This privacy notice tells you what to expect when you have been registered on the Adverse Risk Register of Conwy County Borough Council. In this notice we explain what types of information will be collected about you, how we intend to use it, and who else your information may be shared with.
Your privacy is important to us and we are committed to handling your personal information securely. Under UK Data Protection Act 2018 and General Data Protection Regulation 2016 (GDPR) we are required to protect any personal information we hold about you.
Conwy County Borough Council is the Data Controller of Council data.
Our Data Protection Registration number is: Z4738791
Data Protection officer for the Council is:
The Information Governance Manager – contactable at:
Conwy County Borough Council
Information Governance Unit
PO Box 1
2. Why do we collect your personal information?
The Council owes a duty of care to its employees under the Health and Safety at Work Act 1974 and has a legal duty under RIDDOR – Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 – to record and report incidents of work-related violence.
In the event or likelihood of this happening, personal information about you may be collected to assess the risks to our employees (including the risk of reasonably foreseeable violence) and retained on the Adverse Risk Register.
3. What Personal Information do we hold about you?
The categories of personal information on the adverse risk register may include:
- Contact details,
- Notes and other information we obtain directly from you about actual or adverse behaviour. For example, we may make a note of the words you said if you threatened a member of staff.
4. What do we do with your information?
We will use the information we hold about you for the purposes stated, in general this will be to assess the risks to our employees. We will use the information we hold about you to assess if there is a risk to our staff when they contact or visit you.
Any information gathered will be kept in line with statutory requirements as referred to in section 2 (above) and will not be reused for different purposes or passed or sold to third parties for commercial purposes.
5. Who has access to your Personal Information?
Council staff who look after the register and staff who are working with you or have a need to contact/visit you will have access to the data on the Adverse Risk register. Access is limited to those with a need to know.
In order to prevent unauthorised access or disclosure of the details on the Adverse Risk Register, we have put in place suitable controls to limit the number of people who can see the register. These include;
- Physical controls (all records are kept securely).
- Electronic controls, any computer records are stored in a “locked down” area on the Council’s network which only staff who look after the register can access.
Records will not be visible for general viewing.
6. Who your personal information is shared with.
Your information may be shared with other agencies, organisations and contractors that may come into direct contact with you. We do this to enable them to assess the risks to their employees as part of their work.
Under UK Data Protection laws, we also have a legal duty to pass information to third party organisations such as the Police if there has been a crime committed.
When we believe that others are at risk, we will share information without your consent. When sharing information, we do so in line with UK Data Protection laws and agreed information sharing protocols.
7. How do we collect this information?
We collect this information via a number of methods including:
- Collecting information from those who you may have been aggressive or violent towards.
- Council incident report forms or any other forms as determined by the Council’s Adverse Risk Register operational procedures.
- Other sources- we may receive information about you from other organisations, agencies or service providers.
We may receive information about you either for a legal reason, or because you are receiving a service jointly delivered by another organisation and the Council.
We will match data from other sources to the data we hold at the council, to ensure we have the correct information about you, and update your record on the Adverse Risk Register.
8. How long are records held and is it secure?
Any information gathered will be kept in line with the requirements in section 4 (above). Retention periods will be in line with the Council’s Adverse Risk Register operational procedures.
Information held on the register will be subject to periodic review.
All the information we collect is stored securely on our IT systems. We have strict procedures for the way this is done. All information we hold about you is confidential.
9. What are Your Rights.
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights under the Data Protection Act 1998 and GDPR which are as follows:
- The right to be informed via Privacy Notices such as this.
- The right to access any personal information the council holds about you (also known as a Subject Access Request). You will not be charged for making a subject access request. You are entitled to receive a copy of your personal data within one calendar month of our receipt of your request.
- The right to rectification we must correct factually inaccurate or incomplete data within one calendar month.
- The right to erasure/right to be forgotten. You can ask for your personal information to be erased unless we have a legal obligation to keep or process your information. In the case of the warning markers this will be in line with the Council’s operational procedures and we will only be able to erase your data subject to the outcome of regular risk reviews. This is because of the legal reasons we have to keep it. (Health and Safety at Work Act 1974 and any legal duty under RIDDOR – Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013)
- The right to restrict processing. You have the right to limit how we use your data, unless we have a legal obligation to process your data. We can retain just enough information about you to ensure that the restriction is respected in future. In the case of the Adverse Risk register we already restrict the processing of your data to only those with a need to see it if they are working with you. You will not be able to ask us to stop processing your data because of the legal reasons we have to keep it. (Health and Safety at Work Act 1974 and has a legal duty under RIDDOR – Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013)
- The right to data portability, this will be a structured, commonly used, machine readable format when asked.
- The right to object. You can object to your personal data being used for certain actions such as profiling, direct marketing or research process.
- You have rights in respect of automated decision making (decisions made by a computer) and profiling. You have the right for these decisions to be explained to you or made by a person instead. (Automated decision making does not form part of the Council’s Adverse Risk Register operational procedures.).
- You have the right to withdraw consent for us to use your data, if we have no legal reason to do so. You have the right to positively opt-in or unsubscribe from any of our communications or other mailing lists at any time and we shall continue to make this obvious and easy for you to do.
Please keep in mind that these rights do not apply in all cases, there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
10. Can I see the information you have collected about me?
You have a right of access to your data. All requests for access can be sent to the Council using the contact details below:
Conwy County Borough Council
Information Governance Unit
PO Box 1
A Subject Access request form and other information is available via the following link:
11. Who should I contact if I want to complain?
If you have a complaint in relation to your data rights please contact the Councils Information Governance Unit in the first instance.
If you follow this procedure and are still not happy, you may wish to contact The Information Commissioner's Office at:
The Information Commissioner's Office – Wales