Below is the council's corporate privacy notice. For specific services' privacy notices, and corporate data protection policies, see the
Related Information box on this page.
For further details in relation to your information and your rights please go to the Information Commissioners Office website.
London Borough of Merton Corporate Privacy Notice
24 May 2018
The London Borough of Merton (referred to as "we" throughout this document) is a Data Controller in line with Data Protection law, as we collect and process personal information about you in order to provide public services and meet our statutory obligations. Please see below 'Why we need your information', for a full description of the public services in which we may use your personal data.
We are committed to protecting and respecting your privacy. Through this Privacy Notice we have tried to be as transparent as possible to fully explain how your personal data is held and processed. It explains when and why we collect personal information about people who come into contact with us, whether through applying or receiving our services or living or visiting the borough or our website.
This Privacy Notice also explains how we collect, use and share your information and how long we keep it, and how we keep it secure.
Any questions regarding our privacy practices should be sent to:
Data Protection Officer
London Borough of Merton
What type of information is collected about you
We may collect various types of personal data about you
depending on the services you receive and your contact with us, such as your:
- Contact details; including name, address, email address, telephone number, etc
- Financial details for purposes of receiving or making payments
- Date of birth
- Employment details (when you apply for jobs)
- Proof of identity
- Housing information relating your Council tenancy
- National identifiers such as; NHS & NI numbers
- Visual images, personal appearance and behaviour
- Information about your family.
- Licenses or permits held
- IP address and information regarding what internet pages are accessed and when
- Business activities
- Lifestyle, social and personal circumstances
- The services you receive
We may also collect various types of sensitive personal data, sometimes known as special categories from individuals, such as:
- Physical or mental health details
- Political affiliation and opinion
- Racial or ethnic origin
- Offences (including alleged offences)
- Gender and sexual orientation
- Religious or other beliefs of a similar nature
- Trade union membership
- Criminal proceedings, outcomes and sentences
We may also record and monitor telephone calls to our Contact Centre for quality and training purposes.
When you visit our website, cookies are used to collect information about website usage. For more details see our
Why we need your information
We need your personal data in order to provide you with council services that you apply for, or receive, from us and also for where we are required to use information in order to meet our statutory obligations. We will only collect personal data that is absolutely necessary and any information we collect about you will be strictly in accordance with Data Protection legislation and other statutory obligations which we are bound by.
We process your information for the following services, including:
- Council tax and Business Rates
- Landlord Licencing
- Housing benefit
- Voting and elections
- Housing Needs
- School admissions and education services
- Parking permit and blue badge applications
- Youth services
- Adults and Children's social care services
- Birth, marriages and deaths
- Planning and building control applications
- Health and wellbeing
- Bins, recycling and waste collection
- Crime and public safety
The lawful basis for using your information
We collect and use information under one or more of the following legal bases.
Public task – we need to process your information to comply with the law such as schools admissions, waste collection, collecting council tax etc.
Legitimate interest – we need to process your information and share in your interests e.g. Safeguarding
Consent – we need your permission to use your information for purposes including marketing
Contract – we need to process your information as part of a contract such as contract of employment.
Legal obligation – we need to share your information with public authorities e.g. HMRC
Vital interest – we need to process you information to protect someone's life in an emergency.
Where we require consent to use your information we will make it clear when we ask you for consent and also explain how you can withdraw your consent.
You will be advised of any additional purposes or uses at the time the information is collected or used.
Who your information may be shared with
We have statutory obligations to collect, process and share personal or sensitive personal information without consent, with our partners such as the NHS, housing associations, schools, central government, such as DWP, HMRC, Home Office, Department of Education, Department of Health, other councils and law enforcement agencies such as the Police and the Crown Prosecution Service, for the following purposes:
- Health and wellbeing and public health
- Prevention of fraud including participating in the National Fraud Initiative
- Safeguarding of vulnerable adults and children
- Protect you or other individuals from serious harm
- Prevention and detection of crime
- Protect public funds
- Assessment of any tax or duty
- Public safety and law enforcement
- Collection of debt
- Criminal or civil prosecution of offenders
- If required to do so by any court or law
- National security
We may also share your information with our partners to deliver national government programmes and initiatives such as the Troubled Families programme, or improving services we deliver, or provide the services you agreed to receive. We may share with:
- NHS (GPs, Hospital, Mental Health, CCGs etc.)
- Voluntary sectors
- Central government
- Other councils
- Housing associations
In most cases this will be done where there is a lawful basis under the conditions set out in the Data Protection Legislation.
We may also share your information with third party service providers working on our behalf for the purposes of completing tasks and providing services to you on our behalf (for example; domiciliary care providers). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure, as required by the Data Protection Act 1998 and General Data Protection Regulation 2016 (GDPR), and not to use it for any other purpose.
How long we keep your information
We keep your information in line with any legal or business requirement as detailed in the council's retention schedule.
Marketing and e-newsletters
We always act upon your choices around what type of communications you want to receive and how you want to receive them e.g. email newsletters to inform you of what we're doing, news and events.
You have a choice about whether or not you wish to receive information from us. If you no longer want to receive our e-newsletters, then you can do this by clicking the unsubscribe link or responding to the email sender.
We will never use or share your personal information to third parties for marketing purposes without your permission.
We may analyse your personal information to improve services and for the following purposes;
- undertake statutory functions efficiently and effectively
- service planning by understanding your needs to provide the services that you request
- understanding what we can do for you and inform you of other relevant services and benefits
- help us to build up a picture of how we are performing at delivering services to you and what services the people of Merton need
- analysis of costs and spend of services we provide so that we can to ensure better and efficient use of public funds
- evaluating, monitoring health of the Merton population and protecting and improving public health
We are however committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position.
Pseudonymisation is where the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
Anonymisation is the process of removing identifying particulars or details from (something, especially medical test results) for statistical or other purposes.
Profiling means any form of automated processing of personal data to analyse or predict aspects concerning individuals economic or health situation, personal preferences, interests etc. However, we will notify you where we would do this and where required we will seek your consent.
Automated-decision making means any processing that is carried out by automated means without any human review element in the decision-making e.g. carrying out credit checks searches to detect and reduce fraud.
We may use your information from the different services that you engage with to create a single view and profile of you, which will help us to better understand your specific needs and ensure we are providing the right and efficient services to you in accordance with your needs as well as ensure that we hold one accurate record of your basic personal data across all our services; such as your name, date of birth, address, email address, change in circumstances etc.
Protecting your information
Any information held by the council about individuals is held securely and in compliance with all current data protection legislation.
We are committed to protecting our service user's personal data. We have put measures in place to ensure that our staff, service providers, partners and suppliers all protect your information in line with the law and follow best practice. The information security measures we've put in place include:
- following best practice and the law when it comes to collecting, handling and giving access to information in both manual and electronic forms
- annual training for staff in their data protection responsibilities
- access to your information is only given to those who need to know and where it is necessary
- information will not be held for longer than required and will be disposed of securely
- we encrypt all our electronic devices and sensitive information that is transmitted is encrypted
How you can access, update, restrict, remove or correct your information
Data Protection law gives you the right to apply for a copy of information about yourself, called a Subject Access Request. You will need to request this in writing and provide proof of identity.
How to request your information
The accuracy of your information is important to us to be able to provide relevant services so if you become aware that your information is not correct, please email
If you wish to request that the council restrict processing your data or sharing your data, including for marketing purposes, please email
firstname.lastname@example.org and we will then consider your request in accordance with the legal basis we have to process your data (see below) and let you know our decision.
Your information choice and rights
Where we use your personal data to fulfil a statutory obligation, for other purposes other than what you have consented or where the data protection law allows, then we will let you know so that you can make an informed choice about how your information is used.
If you do not want your information to be used for any purpose beyond providing the services you have agreed to receive, such as; sharing it with our partners or providers for service delivery planning or improvement of services or for Business Intelligence, profiling research or statistical purposes you can choose to opt out of this. However, if you opt out or withdraw consent from certain processing of your information, we may not be able to deliver certain services to you.
You may not be able to object to your information being used, held, or shared under certain circumstances. For example, where have a duty to safeguard a vulnerable adult or a child, or the prevention and detection of crime, or where we are required to fulfil our statutory obligations.
Where you would like to withdraw your consent or opt-out of any other use of your information, please contact the Data Protection Officer using the details above.
The Information Commissioner's Office
The Information Commissioner is the UK's independent body set up to uphold information rights. If you would like to know more about your rights under the Data Protection law, and what you should expect from us, visit the Information Commissioner's website.
If you have a complaint or any concerns regarding our privacy practices or about exercising your Data Protection rights, you can
contact the Information Commissioner's Office.
Changes to our Privacy Notice
We will review and updated this Privacy Notice to reflect any changes in the services we provide.
A Caldicott Guardian is a senior person within social care who makes sure that service users' personal information is used legally, ethically, appropriately and that confidentiality is maintained. If you need to contact the Caldicott Guardian email
email@example.com or see the council's
contact us page. Please make sure any request is clearly marked for the attention of the Caldicott Guardian.
Record of Processing Activity
We are required to keep a record of its processing activities known as a