation 2016, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, various Employment Laws, and the Crime and Disorder Act 1998.
What is your personal data used for?
We use personal data to manage and provide secure access to corporate ICT devices, network, applications, and the internet, to respond when you make requests for services or assistance, and to monitor and secure the network from misuse or threats. We also use this information to investigate and provide information for management investigations and occasionally criminal investigations and prosecutions.
Will your personal data be shared?
We share some personal data with our providers who help us to provide ICT related services. Sometimes we share information with government bodies and regulators such as the National Cyber Security Centre and the Information Commissioner’s Office. We also share information with law enforcement agencies for the prevention, detection, and investigation of crime.
How do we keep your personal data secure?
We use the following measures to ensure that your personal data is secure: data protection and security policies, information security incident reporting, data and device encryption, system and data access controls, user accounts and passwords, physical and environmental security, staff vetting practices, staff training and awareness, data back-ups, ICT network penetration testing, and business continuity and disaster recovery plans.
How long will we keep your personal data?
We keep information about access to our corporate network for 30 days and Guest Wi-Fi for 24 hours. However, when you access the internet using our services, we keep information about usage for 6 months. We delete information from corporate ICT devices, including special category data, when these are returned to us.
Is your personal data processed overseas?
We do not send personal data used for our services overseas.
Marketing and cookies
We do not use personal data for marketing purposes. Some of our applications and websites use ‘cookies’ or ‘similar technologies’. We only use these where they are strictly necessary or where you have given your consent.
What are your information rights?
Your Information Rights are set out in law and, subject to some exceptions, you have the:
- Right to rectification - to ask for information to be corrected
- Right to erasure - to have your personal data deleted
- Right to object - to how your data is used
- Right to restriction - to request limits on how your data is used
- Right to portability - to request that we move your data to another organisation
- Right of subject access - to request a copy of data the Council holds about you
Making a complaint
If you have concerns about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly with the Information Commissioner's Office. Visit the website of the Information Commissioner's Office.