Privacy Notice

Torfaen County Borough Council as a Data Controller is committed to protecting your privacy when you use our services. This Privacy Notice is designed to give you an overview of the types of data we hold about you, how we use it, your rights in relation to it and the safeguards in place to protect it.

We have produced more detailed Privacy Notices for each area of processing, and these Service Area Privacy Notices can be accessed here.

Who provides your data to the Council?

Most of the personal information we process is provided to us directly by you when you engage with the Council, e.g. to request a service or make enquiries.

We also receive personal information indirectly from our partners and providers where we work together to deliver services to you. This could include a referral from another agency, Local Authority, Registered Social Landlord, Voluntary Sector, Police, NHS or someone acting on your behalf.  

How does the Council collect this information?

The Council collects personal information through a variety of methods including but not limited to:

  • Forms completed online or in paper format such as requests, referrals, surveys etc
  • Email or paper correspondence
  • Telephone enquiries or face to face at our public buildings
  • Enquiries using Social Media
  • Text or WhatsApp if currently receiving assistance from us
  • Meetings held with our staff
  • CCTV including bodyworn cameras or CCTV vehicle

What information does the Council collect about you?

Personal information can be anything that identifies and relates to a living person. This can include information that when put together with other information can then identify a person. For example, this could be your name and contact details.

Not all departments collect the same data, and they may process your data for different purposes – you can find the relevant Service Area Privacy Notices here.

We may need to collect information about you to:

  • deliver services and support to you
  • keep you informed about the services we provide to you
  • train and manage the employment of our workers who deliver those services
  • help investigate any worries or complaints you have about your services
  • keep track of spending on services
  • check the quality of services provided
  • administering funding or collecting monies due
  • help with research and planning of new services
  • investigating complaints or allegations

This is likely to include the following, but will depend on the above:

  • Contact details e.g. name, address, telephone number, email address
  • Financial information
  • Health information
  • Family details and dates of birth

Why does the Council process your personal data?

There are a number of legal reasons why we need to collect and use your personal information.  Each Lawful Basis relied on under Article 6 of the GDPR, is shown on the detailed Service Area Privacy Notices.

Generally, we collect and use personal information where any of the following may apply:

  • you, or your legal representative, have given consent
  • you have entered into a contract with us
  • it is necessary to perform our statutory duties, e.g. to deliver health or social care services/provide education or refuse services etc
  • it is necessary to protect someone in an emergency
  • it is required by law
  • we want to deliver other support or services

Special categories of personal data

Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information you would not want widely known and is very personal to you. This is likely to be:

  • personal data revealing racial or ethnic origin
  • personal data revealing political opinions
  • personal data revealing religious or philosophical beliefs
  • personal data revealing trade union membership
  • genetic data
  • biometric data
  • data concerning health
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation

We collect and process this type of ‘special category’ data under Article 9 of the UK GDPR.

Where we collect ‘criminal data’ it is processed under Article 10 of the UK GDPR.

Who has access to your data?

Your data is shared internally only with the appropriate staff where it is necessary for the performance of their roles.

Your data may also be shared externally with a range of partner organisations who are storing or processing data on our behalf or helping us to provide a service. Where we have these arrangements there is always an agreement in place to make sure that the organisation complies with data protection law.

These may include, but not be limited to:

  • Service Providers and Partner organisations, e.g. co-ordinating assistance and support services/care and equipment providers
  • IT system suppliers, e.g. databases/applications that hold data
  • Government departments, e.g. Audit and finance requirements including the National Fraud Initiative
    • DWP/HMRC for benefits and Council Tax
    • Reporting on service outcomes, e.g. education/flying start/care provision
    • Anonymised statistical reporting
  • Other Local Authorities/agencies/schools for combined services

Apart from where previously stated, we do not pass your details to third parties unless we are lawfully required do so.

Is the data transferred out of the UK?

The majority of personal information is stored on systems in the UK. But there are some occasions where your information may leave the UK either to get to another organisation or if it’s stored in a system outside of the EU.

Where this is necessary, additional protections are implemented ranging from secure ways of transferring data to ensuring we have a robust contract in place with that third party. We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.

How does the Council keep your data secure?

The Council has internal policies in place to ensure the data it processes is not lost, accidentally destroyed, misused or disclosed. Access to this data is restricted in accordance with the Council’s internal policies and in compliance with the UK GDPR.

Data will be stored securely on:

  • Our secure network
  • Secure IT systems procured by the Council
  • Secure buildings for paper records and IT infrastructure

Where the Council engages third parties to process personal data on its behalf, they do so on the basis of written instructions. These third parties are also under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data.

How long does the Council keep your data?

There is often a legal reason for keeping your personal information for a set period and depending on the reasons for processing, this can range from months for some records, to decades for more sensitive records.

The Council will hold your personal data only for the period that is necessary and will follow organisational and Local Authority standards in this area. At the end of the retention period the Council will securely destroy or dispose of the data in line with retention schedules.

Are we making automated decisions/profiling with your data?

No

Your rights

You have a number of Rights you can exercise:

  • Access - to obtain a copy of your data on request
  • Rectification – to require the Council to change incorrect or incomplete data
  • Object, Restrict or Delete - under certain circumstances you can require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
  • Data portability – to receive and/or transmit data provided to the Council to other organisations (this applies in limited circumstances)
  • Withdraw your consent at any time (where consent has been given)
  • To know the consequences of failing to provide data to the Council
  • To know the existence of any Automated Decision-making, including profiling, and the consequences of this for you.
  • To lodge a complaint with a supervisory authority (Information Commissioners Office)

Where can I get advice?

If you have any worries or questions about how your personal information is handled, please contact our Data Protection Officer at DPA@torfaen.gov.uk or by calling 01495 762200 or in writing to Data Protection Officer, Torfaen County Borough Council, Civic Centre, Pontypool, NP4 6YB.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:

Information Commissioner's Office
2nd floor
Churchill House
Churchill way
Cardiff
CF10 2HH
Tel: 0330 414 6421

Last Modified: 09/01/2026
For more information contact:

Data Protection Officer

Tel: 01495 762200

Email: DPA@torfaen.gov.uk

Back to top

In this Section

Related Content