PN012 - Civica Pay Education Payments Privacy Notice
Torfaen County Borough Council is committed to protecting your privacy when you use our services. This Privacy Notice is designed to give you information about the data we hold about you, how we use it, your rights in relation to it and the safeguards in place to protect it.
TCBC Service Area: Resources
Work Area: Financial Services
Contact Details: Wendy Edwards
Privacy Notice Name: Civica Pay Education Payments
Data Controller: Torfaen County Borough Council, c/o Civic Centre, Pontypool, NP4 6YB
If you wish to raise a concern about the handling of your personal data, please contact the Data Protection Officer on 01495 762200 or email dpa@torfaen.gov.uk
This Privacy Notice relates to the information we use to administer the Civica Pay system for school meals and pupil related purchases made by parents.
Who provides your data to the Council?
The personal information we process is provided to us directly by you:
- Your personal data has been sourced from the current information held in the Schools Information Management System (SIMS). To register you will be asked to confirm/provide your contact preferences and these will be used to send out communication to you about your child’s school meal balances, activities and trips.
- Information required for payment purposes will be requested from you directly.
How does the Council collect this information?
- From information already held in the Schools Information Management System
- Information you provide via the Parent Portal
What information does the Council collect about you?
The Finance team collects:
- Payment card details at time of purchase/top up
- Transaction history and balance details
As stated above, all other information will already be stored in the Schools Information Management Systems and only the following will be used to administer the Civica Pay service:
- Contact details for parent/guardian
- Contact details for school-based employee purchasing a meal
- Free school meal eligibility
- Student name/gender/date of birth/class or form
Why does the Council process your personal data?
Under Article 6 of the UK General Data Protection Regulation (GDPR), the lawful basis we rely on for processing this information is:
(e) We need it to perform a public task.
Special categories of personal data
We do not collect any special category data or criminal data for the purposes of the Civica Pay system.
Who has access to your data?
Your data is shared internally only with the appropriate staff where it is necessary for the performance of their roles. This will include:
- the school your child attends
- catering services
- staff within Financial Services who support the Civica Pay application
Your data may also be shared externally with organisations for payment and communications. These may include, but not be limited to:
- External email relay company to send the email communications to you
- Merchant acquiring services to process your card payment
Apart from where previously stated, we do not pass your details to third parties unless we are lawfully required do so.
Is the Data transferred out of the UK?
Yes – our software provider uses an external email delivery service and Standard Contractual Clauses are in place.
How does the Council keep your data secure?
The Council has internal policies in place to ensure the data it processes is not lost, accidentally destroyed, misused or disclosed. Access to this data is restricted in accordance with the Council’s internal policies and in compliance with the UK GDPR.
Data will be stored securely in:
- Our software provider stores your data in a SQL Cloud Database, which is protected using the transparent data encryption service (AES 256).
- The Council does not see or store card holder data, it is captured by Civica Pay for processing purposes only and they are a Level 1 PCI- DSS certified organisation.
Where the Council engages third parties to process personal data on its behalf, they do so based on written instructions. These third parties are also under a duty of confidentiality and are obliged to implement appropriate measures to ensure the security of data.
How long does the Council keep your data?
The Council will hold your personal data only for the period that is necessary and will follow organisational and Local Authority standards in this area. At the end of the retention period the Council will securely destroy or dispose of the data in line with retention schedules.
- The Council will keep a record of all payments made for up to 7 years after the year of processing. This is required for finance and taxation reasons
It should be noted that schools may still retain information for regulatory and statutory requirements outside of Civica Pay. This information will be subject to the school’s Privacy Notice requirements.
Are we making automated decisions/profiling with your data?
No
Your rights
You have a number of Rights you can exercise:
- Access - to obtain a copy of your data on request
- Rectification – to require the Council to change incorrect or incomplete data
- Object, Restrict or Delete - under certain circumstances you can require the Council to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing
- Data portability – to receive and/or transmit data provided to the Council to other organisations (this applies in limited circumstances)
- Withdraw your consent at any time (where consent has been given)
- To know the consequences of failing to provide data to the Council
- To know the existence of any Automated Decision-making, including profiling, and the consequences of this for you.
- To lodge a complaint with a supervisory authority (Information Commissioners Office)
If you would like to exercise any of these rights, please contact Wendy Edwards, Group Finance Officer 01495 766305 wendy.edwards@torfaen.gov.uk
The Information Commissioner can be contacted at: The Information Commissioner’s Office (Wales), 2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH. Telephone 0330 414 6421 or e-mail Wales@ico.org.uk
Last Modified: 17/07/2023
Back to top