Risk Management and Insurance privacy notice
This page explains how information about you will be held and processed by the Risk Management and Insurance service.
You can find out about the General Data Protection Regulations and Data Protection Act 2018 and your rights on our privacy notice page.
This document contains information about:
- who we are
- why we collect your personal information
- the legal basis for using your information
- who we may share your information with
- how you can access the information we hold about you
- how long we keep information about you
- further information and the Council’s Data Protection Officer.
Who we are
We will be the Data Controller for the personal information you provide in connection with Bournemouth, Christchurch and Poole Services.
Personal information can be anything that identifies and relates to a living person. This could be your name and contact details. As the Data Controller, BCP Council will use your information to provide you with our services and meet our legal and insurance obligations.
Why we collect your personal information
Not all of the following will apply in every case. The list takes account of the interests of various parties. This includes staff, claimants and contractors, in both insurance and risk management matters.
We will collect enough personal information:
- to administer a claim or complaint. Administering a claim or complaint may include carrying out an investigation into the incident circumstances, both internal and external correspondence and liaising with specialists such as insurers and solicitors
- to communicate with you
- to arrange, manage or cancel cover under the council’s insurance policy
- to provide insurance advice (for example, in contract matters)
- to provide a service (for example, travel or engineering insurance)
- for audit purposes. Claim data may need to be provided to internal and external audit officers who have legal powers to access insurance records
- to comply with internal and external reporting obligations (this may include Corporate Governance obligations and incident notifications to an insurer)
- to manage the council’s risks
- for anti-fraud purposes, and
- for statistical analysis. Such statistical and descriptive (but not personally identifiable) information may be used:
  - internally, to inform relevant council officers in order to manage the vehicle fleet, improve staff and public safety, assist service delivery and guide risk management support
  - externally, to respond to Freedom of Information requests.
We are not permitted to collect information we do not need or will not use. This page covers information you have provided direct to the Council and information which has been shared with us by other organisations or internal services.
If we don’t need your personal information, we will either keep your details anonymous if we already have them for another service, or we won’t ask you for them. If we use your personal information for research or analysis, we will always keep your details anonymous or use a fake name.
We don’t sell your personal information to anyone else.
The legal basis for using your information
According to the General Data Protection Regulations (GDPR) and the Data Protection Act 2018, we must have a reason to collect and use your information.
This will be:
- to deliver services and support you
- to enable us to manage the services we provide
- to train and manage our workers who deliver those services
- to investigate any worries or complaints you may have about our goods or services
- to check the quality of our goods and services
- to help with research and planning of new services
- to manage public finances for which the Council is responsible
- to comply with legal requirements
- to notify potential claims to the Council’s insurers
- to arrange, manage and cancel Insurance cover
- to manage risk.
There are a number of legal reasons why we need to collect and use your personal information. More detail is given below but broadly this is:
- carrying out public service tasks.
Some explanatory comments for the Insurance and Risk Management service:
- in order to carry out its public functions, the council arranges insurance cover. That contract requires sharing of risk information to arrange, manage and cancel cover
- the council needs to manage its risks in order to promote safety and plan for the future
- processing the data claimants or complainants provide is necessary in order to perform a claim or complaint administration role, distinguish a particular claim from others and to communicate with parties that require a response
- The United Kingdom’s civil courts require the preservation and disclosure of various related documentation. This includes initial reports about how an accident occurred. For example, if a claim matter becomes a civil case, we will ask for additional personal information in relation to the claim.
- public authorities have a legal obligation to protect public funds they administer. We are required to notify insurers about potential losses of which we become aware (whether notified by an injured party or not). This is in order to benefit from the protection of our insurance cover
- legislation grants certain officers and bodies rights of access to personal data and we will comply with such legitimate requests. This would include sharing data to prevent, detect, investigate or prosecute fraud for example
- checks on the integrity of data are required to meet the obligations imposed by privacy legislation, and to ensure the information held is accurate.
In relation to the processing of claims or complaints records to extract non-personal data:
- we will also store non-personal data associated with a claim (eg type of loss, location, costs etc). We will use this to comply with Freedom of Information requests
- it is in the public interest to learn from situations that arise and promote improvement where this is practicable. To do this, we will compile non-personal data sets for the use of officers in decision-making. Unless your personal information is already known to the recipient, it will not be included in this type of use.
Our service also needs to use sensitive personal data, called “special category data”. This requires more protection to keep it safe. This is often information you would not want to be widely known and is very personal to you. It includes:
- physical or mental health
- criminal history (eg fraudulent claims).
We will take extra care of this data. The legal reason for us to collect and use this personal information is:
- it is necessary for legal cases
- you or your legal representative have given explicit consent.
Who we may share your information with
Internally, the insurance team will need to obtain and share information with specific officers. This is so they can fulfil insurance and risk management responsibilities. For example, this would include creditors, highway inspection team, any service team, auditors, management. Data is only shared as the circumstances of the responsibility dictate.
Externally, we use a range of organisations to either store personal information or to help deliver our services to you. Sometimes we have a legal duty to provide your personal information to other organisations, for example the court service or HMRC.
We may also share your personal information with these organisations:
- the council’s insurers,
- loss adjusters or solicitors acting for the council’s insurers,
- other insurers (to prevent fraudulent claims)
- local authorities for whom the insurance team provides a shared service
- council owned companies and charities, and
- the Cabinet Office as part of the National Fraud Initiative process.
Your information will not be disclosed to any other organisations, except where we are required and allowed to by law.
We may seek your consent if sensitive personal data is required to be shared with our insurers or their appointed representatives as part of the claim process. This will be clearly communicated to you. We will only share your details with these organisations if we have your consent. We will not share your information otherwise.
Accessing the information we hold about you
You have the right to request, in writing, details of the information that is held about you. You also have the right to access a copy of the information. This may be by the council providing copies of documents or by inviting you to view the records at one of its offices, if appropriate. Please see our webpage for further information about how to make a subject access request.
We will not charge a fee to access your information. Sometimes there may be information that we are not allowed to show you, such as:
- legal information or advice
- crime prevention and detection records
- information that we believe may be harmful to you and your well-being
- details about or provided by other people. This is called third party information. For example, information from the Police or Department for Work and Pensions.
You may also ask us to:
- stop processing your information if this causes or might cause damage or distress
- stop processing your information for direct marketing
- make decisions about you using your information by automated means (For example, using computers to decide on an entitlement)
- amend any of your data which you feel is inaccurate. You can also ask for information to be blocked, erased or destroyed.
- transfer your information electronically to another service provider.
- consider a claim for compensation for any damages caused by a breach of the Data Protection regulations.
If you give consent for us to use your information, you may withdraw this at any time. However, this may affect our ability to continue to provide you with a service.
How long we keep information about you
Claim or Complaint matters
We will retain this information for the following time periods depending on the claim or complaint circumstances and legal requirements:
1. Personal data relating to most personal injury, property or motor claims will be retained for 6 years after the incident date.
2. For claims like those described in 1 above, but where the file is open/active beyond 3 years after the incident, personal data will be destroyed three years after closure.
3. Less frequently, some claim retention times are influenced by material and legal factors. Where incident dates are not clear (for example in a subsidence incident) or a summons is issued, this can extend the time papers need to be kept in order to process a claim or potential claim. In such cases, personal data will be destroyed three years after file closure.
4. Personal data relating to matters where the courts extend the right to make a claim a considerable time in the future will be retained for as long as it is anticipated a claim may be made. As an example, an injury to a child may be pursued after they have reached the age of 18.
5. Information required to arrange, manage or cancel insurance cover will be retained for as long as a claim may be made upon that cover in order to protect the position of the parties involved. That time period is determined by legal rules but will usually be many decades.
6. With similar legal claim timescales in mind, contractual advice is retained 21½ years after expiry of the agreement.
7. Business and corporate risk registers (if personal data of staff or other parties is relevant and included) are retained indefinitely.
If you have a concern about how we are using your information, we would ask you to contact us in the first instance using the address below:
The Risk Manager
Audit and Management Assurance
Data Protection Officer
The Data Protection Officer role for BCP Council is held by the:
Contracts, Commercial and Information Governance.
If you have any queries or concerns about how your personal information is used, please contact us using our general enquiries form first, or by writing to or visiting us at:
For further information about Information Rights legislation, please contact the Information Commissioner’s Office at www.ico.org.uk or by telephone 0303 123 1113.