Privacy notice

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

• Your name
• Your date of birth
• Your contact details
• Your image

Special category data is the most sensitive type of personal data and is protected by stronger safeguards. It includes:

• Information about your health or any social care services that you may use
• Information that could identify your racial or ethnic origins
• Information that could identify your political beliefs
• Information that could identify your religious or philosophical beliefs
• Information that could identify your trade union membership
• Genetic data
• Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
• Information about your sex life, or sexual orientation

Please see the list of directorate and service specific notices listed at the bottom of this page for more details about the personal data that is processed in each area and where it comes from.

Our reasons for using personal information include:

• delivery of services and support to you
• managing and development of our services
• running consultations
• determining risks and implementing measures to reduce those risks
• training workers
• investigating complaints about our services
• monitoring and protecting public spending
• monitoring the quality of our services to ensure they are delivered in the most efficient and effective way
• helping us to improve and plan new services
• complying with laws that require us to provide personal information to other organisations, such as health organisations and courts
• enabling communication with user groups/landowners/contractors/volunteers
• dealing with third party claims for damage/injury caused by or claims for damage to council or highway assets
• for security purposes or to investigate possible fraud or other violations of our User Agreement or this Privacy Policy and/or attempts to harm our members or visitors

My Care Record

The council is a part of the My Care Record approach which is supporting the work of health and care organisations across the East of England. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care.

For example, a doctor treating you in hospital, or a nurse working in the community, could view the information they need from your social care records.

For more information, including the My Care Record Privacy Notice, please visit the My Care Record website.

National Data opt-out

Under the national data opt-out everyone who uses publicly funded health and/or care services can stop health and care organisations from sharing their “confidential patient information” with other organisations so they can use it for research or planning purposes.

At this time, the council does not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose.

You can find out more at Your NHS data matters.

Personal and special category data

Under data protection law, the council can only process your personal and special category data if it is lawful to do so.

We will usually be allowed to use your information because we are complying with a specific public task, or because the service we are providing is set out in law, however, there may be other reasons.

To find out which legal bases different services rely on when processing your personal data, please see the service specific privacy notices which are listed at the bottom of this page.

Criminal offence data – general processing

Some services also process criminal offence data which may include:

• Information about any criminal record or criminal history
• Allegations of criminal behaviour, including unproven allegations
• Absences of convictions, for example the results of DBS checks, or Police National Computer checks
• Personal data of victims and/or witnesses
• Personal data about criminal penalties that may have been awarded.

If you want to find out whether a service is processing criminal offence data about you, and which lawful bases they are relying on, please see the service specific privacy notices which are listed at the bottom of this page.

Law enforcement purposes

Some services process personal and special category data for law enforcement purposes. To make sure that this processing is lawful, the relevant services are competent authorities for the purposes of Part 3 of the DPA 2018, and they process personal data to prevent, investigate, and prosecute criminal activities, or exercise criminal penalties.

To find out more about whether a service is processing personal data for law enforcement purposes, and which lawful bases they are relying on, please see the service specific privacy notices listed at the bottom of this page.

Sometimes, council services rely on recognised legitimate interests, or legitimate interests as a reason for processing your personal data. These lawful bases under the UK GDPR (as amended by DUAA) allow your personal data to be used in ways that you would reasonably expect and that have a minimal impact on you, or where there is a justified reason for processing your data.

Where a service relies on legitimate interests, it will only apply in respect of processing personal data that falls outside of its public authority tasks. You can find out more information about whether or not services are relying on legitimate interests to process personal information, and what those legitimate interests are, by looking at the service specific privacy notices listed at the bottom of this page.

The council rarely relies on consent to process your personal data. This is because the law says that consent must be a genuine choice about how your personal data is used. Because most of the council’s functions are set out in law this means that to meet those obligations, your personal data will need to be processed in some cases, even if you refuse consent.

However, where consent is used, it will be made clear to you at the start and will be included in the relevant service specific privacy notice listed at the bottom of this page. Where we do rely on consent to process your personal data, there will be clear information about how you can withdraw that consent.

The council will not sell or give personal information to any other organisation for direct marketing purposes without your consent.

SCC has contracts with some other organisations to help us provide services in certain areas, or to manage information. Those contracts and other arrangements have procedures in place which require the organisations to comply with data protection law so that the information will only be used to discharge those functions.

SCC will not share your personal information with third parties generally, though there are some situations in which we have a legal duty to do so, which may override your right to confidentiality in that particular circumstance. These include:

• court proceedings
• detection and/or prevention of crime or fraud
• to protect a child
• to protect a vulnerable adult

We always aim to share the minimum amount of information that will enable us to fulfil our legal obligation and will try where possible to protect your information by anonymising it. We will keep you informed about what information we have shared and with whom, where we are legally able to do so.

We will sometimes share data with third parties to help us, for example, to deliver our services to you. If this happens, the department providing the service to you will tell you which organisations your information has been shared with. Please see the service specific privacy notices listed at the bottom of this page for details about which organisations individual services share your information with.

Suffolk Office of Data and Analytics (SODA)

SODA is a collaboration between Suffolk’s local government bodies, police and healthcare board. It exists to create insight from information shared by each of the partner organisations, including Suffolk County Council.

Suffolk County Council does share personal and special category data with SODA for the purposes of analysis and for producing meaningful intelligence from the information, with a view to improving decision-making, service design and delivery, and ultimately benefitting the lives of Suffolk residents.

In particular, Suffolk County Council directorates share the following information:

• Adult social care data, including demographics and addresses
• Children and Young People social care and early help data, including demographics and addresses
• Education data, including demographics, addresses, SEND, free school meals, attendance, post 16, NEET, Youth Justice, and exclusions and suspensions
• Ordnance Survey address base

To find out whether a service transfers any personal data to countries or international organisations outside of the EU, the EEA (European Economic Area), or to any other country that does not have an equivalent level of data protection to the UK, please see the relevant service specific privacy notice in the list below.

The council will only keep personal data for as long as we need it to provide services, fulfil its obligations, to comply with any legal requirements for keeping certain types of information, and in line with any statutory or locally determined retention periods.

To find out how long services keep different types of information for, or to find out who to contact, please see the relevant service specific privacy notice listed at the bottom of this page.

Automated decision-making is when a computer makes a decision about you automatically, without a person being involved. Profiling is when a computer uses information about you to predict things about you, such as your needs, interests, or behaviours.

An example of each includes:

• Automated decision-making - a computer system deciding if you are eligible for a service based only on information that you have entered online
• Profiling - using your past service use to predict what you might need in the future

To find out whether a service is using your personal data to make automated decisions, or for profiling, please see the relevant service specific privacy notices listed at the bottom of this page.

See below for full details of each of the rights under data protection law, and when they may apply.

If you would like to make a request to exercise any of these rights, please contact the Information Governance team at data.protection@suffolk.gov.uk.

Under the Data Use and Access Act 2025 (DUAA), you have the right to complain to the council about how your personal data has been used.

You can make a data protection complaint if you are concerned about how the council has handled your personal data. For example, you may be worried about:

• How we have responded to your request to access your personal data
• How your personal data has been collected or used (for example, if it is incorrect)
• Whether your personal data has been kept secure

Informal complaints

You’re welcome to contact us by email via data.protection@suffolk.gov.uk to see if we can resolve any concerns you may have informally. If we can’t, we will send your correspondence to the council’s Customer Rights team to respond formally, as per the below.

Formal complaints

You can submit a formal data protection complaint with us.

You can also read more on how to make a data protection complaint.

If you remain unhappy with the outcome of any formal complaint you may submit, you are welcome to escalate your complaint to the Information Commissioner’s Office (ICO).

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

Email: casework@ico.org.uk