Privacy notice

Last updated: September 2025 

Our identity and contact details 

Islington Council is registered with the Information Commissioner’s Office as a Data Controller under the UK General Data Protection Regulation and Data Protection Act 2018.   

Our registration number is: Z6018243 

Our contact details are: Data Protection Officer, Information and Digital Governance Team, London Borough of Islington, 3rd floor, Laycock Wing, 222 Upper Street, London N1 1XR.  Email: DP@islington.gov.uk

Personal data 

Personal data refers to information that relates to a living individual who can be identified directly or indirectly from that data. This may include identifiers such as your name, address, phone number, or email address. Personal data may be provided by you, by someone else, or created by the council while delivering services. 

Some personal data is considered more sensitive and is referred to as ‘special category data’. We only collect this type of data when it is necessary to provide a service, fulfil a legal obligation, or monitor equality for customers and employees. We will always explain why and how this data will be used, provide a clear lawful basis for processing, or seek your consent where appropriate. 

Examples of special category data include: 

• racial or ethnic origin 
• political opinions 
• religious or philosophical beliefs 
• trade union membership 
• genetic and biometric data 
• physical or mental health conditions 
• sex life and sexual orientation 

Finally, criminal offence and convictions data includes information about criminal allegations, legal proceedings, convictions, and security measures. For the council, such data is typically collected in relation to specific employment requirements, investigations into fraud, safeguarding concerns, equality initiatives, or where it is necessary to protect the vital interests of the data subject or others. 

Further details about how and why we use personal data are provided in the section below on 'why we use personal data'.

Our Appropriate Policy provides more detail on our handling of special category data.

Children’s personal data

We may collect and process personal data about children when delivering services such as education, safeguarding, and social care. We ensure that children’s data is handled with additional care and in accordance with relevant legislation. Where appropriate, we seek consent from a parent or guardian. 

Legislation that governs the collection and use of personal data 

We are committed to protecting your personal data and ensuring it is handled responsibly and transparently. In line with Article 5(1) of the UK General Data Protection Regulation (UK GDPR), we follow these key principles when processing your information: 

• lawfulness, fairness and transparency: We process your personal data lawfully, fairly and in a way that is clear and understandable. 
• purpose limitation: We collect your data for specific, explicit and legitimate purposes. It will not be used for anything other than these stated purposes. 
• data minimisation: We only collect data that is relevant and limited to what is necessary for the services we provide. 
• accuracy: We take steps to ensure your data is accurate and up to date. If you believe any information we hold is incorrect, we will correct or remove it promptly. 
• storage limitation: We keep your data only for as long as necessary, in accordance with our Records Retention Policy (available in our policy library). 
• integrity and confidentiality: We use appropriate security measures to protect your data from unauthorised access, accidental loss, destruction or damage. 

These principles guide how we collect, use, store and protect your personal information across all council services. 

Our legal basis for using your personal data 

Under the UK GDPR, we rely on several lawful bases to process personal data depending on the context: 

• consent: when you have given clear permission. 
• contract: when processing is necessary for a contract with you. 
• legal obligation: when required by law. 
• vital interests: to protect someone’s life. 
• public task: To perform official functions. 
• legitimate interests: For our or a third party’s legitimate interests, unless overridden by your rights.  
• where we consider using your data for a new purpose, we will assess its compatibility with the original purpose and ensure a lawful basis applies, in line with the DUAA. 

The majority of our functions fall under the category ‘public task’. 

Why we use personal data 

The council provides a wide array of services to the public, and it often cannot do so without using people’s personal information. Processing covers everything we do with your data - from collecting and storing it, to managing and deleting it. 

We use personal data to: 

• provide services and support to you 
• train staff 
• investigate concerns or complaints about our services 
• monitor and manage spending on services 
• check the quality of services, including meeting regulatory obligations 
• support research and planning of new services. 

Where we specifically require you to provide personal data, we will explain why. You can find more detailed information about how your data is used for particular services on the relevant pages of our website. 

How we use personal data to meet our equalities duties 

The council is legally required to consider the impact of its policies and operations on different groups, including those defined by age, sex, ethnic origin, race, and sexual orientation. To support this, we collect and analyse statistical data to help ensure our policies are fair and inclusive.  Find out more information about our approach to equality and diversity.

Where appropriate we carry out Equality Impact Assessments (EIAs) to evaluate whether our policies or practices may disproportionately affect any group and to promote positive relations between communities. The data used for these assessments is anonymised and does not identify individuals. It does not affect anyone’s entitlement to services or facilities. 

How personal data may be used in other ways or matched with other sources 

We collect your personal information for specified purposes or a set of related purposes. If we intend to use your data for any new or significantly different purposes, we will carry out a Data Protection Impact Assessment (DPIA) to assess compatibility, legal basis, and potential risks. 

For example, the council may use your information to improve and develop services, or to prevent and detect fraud. Where practicable and reasonable, we will inform you of any significant changes to how we process your personal data. This may be done at the corporate or service level, depending on the nature of the change. In some cases, we may seek your consent if the new processing purpose requires it. This ensures transparency and upholds your rights under data protection law. 

We also compare the information we hold about you across different areas of the council. We may collect and match information from other organisations, such as other local authorities or government bodies. This helps us to: 

• check that the information we hold is accurate 
• prevent or detect crime 
• protect public funds from fraud 
• meet our legal obligations. 

In some cases, we may share your information with other organisations so they can carry out these checks too. Any such sharing is done in accordance with data protection law and subject to appropriate safeguards. 

How we collect your information 

To carry out our responsibilities as a local authority and to pursue other lawful or legitimate interests on behalf of our residents and service users, we collect personal information in various ways. These include communication by letter, email, face-to-face interactions, telephone calls, online forms, social media, and referrals from third parties or key stakeholders acting jointly with, or on behalf of, the council. 

How the council handles telephone calls and recordings 

When you contact the council by phone, calls to our contact centres may be recorded in accordance with council policy. These recordings help us monitor and improve the performance of our staff, ensure the accuracy of information provided, and enhance the overall customer experience. Call recordings are kept for a set period and are then deleted in line with council retention policies.   

Please refer to our retention policy.

How the council uses CCTV 

Information about how CCTV is used is available on our CCTV page. 

Who we share your personal data with 

We use several commercial companies and partners to either store personal information or to manage it on our behalf, and to provide certain services to you. Where we have these arrangements there is always a contract or a memorandum of understanding or information sharing protocol in place to ensure that the organisation complies with data protection law.   

We may also need to share data internally between council departments where this is legal and proportionate.   

In addition, there are circumstances when we are likely to share data with other public authorities and organisations where there is a legal basis for doing so, these might include:  

• other local authorities   
• government departments, including HMRC   
• health service providers   
• the police   
• fire brigades   
• housing associations   
• voluntary and charity organisations   
• independent suppliers of council services e.g. care homes
• income recovery agents e.g. bailiffs.  

Sometimes we have a legal duty to supply information about people. This is often because we must give that information to courts, including:  

• when we take a child into care   
• court orders 
• cases under mental health law.  

In very limited circumstances we may share your personal information when there is a pressing and legal reason for doing so, that is more important than protecting your confidentiality. For example, we may share your information:  

• for the detection and prevention of crime/fraudulent activity. 
• if there are serious risks to the public, our staff or to other professionals. 
• to protect a child.  
• to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.  

This risk must be identified as being serious before we can go against your right to privacy. When we are worried about your physical safety or we feel that we need to take action to protect you or another person from being harmed in other ways, where appropriate we will discuss this with you and, if possible, get your permission to tell others about your situation.   

When using personal data for research purposes, the data will be pseudonymised to avoid the identification of an individual, unless consent has been given for the use of the personal data.   

We do not sell or provide personal information to any other organisation for the purposes of direct marketing.   

Transfer of data outside of the UK or EEA 

We do not routinely transfer personal data outside the UK or the EEA. In the rare instances where such transfers are necessary, we implement appropriate safeguards to ensure that the personal data continues to benefit from the same level of protection as it would under UK data protection laws. These safeguards may include adequacy decisions, Standard Contractual Clauses (SCCs), or other lawful transfer mechanisms. 

How we keep your personal data secure 

We take appropriate steps to make sure we hold records about you (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Our security includes:   

• encryption   
• firewall and network security frameworks   
• access controls on systems   
• access controls on council buildings   
• security training for all staff. 

For any processing activities that are likely to result in a high risk to individuals’ rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the UK GDPR. For more information please refer to our Data Protection policy.

How long we keep your data 

We will retain your personal information only for as long as it is needed to fulfil the purpose for which it was collected. This includes meeting any legal, financial, or reporting obligations. 

For further information please refer to our Retention Schedule Policy and Retention Schedule.

In rare cases the council may seek to hold information beyond its retention so that it can be used to help plan and deliver services more effectively. Where this is done, the council will anonymise the data so that individuals can’t be identified. 

Your rights 

The council must provide you with information regarding the data that we hold about you, which includes our purpose for processing your information; how long we’ll hold your information for and who we might share this data with. This is called ‘privacy information’. Specific privacy notices for our services can be found via the links at the bottom of this page. 

You also have the following rights with respect to your personal data depending on our reason for processing your information:  

• he right to be informed   
• the right of access (Subject Access Requests)  
• the right to rectification  
• the right to erasure (right to be forgotten)  
• the right to restrict processing  
• the right to data portability  
• the right to object  
• the right to not be subject to automated decision-making. 

Find out more about your individual data subject rights. This includes information about how to make a Subject Access Request (SAR) to request copies of your data.   

You can also use the contact information detailed to exercise any of your data subject rights including a request for deletion or correction of your data.  In circumstances where you request either deletion or correction and we have shared your personal information with others; we’ll do what we can to ensure they also correct the information or comply with your request for deletion. 

In addition to this general Privacy Notice, we would also encourage you to review our privacy notices relevant to particular services which can be found via the links at the bottom of this page. 

Use of automated decision making 

The council does not currently use automated decision-making (ADM) to make decisions about individuals.  

Managing your consent 

Where you may have provided your consent for the handling and use of your personal information for a particular purpose, you can always withdraw that consent. Therefore, where we have requested your consent, we will provide you with details of how to withdraw it.  Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. However, we will not always need your consent to use your personal data.   

Data analytics 

In order to improve the services that we provide to our residents and ensure we make the most efficient use of resources, we use data and information from a range of sources gathered across the council and from data provided by external organisations. For example, we use data from the NHS, to understand more about the needs, including health and care, of residents. This data is also used to derive statistics and intelligence for research and planning purposes and to monitor how our services are performing. This information may also be used to identify priorities for action and inform decisions made by the council about the services we provide.  

To protect your individual privacy, data analytics are only undertaken using anonymised (where your name or identifying details are removed) or pseudonymised data (where your name or identifying details are replaced with a key).  

At no point will profiling data be used to identify you or your family. It is for research and planning purposes only. We do not use profiling to make decisions about individuals. Where profiling is used, it is solely for research, planning, or service improvement purposes.  

Cookies 

To make this site simpler, we sometimes place small data files on your device. These are known as cookies. Most websites do this to improve user experience. Cookies help us: 

• remember your settings so you don’t have to re-enter them on each visit
• retain information you’ve provided (e.g. your postcode)
• measure how you use the website so we can improve it
• process your IP address for firewall support. 

We use both essential cookies and non-essential cookies.  Essential cookies are necessary for the website to function and cannot be switched off in our systems, while non-essential cookies (such as those used for analytics or personalisation) require your consent before they are placed on your device.  

Our use of cookies complies with the Privacy and Electronic Communications Regulations (PECR) and the Data (Use and Access) Act 2025 (DUAA). Under these laws, we are responsible for ensuring that any cookies or similar technologies used on our website—whether set by us or by third-party services—are deployed lawfully and transparently. 

You can manage your cookie preferences at any time using our cookie settings tool, accessible from the footer of our website. If you choose to reject cookies, your browser can be set to automatically block them or notify you when a website attempts to store a cookie. You can also delete previously stored cookies. Please note that rejecting all cookies may affect your ability to use some features of our website. 

Our cookies are not used to identify you personally. They are simply here to make the site work better for you. 

For more information please refer to our cookie policy.

To learn more about cookies and how to manage them, visit www.aboutCookies.org.  

Measuring website usage 

We use Google Analytics and MS Clarity to collect information about how people use this site. We do this to make sure the website is meeting users’ needs and to understand how we could improve it.  

These analytics tools store information about what pages you visit, how long you are on the site, how you got there and what you clicked on. We do not collect or store your personal information other than your IP address (e.g., not your name or address). We do not try to identify you from your IP address.  

We also collect information on the number of times particular search terms are used and the number of failed searches. We use this information to improve access to the site and to identify gaps in the information content so we can plan appropriate expansion of the system.  

Social network contact 

When you choose to contact the council via social media accounts (e.g., Facebook or X) you should be aware that the council cannot control the data you post there. Once we have transferred any requests for service or complaints from the platform concerned onto our corporate systems, your information will be treated like any other personal data the council holds.  

We would also encourage you to familiarise yourself with these companies’ privacy policies:  

Facebook: Meta Privacy Policy

X: X Privacy Policy

AI (Microsoft Copilot 365) 

We use Microsoft Copilot 365 within the council to enhance staff productivity and efficiency. It is important to note that this generative Artificial Intelligence (AI) tool will not be used to make decisions about service users or residents. Instead, Copilot is being evaluated to understand how it can assist our staff with tasks such as: 

• meetings: Copilot assists with meetings by taking minutes, producing summaries and actions, and helping staff catch up on missed meetings. 
• writing: Copilot helps with writing documents and emails, such as suggesting ways to word something, helping to create drafts and formatting documents. 
• presentations: Copilot is used to speed up the time it takes to create PowerPoint presentations. 
• data analysis: Copilot is used to analyse and visualise data, identify trends, and create reports and graphs. 

The council’s data, used with MS Copilot 365, is stored within our secure Microsoft tenant, which is held within the UK. The data is under the control of the council and is not used to train or improve Microsoft, or third party, AI models. 

Where the council uses resident or service user personal data with MS Copilot 365, this is processed under the lawful basis of ‘public task’ or to fulfil our legal and statutory duties under the legislation cited within our privacy notices. 

Where MS Copilot 365 is used to assist the council with meetings involving members of the public, we may collect video recording or transcripts of conversations. These are used for the purposes of accurate minute taking and are automatically deleted after 60 days. 

We recognise that the potential uses of Copilot may evolve over time. Any new applications will be carefully considered and aligned with our commitment to data privacy and security. To ensure responsible AI usage, we have established an AI Centre of Excellence that oversees staff training, governance, and ethical considerations. 

Contact the council about data protection 

If you have any data protection queries or require further information on how the council handles your data, please feel free to contact our Data Protection Officer, c/o Information Governance Team, London Borough of Islington, 3rd floor, Laycock Wing, 222 Upper Street, London N1 1XR, or by email at dp@islington.gov.uk  

Complaints 

If you have any data protection complaints, or if you believe your personal data has been mishandled, please contact our Information Governance Team, using the contact details above. 

If you remain dissatisfied with the outcome of your complaint, you can refer the matter for adjudication to the Information Commissioner’s Office (ICO) via their website or by using the contact details below. 

Independent advice 

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:  

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF  

Telephone: 0303 123 1113 

Email: casework@ico.org.uk

Future changes 

As the council develops new services, we may need to update this Privacy Notice. Any changes to how we process personal data will be published on this page.