Covid-19 Business Support Grants Privacy Notice
Who we are
Teignbridge District Council is registered with the Information Commissioner’s Office (ICO) as a ‘data controller’ under the Data Protection Act, entry Z5463710. We are a public authority and have a nominated Data Protection Officer who can be contacted on dataprotection@teignbridge.gov.uk.
If you apply for a business support grant (including the Local Restrictions Support Grant or the Additional Restrictions Grant) we will need to collect information about the business and about the person applying.
This notice, in conjunction with our overarching privacy policy, sets out what personal data we will collect, how we will use it, who has access, who we share it with and what your rights are when applying for this support.
What information do we collect about you?
We will collect, store and use the following categories of personal information about you:
- Personal details such as name, address, date of birth, telephone number and email address for you (and your agent where you nominate someone else to complete this application on your behalf)
- Bank account details
- Business information such as business name and registration number, charity number or VAT registration number
- Unique identifier such as national insurance number, unique taxpayer number or self-assessment / partnership number
- Business income and expenditure, for example, bank statements, most recent set of accounts, tax return, ledger details, invoices or receipts
- Lease agreements, business insurance and / or utility bills
We collect telephone numbers and email addresses so that we can contact you, or your agent. If we hold a mobile number for you, or your agent, we may send a text.
Where we get your information from
Information is collected from you as the service user through online web forms when completing your application for a business support grant or by recording of your telephone call if calling our main customer support centre (or our Council Tax, Business Rates and Benefit Service direct). This information will be collected either from you directly as the data subject, or from a representative acting on your behalf.
All of our online forms have their own privacy notice at the beginning before you enter any personal information. We recommend that you read the privacy notice before filling in the form.
How your information will be used
In order to provide services to you, it is necessary for us to collect and hold personal information about you. This information will be processed by us to:
- process your request or enquiry
- contact you in case of a query or an issue concerning the service you have requested
- process and make decisions on applications you have sent us
- process financial transactions
- help investigate complaints or concerns you have raised about the service provided
- help detect and prevent fraud and corruption in the use of public funds and where necessary for law enforcement functions
- maintain our own accounts and records
- help us build up a picture of how we are performing
- provide statistical analysis
- help with research and planning new services
We will use the information you provide to carry out checks to verify your eligibility for the support grant, to administer the distribution of the funds and to contact you regarding your application and on going eligibility. The information you provide may be used for the prevention and detection of fraud and for other statutory purposes, including enforcement action.
We are required to complete post-event assurance checks on behalf of central government in guidance published in relation to the COVID19 business grant schemes. Without collecting this information, the council will be unable to meet its obligations.
If you fail to provide certain information, we may not be able to provide the service you have requested.
You may face prosecution if you have manipulated or falsified your position in order to obtain these payments. Any payment made as a result of fraud will be subject to recovery action, as well as any grants paid in error.
When you contact us requesting certain services, your personal information may be recorded in our Customer Relationship Management (CRM) system to ensure those services can be delivered.
Personal data revealed during a telephone call will be recorded to deliver appropriate services. Occasionally special category personal data may be recorded where you voluntarily disclose health, religious, ethnicity or criminal information to support your request for advice and / or services.
Please read our Customer Support Centre Privacy Notice for more information.
Lawful basis for processing data
The lawful basis for processing your personal data is on the basis of legal obligation and that it is necessary for the performance of a public task.
Teignbridge District Council has a statutory duty under Section 151 of the Local Government Act 1972 to ensure proper administration of the authority’s financial affairs. To meet this requirement, assurance must be obtained that the grant funding has been paid correctly.
In addition, processing is undertaken according to Schedule 2 of the Data Protection Act 2018 for the prevention and detection of crime.
Who we share your data with
We may share your personal data with:
- other council services
- other local authorities and government organisations to check the information provided in your application
- with the credit agency Experian to verify bank account ownership for fraud prevention
- if you apply for a Gap Grant or Small Firms Employment Fund these are processed on the Council's behalf by The Diverse Regeneration Company
- the Department for Business, Energy and Industrial Strategy (BEIS) for monitoring, evaluation and research purposes, as well as for prevention and detection of fraud and/or criminal activities and for suspension and/or recovery of the grant where necessary. BEIS may contact you for research purposes regarding the grant. The government may share your information for the purpose of counter fraud activity and debt recovery with other government departments, agencies and/or local authorities
- HMRC because grant payments are subject to tax
- the Cabinet Office for the National Fraud Initiative data matching exercise (if requested to)
We will not share this data with other organisations or individuals outside of the council for any other purpose unless we are required to do so by law or where it is appropriate to support our duty to protect public funds and / or detect and prevent fraud or other criminal activity or safeguarding requirements.
There may also be instances where our system suppliers will need to access individual’s personal information to ensure that information is being held securely and accuracy is maintained. This will be on a strict need to know basis and all contracts have confidentiality clauses built in.
Where we engage third parties to process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We will not transfer your information to countries outside the European Economic Area (EEA) unless this is necessary, and only to countries which have sufficient safeguards in place to protect information.
We will not share your information with third parties for commercial or marketing purposes.
How long do we keep hold of your information and is it secure?
We will only retain your personal information for as long as we are required to do so by law and the purpose we collected it for. The retention period is either dictated by law or by our discretion. Once your data is no longer needed it will be securely and confidentially destroyed. For example, the Department for Business, Energy and Industrial Strategy (BEIS) has informed that we are required to retain data on Covid-19 business grants for 10 years.
Call recordings will be retained for thirty days after which they will be deleted and no longer retrievable. Customer records can be held on the Customer Relationship Management system (CRM) for up to six years.
We have implemented appropriate technological and operational security in order to safeguard your data from loss or misuse.
Automated decision making or profiling
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Changes in your circumstances
You must notify us immediately if there are any changes in your personal details so we can maintain an accurate and up to date record of your information.
Your rights and access to your information
You have rights under the data protection legislation:
- to access your personal data, known as a subject access request;
- to be provided with information about how your personal data is processed
- to have your personal data corrected;
- to have your personal data erased in certain circumstances;
- to object to or restrict how your personal data is processed;
- to have your personal data transferred to yourself or to another business in certain circumstances;
- you have the right to be told if we have made a mistake whilst processing your data and we will self-report breaches to the Information Commissioner.
Should you wish to exercise any of your rights, you should contact the Data Protection Officer
If you have any concerns
You have a right to complain to us if you think we have not complied with our obligation for handling your personal information by contacting the Data Protection Officer in the first instance.
If you are not satisfied with the council’s response you have a right to complain to the Information Commissioner Office:
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.gsi.gov.uk
Or use their online tool for reporting concerns: https://ico.org.uk/concerns/