Bristow & Sutor is incorporated and registered in England and Wales with company number 01431688 whose registered office is at Bartleet Road, Washford, Redditch, Worcestershire, B98 0FL.
At Bristow & Sutor we understand that the privacy and security of your personal information is extremely important. This policy sets out what we do with your information and what we do to keep it secure. It also explains where and how we collect your personal information, as well as your rights over any personal information we hold about you.
This policy applies to you if you use our website, contact us via email, telephone, in writing or meet us face to face.
2. Data Protection Principles
We will comply with data protection law, which states that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
3. What information we collect and when
We only collect information that we know we will genuinely use and in accordance with the EU General Data Protection Regulation (GDPR) and associated data protection legislations. We may collect:
- Your contact details such as; your name, telephone number, email address, that you provide to us when making an enquiry by post, phone, email, when registering on our online applications or by completing a questionnaire online or offline;
- Information that you provide to us to enable us assess your ability to make payments or whether you might be considered to be a vulnerable person. This will involve collection of health and financial information.
- Information that you provide to us when making a payment (including bank account, payment card details and delivery address).
- Video recordings that may be recorded during a visit by one of our enforcement agents and telephone recordings with the Contact Centre.
Information about any device you have used to access our services (such as your device’s make and model, browser or IP address) and also how you use our services. For example, we try to identify which of our apps you use and when and how you use them.
- Video recordings captured when visiting our offices.
4. How may we use your information?
We may use your information for one or more of the following reasons:
- B&S will Process the Personal Data it receives from the Client in respect of the debtors in relation to its enforcement of the recovery of debts owed by the debtors to the Client including the use of the process contained in Schedule 12 to the Tribunals, Courts and Enforcement Act 2007 and/or the recovery of unpaid council tax from a debtor's wages in accordance with an attachment of earning process, the service of arrest warrants, the instruction of insolvency solicitors and High Court Officers and the inspection of commercial properties. In connection with this overall purpose, B&S may also disclose Personal Data to third party tracing agencies to assist it in locating debtors and may receive further Personal Data from such agencies and from the debtors themselves.
- B&S may also use the Personal Data to assess ability to pay, and to consider debtors' vulnerability to ensure they are treated with an appropriate degree of sensitivity. B&S may also Process the Personal Data of members of a debtor's household as a part of its assessment.
- B&S may use the contact details provided (address, email and phone) to enable you access to your account, but also to verify or contact you on matters relating to the account.
- B&S will Process and keep record of all payments made by the debtor.
- B&S will keep record of correspondence and agreements made with the debtor.
- B&S will Process the Personal Data it collects in respect of its use of CCTV at our offices for security reasons.
- B&S will Process the Personal Data it collects in respect of its use of Body Worn Videos (BWV) cameras and its recording of telephone calls with debtors to:
- Monitor the performance of its employees and agents
- Ensure compliance with applicable laws and be able to respond adequately and fairly in the event that complaints are made against it.
- The use of body worn videos also discourages violence against our enforcement agents and may be used to provide evidence to investigate and prosecute any violence against the enforcement agent.
This means that all cookies set by Google Analytics cannot be altered or retrieved by any service on any domain other than bristowsutor.co.uk.
What is the lawful basis on which we are processing your data?
The information that we collect about you will only be used lawfully. The data processing, we carry out on behalf of the council are necessary for:
- the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (the council). [GDPR Art 6 1(e)];
- the purposes of carrying out the obligations and exercising specific rights of the controller (the council) or of the data subject in the field of employment and social security and social protection law. [GDPR Art 9 2(b)];
- compliance with a legal obligation to which the controller (the council and Bristow & Sutor) is subject. [GDPR Art 6 1(c)];
- the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. [GDPR Art 9 2(f)];
- our Legitimate Interest, where we record phone calls and where our enforcement agents record visits. [GDPR Art 6 1(f)].
6. How long do we keep hold of your information?
We will retain your personal information in accordance with the General Data Protection Regulation (GDPR) and never retain your information for longer than is necessary. We are also legally required to hold some types of information to fulfil our statutory obligations. We store:
- Main case information for 2 years after completion. After this, the cases will then be archived for a further 5 years with restricted access for financial data for overpayments and HMRC scrutiny.
- Contact Centre Phone call recordings for 1 year.
- Body Worn Video recordings for 90 days.
Please note: We may retain data beyond these standard retention times if legally required, due to a complaint or incident starting to be investigated before the standard deletion period.
7. Who may we share your information with?
We will not share your information with third parties outside of Bristow & Sutor except where:
- We have to provide additional information to the council.
- We have a legal or contractual requirement to do so, for example meeting our statutory obligations to report to central government.
- We may pass your information to our third-party service providers for the purposes of completing tasks and providing services on our behalf of our clients. When we use third party service providers, we will disclose only the personal information that is necessary to deliver the service. We have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.
8. How do we protect your information?
Data security is of great importance to Bristow & Sutor and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure your data. We take security measures to protect your information including:
- Limiting access to our buildings to those that we believe are entitled to be there (by use of passes, key fob access and other related technologies);
- Implementing access controls to our information technology;
- We use appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, website, mobile app and video cameras;
- Never asking you for your passwords; and
- We follow the internationally recognised security standard ISO 27001, as well as the Payment Card Industry's Data Security standards (PCI-DSS).
9. What are your rights under the GDPR?
Under the GDPR data subjects have several rights subject to certain exemptions:
- The right to be informed: You have the right to be informed. We will inform you of the reason for processing your data, when we first contact you.
- The right of access: You have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a ‘Subject Access Request’.
- The right to rectification: If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it.
- The right to object: You have the right to object the processing of your personal data where we are relying on a Legitimate Interest and there is something about your particular situation, which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
This only applies to telephone and video recordings.
- The right to erasure: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with the law.
Note, however, that we may not always be able to comply with your erasure request for specific legal reasons. Right to erasure does not apply in the following scenarios (i) when the lawful basis for processing the data is 'legal obligation' - Bristow & Sutor has the legal obligation to keep financial records after a case has been completed. (ii) For the establishment, exercise or defence of legal claims' – It is within Bristow & Sutor’s legal rights to retain records of dealing with debtors, in case we later receive legal claims.
Please refer to section 5, for the lawful basis under which we process your data and section 6, for how long we retain your information.
- The right to restrict processing: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (i) if our use of the data is unlawful but you do not want us to erase it, (ii) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it, or (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- Please refer to section 5, for the lawful basis under which we process your data.
- The right to data portability (request to transfer): Bristow & Sutor does not process automated information of debtors, with reliance on consent or contract, as the lawful basis for processing. Therefore, the right to data portability does not apply to any data we hold.
- Rights in relation to automated decision making and profiling: Bristow & Sutor does not use automated decision making and profiling in providing our service on behalf of clients. Therefore, rights in relation to automated decision making does not apply to any data we hold.
The council is the Controller of a lot of the data we process, and it is the Controller’s responsibility to respond to data subjects about their rights. Where this is the case, we may liaise with the Data Protection Officer (DPO) at the council and we will assist them to respond.
We will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect your personal information against fraudulent requests.
For more information on your rights, please refer to the website of the Information Commissioner’s Office (ICO).
10. Contact Details
If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this policy, the way your personal information is processed, please contact us by one of the following means:
DPO, Bristow & Sutor, Bartleet Road, Washford, Redditch, Worcestershire, B98 0FL
If you have a concern about how we handle your data, or you would like to lodge a complaint, you may do so by contacting the Information Commissioner’s Office. Go to ico.org.uk/concerns to find out more.
Mr Andrew Rose – Chief Executive Officer
Bristow & Sutor
Last Review Date: 28th January 2019