Last Updated: 28th November 2018
Approved by ODC: 10th December 2018
- About us
- What personal information we collect
- When we obtain your personal information
- How we use your personal information
- Disclosing and sharing your personal information
- Sending your personal information overseas
- How we protect your personal information
- How long do we store your personal information
- Payment security
- Cookies and links to other sites
- Your duty to inform us of changes
- What we may need from you
- Your rights and keeping you in control
- Contacting our Data Protection Officer
Appendix A – How we process your personal information
Any questions you have in relation to this policy or how we use your personal information should be sent to firstname.lastname@example.org or addressed to the Data Protection Officer (who has been appointed to oversee our handling of personal information) at "The Data Protection Officer, Onchan District Commissioners, Hawthorn Villa, 79 Main Road, Onchan, Isle of Man, IM3 1RD.
Furthermore, the data protection supervisory authority in the Isle of Man is the Isle of Man Information Commissioner, who can be contacted by calling 01624 693260 or alternatively at www.inforights.im.
2. ABOUT US
Onchan District Commissioners is a local authority operating in the Isle of Man. The address for Onchan District Commissioners is Hawthorn Villa, 79 Main Road, Onchan, Isle of Man, IM3 1RD. For the purposes of the data protection law Onchan District Commissioners will be the Controller.
3. WHAT PERSONAL INFORMATION WE COLLECT
The personal information we collect will depend upon our relationship with you and the services which we provide. Your personal information (i.e. any information which identifies you, or which can be identified as relating to you personally) will be collected and used by the Authority. This includes information you give when using particular services.
We collect personal information that is necessary for us to perform a contract or otherwise perform services to you. We also collect personal information from third parties to allow us to do this. In addition, we may require information from you and from third parties about you to allow us to comply with legislation and regulations that apply to us – examples of this may be for anti-money laundering purposes.
Your activities and involvement with Onchan District Commissioners will generate further information. Examples of this could be information in relation to your contact with us or ongoing account payment data; or it could be just a record of your general enquiries. It very much depends on the service that you are using.
We may generate personal information about you in relation to the services that we offer. In our Housing Department we would generate a customer contact record that would be kept up to date to enable us to best service your needs and requirements e.g. this may be time of the week when you are more likely to prefer a housing repair visit.
We do collect data from third parties but this is in a very limited capacity. For example, we may collect, information from social media where you have given us permission to do so, or if you post on one of our social media pages. Further, we may receive information from Government bodies in relation to you as an individual. This will only be done where there is a defined data sharing agreement between both parties, and you have been made aware.
We may receive, generate and/or collect from third parties the following personal information:
(a) Personal details, e.g. name, previous names, gender, date and place of birth, employment history;
(b) Contact details, e.g. address, email address, landline and mobile numbers
(c) Identification information such as national insurance number, passport number or driving licence number;
(d) Next of kin and emergency contact details;
(e) Information concerning your identity, e.g. photo ID, passport information, National Insurance number or equivalent tax identification number, National ID card, birth number (or equivalent) and nationality;
(f) Job information, e.g. job title or other information about that person's job
(g) Financial information such as financial history and needs, income, bank details, payment details and information obtained as a result of our credit checks;
(h) Information on relevant family members;
(i) Information relating to the advice that is requested or the services that we are providing;
(j) Information captured during telephone calls;
(l) We may carry out credit checks and these may be carried out by third parties on our behalf;
(m) Complaints information;
(n) Records of correspondence and other communications between us, including email and social media communications;
(o) Information that we need to support our legal and regulatory obligations e.g. information relating to the detection of suspicious and criminal activity;
(p) Licence plate details in respect of car park services;
(q) Monitoring of telephone calls to Onchan District Commissioners and the Housing Office; and
(r) Photographs of events ran by Onchan District Commissioners.
Special category personal information
We do not normally collect or store special category personal information. However, where we do these require higher levels of protection. Types of special category personal information which may be processed about you include:
(a) Details of current or former physical or mental health;
(b) Information relating to criminal sanctions (including offences and alleged offences and any caution, court sentence or criminal conviction;
(c) Details of race and/or ethnicity, political opinions, religious or philosophical beliefs or trade union membership; and/or
(d) Data concerning sex life and/or sexual orientation.
We may process special category personal information in the following circumstances:
(a) In relation to an application for social housing;
(b) An application for a job.
(c) 'Shop watch' administration
We will only keep such personal information for as long as is required and in line with our Data Retention Policy. A copy of the Data Retention Policy can be access on the Google Drive at: https://drive.google.com/open?id=1pk53S0hW-RJcYV67sVeoLMdfwp98Wqns
4. WHEN WE OBTAIN YOUR PERSONAL INFORMATION
We collect personal information from a number of different sources, including:
(a) Directly from you or from someone else on your behalf;
(b) Via publicly available sources such as internet search engines and social media sites;
(c) From credit reference agencies and fraud prevention databases;
(d) From government agencies including tax agencies and agencies that issue identification documentation.
5. HOW WE USE YOUR PERSONAL INFORMATION
We only ever use your personal information where it is necessary:
- In order to perform a task carried out in the public interest or in the exercise of official authority held by the controller;
- In order to enter into, or perform, a contract with you;
- With your explicit consent. Usually this will be a one-off and will not permit us to continue processing indefinitely;
- In order to comply with a legal or regulatory obligation to use such personal information;
- In order to establish, exercise or defend our legal rights; and/or
- In order to protect your vital interests **.
** Vital interests are intended to cover only interests that are essential for someone's life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.
We will only use your personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, where this is required or permitted by law.
You will find further details of our legal grounds for each of our processing purposes at Appendix A below.
We do not collect your personal data for the purposes of Marketing. There may be situations where you have requested to be notified of a particular event or activity that you are interested in. At this time we would ask you to opt in to receive this information and will be very specific about what and how your information will be used. At any time you can choose to change your preferences.
6. DISCLOSING AND SHARING YOUR PERSONAL INFORMATION
We will never sell your personal information.
We may share personal information in assisting with responding to enquiries and complaints and also with subcontractors or suppliers who provide us with services. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, if you have a problem with your social housing heating system then we will pass your information to the private central heating contractor. However, these activities will be carried out under a contract which imposes strict requirements on our supplier to keep your information confidential and secure. Our contractor will not use
your information for any other purpose.
Further reasons for sharing your personal information may include
- Prevention and detection of fraud, and where litigation is being contemplated or defended;
- Prevention and detection of crime;
- Employment Screening;
- To fulfil a service offering e.g. Boiler servicing
- Credit and financial checks
- Audit requirements
- To fulfil our legislative responsibilities
Information may be shared with the following organisations
- Law enforcement agencies
- Government departments
- Local Authorities
- Occupational Health
- Contracted third party service providers
- Financial companies
- Financial organisations including Banks and Pensions providers
- External and Internal Auditors
- Third sector organisations (Charities)
Finally, we may also share information with the Isle of Man Public Records Office, which may be permanently preserved for research use at the Isle of Man Public Record Office if the records containing your personal data are selected for permanent preservation under the Public Records Act 1999. This is because the Isle of Man Public Record Office preserves records of the Isle of Man public authorities that are of long-term historic and cultural value. Should you wish to find out more information regarding this please contact the Isle of Man Public Record Office (which is part of the Department of Enterprise) at email@example.com and/or the Department of Enterprises Data Protection Officer at DPODfE@gov.im.
7. SENDING YOUR PERSONAL INFORMATION OVERSEAS
We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the Isle of Man and the European Union. Where we make a transfer of your personal information outside of the Isle of Man and EU we will take the required steps to ensure that your personal information is protected. Such steps may include placing the party we are transferring information to under contractual obligations to protect it to adequate standards. If you would like further information regarding the steps we take to safeguard your personal information, please contact our Data Protection Officer using the details outlined above at paragraph 1.
8. HOW WE PROTECT YOUR PERSONAL INFORMATION
We employ a variety of physical and technical measures to keep your personal information safe and to prevent unauthorised access to, or use or disclosure of your personal information.
We store your digital data in safe and secure locations within the Authority's ICT infrastructure in the Isle of Man. We control who has access to information (using both physical and electronic means). This data is also backed up to protect against loss of our data storage facility. The Authority's ICT systems are audited on a regular basis.
Some of our services use the internet to pass data and therefore this data is stored in the 'cloud' for a period of time. These services that the Authority use have undergone strict evaluation, making sure that the service runs to the highest security standards. We only use cloud services that operate in the EU and are therefore governed by the same strict data protection laws as the Isle of Man.
Our physical files are stored in secure locations and only permitted staff gain access to these files. These premises are protected using access security systems.
Our Document Retention policy identifies levels of security required for particular types of files. Files and documents that contain personal information are given our highest level of security requirement.
Our staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data.
9. HOW LONG DO WE STORE YOUR PERSONAL INFORMATION
How long information will be stored for is contained within the Onchan District Commissioners' Retention Policy and depends on the information in question and what it is being used for. We are required to keep some personal data for specific periods of time in line with legislation. For example, if you have applied for job with the Authority but you were unsuccessful we will delete your information straight away, as this personal information is no
longer required by Onchan District Commissioners.
We continually review what information we hold and delete what is no longer required. We never store payment card information.
10. PAYMENT SECURITY
Onchan District Commissioners accepts a number of payment options and we are required to collect and process payments for a number of our services; e.g payment counters, on-line payments etc.
If you are using a payment card (credit/debit) we will never store your card payment details.
All electronic payment forms (on our website) that request financial data will use the Secure Sockets Layer (SSL) protocol to encrypt the data between your browser and our servers.
If you use a credit/debit card to make a payment, your card details are sent securely to our payment providers (World pay, Barclaycard and Paypoint), we will never store your card payment details on our systems. Our payment providers are all PCI DSS Compliant **.
If you are making your transaction from your PC or Mobile device, we cannot guarantee the security of your home computer or the internet, and any online communications (e.g. information provided by email or our website) are at the user's own risk.
It is important that personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
Any payments made over the telephone using payment card will be done confidentially. No details are written down, they are always input into our payment machines in real time.
If you choose to pay by payment card then this will be done securely using one of our card payment machines. The card and pin will only be managed by yourself, we will never ask for your card or pin at time of payment.
All Cheques will be kept safe and secure in our safe area until they are passed to the banks.
Some of our premises have CCTV and you may be recorded when you visit them. CCTV is there to help provide security and to protect both you and Onchan District Commissioners staff. CCTV will only be viewed when necessary (e.g. to detect or prevent crime), and footage is only stored temporarily in line with our retention policy. The only exception to this would be if footage has been highlighted for review.
Clear CCTV signage is in place in areas where we operate CCTV.
12. COOKIES AND LINKS TO OTHER SITES
Links to other sites
Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working by using the 'Contact us' link at the top of the page).
13. YOUR DUTY TO INFORM US OF CHANGES
It is important that personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
14. WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal information (or to exercise any of your other rights). This is to ensure that personal information is not disclosed to any person who has no right to receive it.
15. YOUR RIGHTS AND KEEPING YOU IN CONTROL
Under data protection law you have the right to make certain requests in relation to the personal information that we hold about you. We will not usually make a charge for dealing with these requests. If you wish to exercise these rights at any time please contact using the details set out above in paragraph 1.
There may be cases where we may not be able to comply with your request (such as where this would conflict with our obligation to comply with legal requirements). However, if we cannot comply with your request, we will tell you the reason provided we are allowed to do so by law, and we will always respond to any request you make.
There may be circumstances where exercising some of these rights (such as the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean that we can no longer provide you with services and may therefore result in the cancellation of the relating contract/your services.
Your rights include:
The right to access personal information/ Subject Access Requests (SAR's)
The right to confirmation as to whether or not we have your personal information and, if we do, to obtain a copy of the personal information we hold (this is known as subject access request) and certain details as to how we use it. We shall reply promptly, and certainly within one month from the point of receiving the request and all necessary information from you. We will usually provide you with your information in writing, unless you request otherwise, or where you have made the request using electronic means, in which case the information will, where possible, be provided to you by electronic means.
The right to erasure
You have the right to ask us to erase your personal information in certain circumstances, for example, where the personal information we collected is no longer necessary for the original purpose. This will need to be balanced against other factors however. For example, we may have legal obligations which mean we cannot comply with your request.
The right to rectification
We take reasonable steps to ensure that information we hold about you is accurate and complete.
However, you have the right to have personal information amended or updated without any undue delay if you do not believe this is the case.
The right to restriction of processing
In certain circumstances, you have the right to request that we stop processing of your personal information, for example, where you think that we no longer need to use your personal information or where you think that the personal information we hold about you may be inaccurate.
The right to data portability
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used digital (machine readable) format and have the right to transfer this data to another controller, without objection or obstruction from us. It should be noted that this request can only be met where data is being processed by automated means and is therefore stored in a way that it can be extracted into a machine readable file. For example, any data stored on paper record would not be available by this method (however, see above for how to obtain copies of your personal information).
Please keep in mind that there are exceptions to the rights above and, although we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
The right to Object
You have the right to object to the processing of your personal information, relating to a particular situation, at any time. This includes personal profiling. We shall no longer carry out the processing of this personal information unless we can demonstrate legitimate grounds for the processing.
The right not to be subject to automated decision making
We do not carry out automated decision making based upon your personal information. Information will be used to assess certain circumstances but this is always subject to ratification; e.g. we have a housing points system for social housing applications, however final allocations of properties are always managed by our allocations team.
The right to complain to the Information Commissioner
You can complain to Onchan District Commissioners directly by contacting our Data Protection Officer using the details set out above at paragraph 1.
If wish to make a complaint which does not directly relate to your data protection and privacy rights, you can do so in accordance with the Onchan District Commissioners' Complaints Policy that can be found on our website.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the Isle of Man Information Commissioner that regulates and enforces data protection law in the Isle of Man. Details of how to do this can be found at www.inforights.im
16. CONTACTING OUR DATA PROTECTION OFFICER
You may contact our Data Protection Officer if you have any questions about how we collect, store or use your personal information.
If you would like further information on your rights or wish to exercise them, please write to our Data Protection Officer, Onchan District Commissioners, Hawthorn Villa, 79 Main Road, Onchan, Isle of Man, or email firstname.lastname@example.org
APPENDIX A – HOW WE PROCESS YOUR INFORMATION
We will use your information for purposes including:
1. To deliver our products and services to you on an ongoing basis and to administer the contract we have with you:
We will use your information to provide products and/or services to you and to administer your accounts. This extends to the provision of:
(a) Social Housing services;
(b) Private parking;
(c) Library services
(d) Receiving and processing payments including Rates, rent, memberships and private refuse collection;
(e) Refuse and recycle collection.
(f) Building Control
(g) Byelaws Enforcement
(h) Dilapidated properties
(i) Procurement of goods
(j) Venue hire
(k) Commercial property management
(l) IOM Local Government Superannuation Scheme
Our lawful basis for using your personal information for this purpose is to perform our contract with you, that it is necessary for compliance with a legal obligation, that it is necessary for the
performance of a task carried out in the public interest, and/or necessary in the exercise of official authority vested in Onchan District Commissioners.
2. Product and service improvement:
We will analyse your information to identify possible service and product improvements. The lawful basis for this is to perform our contract with you and/or that it is necessary for compliance with a legal obligation and/or that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Onchan District Commissioners.
3. Photographs, pictures, press releases:
We run a number of local events throughout the year, ranging from large events such as Onchan Torchlight Procession and Christmas Market, to small events, such as young reading groups in our library. With your consent (or the consent of a parent if aged under 16) and in the interests of generating a closer community we will routinely publish photographs, pictures and press releases which may include your personal information. Furthermore, we may forward photographs of events to media outlets such as local newspapers. Our basis for lawful processing of this personal information is that it is undertaken with consent, and/or that it is necessary for the performance of a task carried out in the public interest.
We have a number of CCTV cameras in operation. CCTV is there to help provide security and to protect both you and Onchan District Commissioners' staff. CCTV will only be viewed when necessary (e.g. to detect or prevent crime), and footage is only stored temporarily in line with our retention policy. The only exception to this would be if footage has been highlighted for review. The lawful basis for processing of this personal data is that it is processed in order to protect the vital interests of data subjects and/or is undertaken in the interests of the public.
5. Telephone calls:
We may monitor or record phone calls made to the reception and housing office of Onchan District Commissioners in case we need to check that we have carried out your instructions correctly, to resolve queries or issues, for legal purposes, to protect our legal rights in case of a dispute, and to help detect and prevent fraud or other crimes. Our basis for lawful processing of this personal information is that it is necessary to perform our contract with you, to comply with a legal obligation and/or that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Onchan District Commissioners.
6. To prevent and detect crime including e.g. fraud, terrorist financing and money laundering:
This will include monitoring, mitigation and risk management. We do this to comply with our legal obligations. We may share your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime.
Additionally we may take steps to help prevent financial crime and manage risk. We will do this because we have a legal obligation to prevent or detect crime or it is in the public interest. We may be required to use your information to do this, even if you've asked us to stop using your information. That could include (amongst other things) passing information to relevant agencies if we think you've given us false or inaccurate information, or we suspect criminal activity.
7. IT systems:
We will use your information to allow us to provide you with access to Onchan District Commissioners' online platforms. The platform may allow you to directly or indirectly communicate with us for applying for services online. The lawful basis for using your information for this purpose is to perform our contract with you.
8. To record events of local and national importance:
On occasions where there is an event of local or national importance your personal data may be forwarded to the Isle of Man Public Record Office. Our basis for lawful processing of this personal information is that it is undertaken with consent, that it is necessary for compliance with a legal obligation and/or that it is necessary for the performance of a task carried out in the public interest, and/or necessary in the exercise of official authority vested in Onchan District Commissioners.
9. Protecting our legal rights:
We may need to use your information to protect our legal rights e.g. in the case of defending or the protection of legal rights and interests, court action and/or managing complaints or disputes. This may be in connection with action taken against you or the persons. We would do this on the basis that it is necessary for the performance of a task carried out in the public interest, necessary for the performance of a contract and/or is necessary for compliance with a legal obligation to which Onchan District Commissioners is subject.